Why Do They Do What They Do? A Study of What Motivates Users to (Not) Follow Computer Security Advice
Presenter: Hurin
Authors: Michael Fagan, Mohammad Maifi Hasan Khan
In Twelfth Symposium on Usable Privacy and Security (SOUPS 2016), USENIX Association, pp. 59-75, 2016
17 August, 2016
Summary
“Why do some follow security advice, while others do not.”
The study uses:
• Survey
• Rational decision model
• Quantitative and qualitative analysis
Common security advice:
• Updating Software
• Using a Password Manager
• Using 2-Factor Authentication
• Changing Password Frequently
Sampling
Advice                           Yes    No     I Don’t Know
Updating Software                92%    6%     2%
Using Password Manager           21%    78%    1%
Using 2-Factor Authentication    62%    28%    10%
Changing Password Frequently     41%    58%    1%
Benefits vs. Costs
Benefits
• The Yes groups rate their perceived benefit of following the advice significantly higher than the No groups do
• The No groups give lower ratings when asked to project the benefit they would expect to receive from making the opposite decision to the one they reported
“For all decisions, the Benefits of Following will be seen as higher by the Yes groups compared to the No groups.”
• The No groups consistently rate the benefits they receive from not following as significantly higher than the benefits the Yes groups’ participants project they would receive from altering their behavior
• There are no significant differences for Social Benefits of Not Following
Costs
• The No group rates the Individual Cost of Following significantly higher than the Yes group for changing passwords
• For the individual cost of updating, and for the social phrasings of the Cost of Following for all pieces of advice, the differences are not significant
“For all decisions, the Costs of Following will be seen as higher by the No groups compared to the Yes groups.”
• The Yes group rates the Individual Cost of Not Following significantly higher than the No group for changing passwords and using a password manager
• The Yes and No groups give similar ratings for the Individual Cost of Not Following for 2-Factor Authentication