DOI: 10.1145/3613905.3651012
Work in Progress

A Framework for Reasoning about Social Influences on Security and Privacy Adoption

Published: 11 May 2024

Abstract

Much research has found that social influences (such as social proof, storytelling, and advice-seeking) help boost security awareness. But we have lacked a systematic approach to tracing how awareness leads to action, and to identifying which social influences can be leveraged at each step. Toward this goal, we develop a framework that synthesizes our design ideation, expertise, prior work, and new interview data into a six-step adoption process. This work contributes a prototype framework that accounts for social influences by step. It adds to what is known in the literature and the SIGCHI community about the social-psychological drivers of security adoption. Future work should establish whether this process is the same regardless of culture, demographic variation, or work vs. home context, and whether it is a reliable theoretical basis and method for designing experiments and focusing efforts where they are likely to be most productive.


Published In

CHI EA '24: Extended Abstracts of the CHI Conference on Human Factors in Computing Systems
May 2024
4761 pages
ISBN: 9798400703317
DOI: 10.1145/3613905
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery

New York, NY, United States

Qualifiers

  • Work in progress
  • Research
  • Refereed limited

Conference

CHI '24

Acceptance Rates

Overall Acceptance Rate 6,164 of 23,696 submissions, 26%

Article Metrics

  • Total Citations: 0
  • Total Downloads: 416
  • Downloads (Last 12 months): 416
  • Downloads (Last 6 weeks): 119
Reflects downloads up to 13 Jan 2025
