Do or Do Not, There Is No Try: User Engagement May Not Improve Security Outcomes

Proceedings of the 12th Symposium on Usable Privacy and Security (SOUPS 2016) 97-111. 2016

Posted: 24 Aug 2022 Last revised: 17 Sep 2022

See all articles by Alain Forget

Alain Forget

Carnegie Mellon University

Sarah Pearman

Carnegie Mellon University

Jeremy Thomas

Carnegie Mellon University

Alessandro Acquisti

Carnegie Mellon University - H. John Heinz III School of Public Policy and Management

Nicolas Christin

Carnegie Mellon University

Lorrie Faith Cranor

Carnegie Mellon University - School of Computer Science and Carnegie Institute of Technology

Serge Egelman

University of California, Berkeley - Department of Electrical Engineering & Computer Sciences (EECS); International Computer Science Institute (ICSI)

Marian Harbach

International Computer Science Institute (ICSI)

Rahul Telang

Carnegie Mellon University - H. John Heinz III School of Public Policy and Management

Date Written: June 22-24, 2016

Abstract

Computer security problems often occur when there are disconnects between users' understanding of their role in computer security and what is expected of them. To help users make good security decisions more easily, we need insights into the challenges they face in their daily computer usage. We built and deployed the Security Behavior Observatory (SBO) to collect data on user behavior and machine configurations from participants' home computers. Combining SBO data with user interviews, this paper presents a qualitative study comparing users' attitudes, behaviors, and understanding of computer security to the actual states of their computers. Qualitative inductive thematic analysis of the interviews produced "engagement" as the overarching theme, whereby participants with greater engagement in computer security and maintenance did not necessarily have more secure computer states. Thus, user engagement alone may not be predictive of computer security. We identify several other themes that inform future directions for better design and research into security interventions. Our findings emphasize the need for better understanding of how users' computers get infected, so that we can more effectively design user-centered mitigations.

Keywords: security, behavior, computer

Suggested Citation

Forget, Alain and Pearman, Sarah and Thomas, Jeremy and Acquisti, Alessandro and Christin, Nicolas and Cranor, Lorrie Faith and Egelman, Serge and Egelman, Serge and Harbach, Marian and Telang, Rahul, Do or Do Not, There Is No Try: User Engagement May Not Improve Security Outcomes (June 22-24, 2016). Proceedings of the 12th Symposium on Usable Privacy and Security (SOUPS 2016) 97-111. 2016, Available at SSRN: https://ssrn.com/abstract=4182861

Alain Forget

Carnegie Mellon University ( email )

Pittsburgh, PA 15213-3890
United States

Sarah Pearman

Carnegie Mellon University ( email )

Pittsburgh, PA 15213-3890
United States

Jeremy Thomas

Carnegie Mellon University ( email )

Pittsburgh, PA 15213-3890
United States

Alessandro Acquisti (Contact Author)

Carnegie Mellon University - H. John Heinz III School of Public Policy and Management ( email )

Pittsburgh, PA 15213-3890
United States
412-268-9853 (Phone)
412-268-5339 (Fax)

Nicolas Christin

Carnegie Mellon University ( email )

Pittsburgh, PA 15213-3890
United States

Lorrie Faith Cranor

Carnegie Mellon University - School of Computer Science and Carnegie Institute of Technology ( email )

5000 Forbes Avenue
Pittsburgh, PA 15213
United States

Serge Egelman

International Computer Science Institute (ICSI) ( email )

Berkeley, CA
United States

University of California, Berkeley - Department of Electrical Engineering & Computer Sciences (EECS) ( email )

Berkeley, CA 94720-1712
United States

Marian Harbach

International Computer Science Institute (ICSI) ( email )

Berkeley, CA
United States

Rahul Telang

Carnegie Mellon University - H. John Heinz III School of Public Policy and Management ( email )

4800 Forbes Ave
Pittsburgh, PA 15213-3890
United States
412-268-1155 (Phone)

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Abstract Views
15
PlumX Metrics