DOI: 10.1145/2335356.2335364
research-article

Stories as informal lessons about security

Published: 11 July 2012

ABSTRACT

Non-expert computer users regularly need to make security-relevant decisions; however, these decisions tend not to be particularly good or sophisticated. Nevertheless, their choices are not random. Where does the information come from that these non-experts base their decisions upon? We argue that much of this information comes from stories they hear from other people. We conducted a survey to ask open- and closed-ended questions about security stories people hear from others. We found that most people have learned lessons from stories about security incidents informally from family and friends. These stories impact the way people think about security, and their subsequent behavior when making security-relevant decisions. In addition, many people retell these stories to others, indicating that a single story has the potential to influence multiple people. Understanding how non-experts learn from stories, and what kinds of stories they learn from, can help us figure out new methods for helping these people make better security decisions.

Published in

SOUPS '12: Proceedings of the Eighth Symposium on Usable Privacy and Security
July 2012
216 pages
ISBN: 9781450315326
DOI: 10.1145/2335356

Copyright © 2012 Authors

Publisher: Association for Computing Machinery, New York, NY, United States

Acceptance Rates

Overall Acceptance Rate: 15 of 49 submissions, 31%
