Help Me With Sign Maryland Banking Presentation

Help me with industry sign banking maryland presentation secure

from the University of Maryland and I'm here to talk to you today about how users learn security behaviors so the title of our paper and our talk is how I learned to be secure a census representative survey of security advice sources and behavior and this is work I did with shawn cross at johns hopkins university and michelle mazrak at the university of maryland so most of us can remember how we learn to ride a bicycle and probably our parents taught us and we didn't have to look very far for an authoritative source on bicycle behavior but when it comes to digital security this is a little bit more challenging and so users are constantly online and they're having to sort through a variety of different security information alerts prompts novel's worth of text in order to figure out which behaviors to practice and which to reject when they make a wrong choice they can have a negative experience and this can lead to financial and emotional consequences that we'd like to prevent so in order to figure out how to prevent these negative experiences we want to understand how users are learning behaviors in the first place as so first we under want to understand where they're getting their advice and more specifically who's learning how are there differences based on demographics or poor skills and where users are getting their advice and then finally what are their reasons for accepting and rejecting a different pieces of advice so in order to answer these questions we conducted an online survey that we rigorously pre-tested and we wanted to ensure that we was senseless representative with a reasonably large sample size so that our findings could be generalized to the US population so more specifically what were we asking about we started by asking about users behaviors and we are interested not only in digital security behaviors but also physical security and so why we care about physical security well physical security advice has been around for a bit longer than digital security and we wanted to see if there are things we can learn from a physical domain that we could bring into digital security so more specifically we asked questions about at passwords behavior antivirus behavior updating behavior and use of two factor authentication as far as digital security and for physical security we asked about personal safety while walking alone at night as sort of our representative behavior and largely we were interested in these behaviors in order to figure out where users were learning that and so for example we asked users where did you learn about making strong passwords and to provide answer choices we drew on our qualitative work that appeared at Oakland earlier this year as well as prior work in the literature so answer choices but they were offered where the media the workplace school family and friends as well as having heard about other people's negative experiences or having one themselves also service providers like Time Warner or bank of america and finally whether their device or the website prompted or required them to use a particular behavior and beyond this sort of general set of answer choices we dug a little deeper so if they said that they you know took workplace security advice we'd asked if that was from an IT colleague from a non IT colleague from a newsletter and so on and finally even if they reported not using a behavior we still ask them what advice they'd seen about it and why they decided not to take it so in addition to all these questions about advice sources like I said we are interested in who's taking what advice as we ask demographic questions so in addition to standard demographic questions we also asked questions about security sensitivity so whether they held a security clearance currently or in the past as well as whether they handled government regulated data like HIPAA or FERPA data we also use the hague rd web use skills index to measure their internet skill level and finally we wanted to understand whether they had a background or job in CS rit to assess whether they had technological expertise so after we developed all these questions we wanted to make sure they are actually measuring the constructs we wanted to measure and so in order to check this used cognitive interviews as well as expert reviews and we invited a diverse sample of people to come and test our survey as well as asking survey methodology and HCI experts to ensure we were following best practices once we finish iterating on our survey we deployed it using an online web panel through survey sampling international and collected 526 response responses here you can see a comparison and on each of the demographic categories between our sample and the census and as you can see it's nearly senseless representative with our example being just a little bit wealthier than the general population so based on this we think that we can draw reasonable reasonably general conclusions about advice behavior in the US so what we actually find first where are people getting their advice the first thing that popped out at us was that people are taking a lot advice a lot of advice from prompts and we know that prompts are important for point behaviors like not passing through certificate warnings but this is sort of one of the first times we're seeing that prompts are providing more general security education so people are learning something my taking something they learned from a point behavior and applying it more broadly and this was true in about eighty percent of our participants so in addition to kind of device bakes prompts we are also seeing human advise sources so family and friends were the most prevalent one but this was fairly closely followed by service providers which we were surprised to see as so it looks like Bank of America and Verizon they're providing more advice than we would expect followed by that there's workplace advice as well as people are learning from negative experiences at which prior work is also shown so beyond umm where people are getting advice we were more interested in who is taking what advice and so or in order to answer this question we constructed a set of logistic regression models and these were binary models where our outcome variable was the probability that you're going to take advice from one of these sources as so for example the probability that you're going to have said you took advice from from the media based on your demographics as is your internet skill level whether your data sensitive your technological background and also your beliefs so we asked questions about how you waited the importance and trustworthiness of digital security advice versus physical security advice so we fed all of these factors into our models to figure out who was taking what advice what we ended up finding was a kind of digital divide and advise taking so those people who had higher internet skills and who are using more who had more sensitive data experience who also tended to be higher income we're more likely to take advice from their workplaces from service providers from the media and to be able to learn from negative experiences and we somewhat consider these advice sources to be the more authoritative ones especially the workplace and service providers so on the other side of this gap those who had lower internet skill hadn't worked with sensitive data intended to be lower income we're more likely to take advice from prompts and from family and friends and so this kind of re-enter scores the importance of these prompts for general security learning and not just point behaviors and it also begs the question of why this is happening and so some of our hypotheses are that at lower skill or potentially lower income workers are not having the opportunity to get workplace training or the information provided in the workplace or in the media might be at the wrong level for their internet skill and so as a specific example we see from media and that those with higher internet skill are about 1.3 times more likely to have taken media advice as so we see in the scrap the number of respondents versus their internet skill level and many more respondents above an Internet skill free are taking media advice than when they're below and in general this holds true so those with higher internet skill are 1.2 to 1.4 times more likely to take advice from media workplace service providers and negative experiences and those who handle sensitive data so either hip or FERPA or security clearance are two to four times more likely as there's certainly some type of divide going on here all right so be honest divided and why are people in general accepting and rejecting advice as far as advice acceptance we drew on our prior work as well as our pre-testing to come up with a list of reasons why people are accepting advice the two that stood out from prior work we're either trusting the source of the advice so my dad's a security expert I trust my dad so I'm just going to take his advice I didn't really think about it and just take it and the other is oh I thought about this advice and you know I have a big scary dog so the police told me to lock my door but I don't need to and then finally another reason that came up in our cognitive interviews was fear of a negative experience your advice made me scared so now I'm going to take it it turned out that for digital security people reported taking advice because they were scared of a negative experience less than ten percent of the time so that's sort of an interesting point in terms of fear-mongering or trying to inspire fear that that may not be so effective and so here I just show the results for trust of advice source and content and so what we found is that users are reporting evaluating the content of advice about physical security and also about passwords and so we hypothesized that this is probably the case and because a physical security is very ubiquitous and also fairly tangible one of our private participants said if you come at me with a gun I know I should be worried and password security is probably one of the most ubiquitous and pieces of advice that we have out there and so that might be a reason it resembles physical security and this group was statistically significantly different than the rest of the advice cases so on the other hand and for updating an antivirus security these tended to be taken because users trusted the source so again this is the my dad said so ah reasoning and this could possibly be because this advice is hard to understand or maybe it's just not as prevalent yeah and then finally to factor landed kind of right in the middle so it was different than both of the group's I talked about before but not quite in with physical security and passwords and we hypothesize this might be because it's sort of like passwords in that it's authentication and but it's a little bit more complicated so it might be harder for people to evaluate and so I generally want to start to think about how we push your behaviors and other behaviors toward allowing people to actually evaluate the advice themselves and have more autonomy in their choices okay so why are people rejecting advice maybe okay um so the first reason probably doesn't surprise anyone that much it's inconvenient these behaviors are sort of annoying to implement and users to want to do them the second one might be a little bit more surprising there's too much marketing material so a number of our respondents were reporting that advice that contained marketing made them not want to take it at all and i'm finally lacking a negative experience so prior work has said okay having negative experiences is a really powerful teacher but so far no one said not having negative experiences might make you not do things um and so this is sort of interesting and that we want to both teach people but maybe not by having negative experiences and prevent them from that doing things also not by giving them negative experiences so we'll get back to that later so more specifically by behavior we see that for antivirus software people are usually rejecting it either because they think it's inevitable I'm just going to get a virus so don't bother because they didn't understand why they needed to use it because they're careful on the internet because they've never had a negative experience or overwhelmingly because there was too much marketing as so many of us probably remember aggressive antivirus marketing campaigns and that the software at least used to be typically for profit and so it looks like that's still holding true at least in participants memory is even if it's changed a little bit recently and then for two factor we see sort of a different set of primary and so the first one here is privacy threat and to talk a little bit more about this hour prior qualitative work saw this slight trend and that people said I don't want to give my phone number to google I don't know what they're doing with it and I'm not really sure what security I'm going to get from it so like it's not worth it and we're seeing that's at least fairly prominent for two-factor authentication and so that might be a design consideration with these types of things in the future and to help reassure respondents about how their personal information is being used next we had that people were reporting they felt their data had no value so there was no reason to protect it again that they had not had a negative experience and then rather largely inconvenience and so there been a lot of strides made for making two-factor more convenient and it looks like it's still a concern and then finally if we look at the light blue bars in the chart they're mostly smaller than the other bars so updating advice and updating behavior seems to be doing the best out of all of these and it's being rejected mostly because it's inconvenient but not too much when we compare it all right so what does that mean for those of you who are security systems or tools developers so first like I said and I'll say it again prompts seem to matter and not just for point behaviors so it's important to kind of think about what your information you're imparting in the prompts and whether perhaps it can be changed to be slightly more general and then also that this is especially true for lower-skilled potentially lower income users and so it's important to think about the readability level as well as the types of technical terms that are being used and whether it's immediately implementable for them and so the second thing is this authentication so like I just mentioned to factor was being rejected both for inconvenience and for privacy concerns so it may be important when designing both to factor and new types of authentication tools to consider how to mitigate these privacy concerns and of course how to continue improving unions and then finally if you want to get people to use your tools what we keep seeing in our work is that you need to provide them with tangible and concrete information as so they're more likely to use them if they can evaluate the content of the advice themselves and the more tangible and concrete and easy to understand you make it the more likely they can make those evaluations and then go and use the tool now in the case that we haven't quite gotten there they're relying on trust of source so it's important to indicate who the tool is coming from whether they're a trustworthy person if someone's giving advice about it make sure they seem trustworthy and this is something that we're going to look into further in the future is what actually makes something trustworthy and also what triggers that marketing reaction on the other side okay and then if you're a usability researcher or interested in usability like I said we highlight kind of two new reasons for rejecting advice beyond inconvenience which is marketing and this lack of negative experience and the lack of negative experience is especially interesting because we should start thinking about how we can simulate these so instead of forcing people to have negative experiences in order to learn how can we help them have the same learning tower but without consequences similarly we provide like a validated list of advice sources that we tested in qual tative work and also evaluated by doing our cognitive interviews so we think these are reasonably exhaustive and similarly for advice source rejection and acceptance and the reasons that we've provided are reasonably well validated so these could be used in future work and finally as I mentioned we found the first evidence of an advice divided in security and this looks like something that we need to try to bridge and understand better in order to prevent as some people from having lots less access to digital security than others so in summary we wanted to find out where people were getting advice who was taking which advice and why they were accepting and rejecting it in order to answer these questions we conducted a since this representative web survey that we rigorously pre-tested and what we found as I just said is this evidence of a digital advise divide that we need to look into further as well as finding that users are accepting advice about passwords and physical security by evaluating the content and accepting advice about updating an antivirus based on the trust of the source and finally we saw that advice was getting rejected for inconvenience as well as too much marketing and a lack of negative experience which invites us to figure out how we can mitigate these rejection reasons as we can give other users less excuses for not using our tools and that's it from me if you have questions for our speaker we have two microphones please come up to the microphone alright make sure to give your name and affiliation hi Christina Shaw University of illinois-chicago this is really really great excuse me uh interesting work the the first mission I had definitely is that to me I imagine that it's hard to remember exactly where I got a certain type of security advice were you able to devise a methodology to evaluate how accurately people are recollecting where they got that advice yes so this is a hard thing that we struggled with a lot um so a lot of what we did was in these cognitive interviews people came in and we asked them to think aloud as they answered every question um and what we eventually figured out was like first we were like where did you hear about this they're like I don't know but when we went back and said where did you first learn about XYZ they're like oh I remember so for some reason that where did you first learn seemed to trigger it um and in the first iteration we offered like another thing and we actually didn't have very many people being like I don't know um which sort of surprised us so it seems like at least for some of these behaviors they were somewhat memorable the other thing I'll say is that younger people seem to have a harder time remembering than older people and because our sample with census representative we actually weren't skewed toward younger people so I think it sort of that stuff yeah before we get to the next question can I have the second speaker come talk to our av person okay we'll go back and forth hi Engelberg University of Waterloo thanks for the great talk so one of your one of your takeaways is that users evaluate the content of these kinds of things but rely on trusted sources for these kinds of things can you give like if I had a new thing how would you predict which bucket it would fall in um so my prediction would be that it would follow him a source bucket and because when we did the qualitative work anything that was sort of new and uncomfortable and potentially hard to understand but either not that hard to understand they were like I'll just trust my person and do what they say and so I predict source but I think and if you're able to make analogies to physical security or even have like pictures or something exciting then you might be able to push it toward the other side hi Greg Shannon off White House Office of Science and Technology Policy so you know there's a effort to improve two-factor authentication used so your your comments about a low income and low knowledge are helpful have you seen what have you seen is especially effective mechanisms especially like from say Google or Apple or whoever in terms of their encouragement Stu get users to understand and I guess related to that have you have you ever considered looking at the mechanism explanations underlying to factor and in terms of how much do people need to understand the extent to which you know what two factors really doing and why it might really help make a difference and then to be able to simulate the negative consequences if they didn't have protection yeah and so a couple of things on that so in the paper we actually and in the survey we asked people why they're like what they thought the purpose was of these different behaviors and we're actually pretty surprised to find that they were the majority of them were right about two-factor authentication so they knew what it was doing but they were still not wanting to use it because of this privacy or inconvenience so that actually surprised me because I thought like oh they must not know that it's useful so I think as far as like what Google or Apple or Facebook are doing right or wrong and some of them I'll see actually literally say like we will use your phone number to also do XYZ so I would recommend not doing that because i think that like immediately raises harry's and i think what might be helpful is actually adding an explicit statement that's like we're not going to use your phone number or you can do these other things if you don't to give us your phone number and but we are very interested in looking at like different descriptions and seeing how users react to them and that's something we want to do in the future yeah or someone else to do with it yeah I'm billion from Bryce I so because I think your survey is mentally on the individual base right so because also like yesterday we hear I hear a talk from so the like industry like automotive industry or out the industry they also have they also should exercise a lot of let's say security awareness but it seems they're not doing that so I'm just curious let is it do you also a plan to like extend your research why they are not doing these type of things which is also very important in securing the whole picture yeah and so thus far we focused on home behavior and there's been a little bit of work into industry behavior and I think there needs to be more and definitely down the line yes right now still kind of looking at this marginalized home user base but yes definitely hi surgery from Stanford did you have any measure of the quality of the advice that is did you see like people getting information from some source is actually bad advice or good advice and did you see a correlation between sources and quality of yeah so no the only so okay so we could sort of look at that in terms of like do you practice the behavior and where did you get the advice but that's you know like a tenuous connection there so not really that's something we want to do in the future but to be honest measuring the quality of advice is something that we're still trying to work on so if people have ideas on how you would do that that would be great but we were not able to do yes okay I have a question before we stop I was very curious on the slide that talked about the where people learned information from what hurt me the most was school was the lowest one white so is it is that reflective of the study and maybe because you mentioned education wasn't you know is more sense as representative and what can we do as educators to fix that right that's what I want to know yeah um so I will say for school um there's actually a hilarious relationship so unsurprisingly younger people more likely to report getting this information from school probably because the internet didn't exist for a lot of people but the strange relationship was for people who had a background or worked in csit they were like way less likely to have gotten advice from school which I could hypothesize is because they think they already know it or maybe they already learned it somewhere else there's something like this um but I think some of it is maybe bringing it in earlier and so like before college teaching people about this which is probably especially important for privacy information so yeah all right let's thank our speaker one more time okay so this is the second hello can you hear me that you can't hear all right all right let me introduce you first they gotta get set up in the back too so I'm slightly delaying great so our next speaker is apologies in advance Vladimir you