Date of Completion

12-15-2017

Embargo Period

12-12-2018

Keywords

cybersecurity, psychology, emotions, social motivations, interventions

Major Advisor

Mohammad Khan

Associate Advisor

Ross Buck

Associate Advisor

Steven Demurjian

Field of Study

Computer Science and Engineering

Degree

Doctor of Philosophy

Open Access

Open Access

Abstract

Security is a priority to most, but studies show that users commonly fail to adopt recommended cybersecurity behavior. Researchers have looked to user factors for explanations of this gap, finding security and convenience to be common considerations, along with perceptions of risks and past experiences. Some have tried to alter user behavior, but are targeted at specific advice and focused on rational motivations to persuade users.

In this thesis, three expertly recommended cybersecurity advice (i.e., updating software regularly, using two-factor authentication, using a secure password manager) are deeply explored. These results inform the design of videos in a systematic study of novel cybersecurity interventions aimed at altering users’ behavior around these advices. First, users’ rational motivations around each, including social motivations are studied, and then each advice is studied with more in-depth instruments, including those that gathered users’ emotions in the varying contexts, which can influence decision-making.

These studies found that those who do not follow expert recommendations commonly see the risks in their decision as lower than those who do follow. Additionally, users rarely make social considerations in these contexts. Finally, negative emotions are found to be prevalent across many specific cases. These emotions may influence and trigger perceptions of negative past experiences, which in-turn hinders adoption. With these leads, novel video-based interventions are developed that incorporate appeals which address social motivations and emotions around cybersecurity advice. Awareness, perceptions, emotions, and behavior were measured before, immediately, two weeks, and one month after an intervention was delivered aimed at altering their behavior around one of the three test advices. This study finds that the emotion-based techniques may have merit since the groups which saw videos that used this approach had the largest and most sustained increases on variables that measured awareness and perceptions of benefits, costs, and risks. Also, the data demonstrates the role social motivations may have in cybersecurity behavior, showing the importance of both of these alternative approaches in this field.

Download
COinS