Tools are available to increase security, but are often not used to their full potential. To understand why people might not be exploiting these opportunities, research from various disciplines explores the factors that impact individuals’ decisions about what to do and say to be secure. Building on this research, Das et al. elaborate on the idea that people base their decisions on understandings of how other people act. This study looks more closely at how social processes influence behaviour and communication related to security.
Previous research has found that several factors, known collectively as security sensitivity, can determine behaviour change in adopting privacy and security tools. Security sensitivity is the sum of awareness of threats and tools, motivation to use the tools, and knowledge of how to use the tools. Security sensitivity can be a barrier to adopting new behaviours and technologies, but can also drive change.
Nineteen participants took part in interviews, in which they were asked to recall recent changes to their use of security and privacy settings on various online media, and also to recall conversations about online security and privacy. In order to understand the context for those changes and conversations, interviews asked follow up questions about what catalyzed the changes. In particular, social catalysts – such as suggestions or warnings from friends – were distinguished from non-social catalysts – for example stemming from a personal negative experience or prompts from media reports.
Most people have experienced at least one change in behaviour or motivation driven by social learning. This suggests that sharing about privacy and security practices is already a common social process. There were specific reasons why people talk about online security and privacy. In many cases, a conversation surfaced when someone’s privacy has been compromised, or when people shared ideas about how to use the features of specific systems. Conversations often arose when a security threat or security tool was observed in action, such as when someone used a authentication feature on a device. This observability was a key theme in exploring the context of conversations. The findings also reveal something of the intent of social processes, which are often to warn others about a threat, to solve a presenting problem or share a solution. The potential benefits of social learning about security are perhaps currently limited as individuals sometimes opt to keep quiet rather than risk appearing paranoid; there remains a stigma surrounding being too diligent with security features.
The design of social interventions to raise security sensitivity could capitalize on this social learning pattern. In particular, increasing the observability of tools and behaviours – while still preserving their privacy function – emerged as a promising avenue for leveraging the power of social influence. Actions that are observed become accessible for discussion, heightening security sensitivity, and conceivably the spread of security and privacy behaviours.
A good portion of what people know about security is learned from socialising and observation. Encouraging talk about security could be a good way of improving employee sensitivity to security issues.