"It's Scary…It's Confusing…It's Dull": How Cybersecurity Advocates Overcome Negative Perceptions of Security


Julie M. Haney and Wayne G. Lutters, University of Maryland, Baltimore County


Cyber attacks are on the rise, but individuals and organizations fail to implement basic security practices and technologies. Cybersecurity advocates are security professionals who encourage and facilitate the adoption of these best practices. To be successful, they must motivate their audiences to engage in beneficial security behaviors, often first by overcoming negative perceptions that security is scary, confusing, and dull. However, there has been little prior research to explore how they do so. To address this gap, we conducted an interview study of 28 cybersecurity advocates from industry, higher education, government, and non-profits. Findings reveal that advocates must first establish trust with their audience and address concerns by being honest about risks while striving to be empowering. They address confusion by establishing common ground between security experts and non-experts, educating, providing practical recommendations, and promoting usable security solutions. Finally, to overcome perceptions that security is uninteresting, advocates incentivize behaviors and employ engaging communication techniques via multiple communication channels. This research provides insight into real-world security advocacy techniques in a variety of contexts, permitting an investigation into how advocates leverage general risk communication practices and where they have security-specific innovations. These practices may then inform the design of security interfaces and training. The research also suggests the value of establishing cybersecurity advocacy as a new work role within the security field.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {219408,
author = {Julie M. Haney and Wayne G. Lutters},
title = {"It{\textquoteright}s {Scary{\textellipsis}It{\textquoteright}s} {Confusing{\textellipsis}It{\textquoteright}s} Dull": How Cybersecurity Advocates Overcome Negative Perceptions of Security},
booktitle = {Fourteenth Symposium on Usable Privacy and Security (SOUPS 2018)},
year = {2018},
isbn = {978-1-939133-10-6},
address = {Baltimore, MD},
pages = {411--425},
url = {https://www.usenix.org/conference/soups2018/presentation/haney-perceptions},
publisher = {USENIX Association},
month = aug