Replication: Stories as Informal Lessons about Security


Katharina Pfeffer and Alexandra Mai, SBA Research; Edgar Weippl, University of Vienna; Emilee Rader, Michigan State University; Katharina Krombholz, CISPA Helmholtz Center for Information Security


Anecdotal stories about security threats told to non-experts by friends, peers, or the media have been shown to be important in forming mental models and secure behaviors. In 2012, Rader et al. conducted a survey (n=301) of security stories with a student sample to determine factors that influence security perceptions and behavior. We replicated this survey with a more diverse sample (n=299), including different age groups and educational backgrounds. We were able to confirm many of the original findings, providing further evidence that certain characteristics of stories increase the likelihood of learning and retelling. Moreover, we contribute new insights into how people learn from stories, such as that younger and higher educated people are less likely to change their thinking or be emotionally influenced by stories. We (re)discovered all of the threat themes found by Rader et al., suggesting that these threats have not been eliminated in the last decade, and found new ones such as ransomware and data breaches. Our findings help to improve the design of security advise and education for non-experts.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {281224,
author = {Katharina Pfeffer and Alexandra Mai and Edgar Weippl and Emilee Rader and Katharina Krombholz},
title = {Replication: Stories as Informal Lessons about Security},
booktitle = {Eighteenth Symposium on Usable Privacy and Security (SOUPS 2022)},
year = {2022},
isbn = {978-1-939133-30-4},
address = {Boston, MA},
pages = {1--18},
url = {},
publisher = {USENIX Association},
month = aug

Presentation Video