Social Cybersecurity: Reshaping Security through an Empirical Understanding of Human Social Behavior

How can we design systems that encourage better cybersecurity behaviors? Despite important improvements to the usability of cybersecurity systems, much security advice goes ignored and many security systems remain underutilized. I argue that this disconnect can partially be explained by the fact that there’s a largely unconsidered cost to engaging in good security behaviors: costs of social face. For example, by using two-factor authentication, one might be perceived as “paranoid.” By encrypting one’s phone, one might be perceived as having something to hide. More generally, by caring too strongly about cybersecurity, one may give off the impression of being shady. In this talk, I present evidence in support of the following claim: Social influences strongly affect cybersecurity behaviors, and it is possible to encourage better cybersecurity behaviors by designing security systems that are more social.

First, I empirically modeled how social influences affect the adoption of security behaviors and systems of 1.5 million Facebook users. Second, I designed a notification that informs Facebook users that their friends use optional security systems to protect their own accounts and evaluated these “social” notifications in a randomized, controlled experiment with 50,000 Facebook users. In so doing, I provide some of the first direct evidence that security behaviors are strongly driven by social influence, and that the design of a security system strongly influences its potential for social spread. Specifically, security systems that are more observable, inclusive, and stewarded are positively affected by social influence, while those that are not are often negatively affected by social influence.

Taken together, my work argues for a future of socially intelligent security systems that understand and accommodate basic human behaviors, desires and capabilities.