
Inside your users' brains: Where they get security advice

Michael Kassner explains the research of a team that looked at where users tend to get security advice, how they respond to it, and what security pros can learn from their findings.

IT professionals work hard to become experts in their field. They also work hard protecting the infrastructure and users they're responsible for.

Unfortunately, not everyone has access to an IT expert.

What happens if Jill, sitting at home, gets an SSL-certificate error message when she logs into her bank's website? What happens if a pop-up opens on Joe's notebook, while he's at Starbucks, saying XYZ antivirus found malware and he needs to install the fix right away? What are they supposed to do? Whom do they ask for help?

Those are all good questions according to Emilee Rader, Rich Wash, and Brandon Brooks, researchers at Michigan State University's Department of Telecommunication, Information Studies, and Media (TISM). That's because they're interested in how 80-million-plus household computer users are making security-related decisions. From the team's website:

Current education campaigns have failed to effect widespread changes in the security behaviors of non-technical users. New technologies are being developed, but will do nothing if users intentionally choose to ignore the technology or to work around it.

The National Science Foundation is also concerned about this. Enough so, it awarded the research team a three-year grant:

To find better ways of informing people about security issues, altering their understanding of security threats and thereby their security behaviors, which will ultimately create more secure home computers.

The first piece of the puzzle was figuring out what people without IT help or experience base their security decisions on. The researchers feel they have found the answer, publishing their findings in "Stories as Informal Lessons about Security."

Possibilities

The paper points out several ways people can learn about computer and information security:

  • Personal experience in dealing with prior security issues.
  • Formal education, such as classes and training seminars.
  • Online resources, which offer advice for most situations.

All logical choices, but not what people are relying on. The paper explains:

In general, when people don't know how to act in a given situation, they either fall back on what little they already know, or they look to others around them to figure out how they should behave.

"Look to others" was a hint to the researchers, particularly Emilee with her psychology background. She mentioned that there is significant research data confirming that people prefer to learn by storytelling. That's right -- storytelling.

Survey says

To see if they were onto something, the team conducted a survey, asking the respondents to:

  • Recall all the stories they had heard about security-related issues.
  • Choose one they remembered the best and provide details.
  • Answer several questions about the story.

The paper has several examples of respondent stories in Appendix A. Here's my favorite:

It appears that Facebook has gotten yet another virus and people are posting weird things onto their friends' walls without them knowing. So if you get a notification about someone posting on your wall be careful and not directly click on it or else your Facebook might get hacked or a virus.

What I took away from reading the stories is their relative accuracy. I asked Emilee if anything about the stories surprised her. She replied:

To be honest, we were surprised respondents had stories, and they were quite effective in getting their point across. We also noticed a problem with storytelling. The stories we received are good at describing consequences, but did not explain how to prevent the incident from occurring.

Interesting statistics

The following statistics were gleaned from the respondent answers:

  • 95 percent believed the story to be true.
  • 55 percent of the stories were about family or friends.
  • 51 percent were about the person telling the story.
  • 35 percent of the stories ended well.
  • 72 percent of the stories had a lesson.

The statistic that impressed me was the 95 percent who believed the story to be true. I'm betting most IT experts would like to have that percentage of users believing what they say.

Lessons learned

The research team assembled a list of lessons they learned from the survey:

  • Respondents feel the Internet is a dangerous place, and people must try to be secure and protect themselves.
  • Respondents reported that these security stories frequently changed both their thinking about security issues, and their behavior with respect to security.
  • Stories with lessons were twice as likely to cause a change in behavior as stories without a lesson.
  • Stories that are autobiographical were very likely to cause a change in behavior when compared to stories about others.
  • The odds of a story told in a home context leading to a change in behavior are 95 percent greater than a story told in a formal context, such as an office.

I mentioned to Emilee that, with all this positive feedback, it seems they may be onto something. I then asked how the team would use what they learned to improve user education:

We all know that experts are correct in their assertions, but people aren't listening. We want to figure out how to communicate the issues to people in a storytelling fashion rather than "speaking from on high."

Final thoughts

I met a friend for coffee yesterday. I had an ulterior motive -- she's a therapist. I was curious to learn what she thought about the article, and how storytelling enhances user education. She immediately understood, mentioning, "You never tell anyone what to do. You tell them what may or may not have worked for you." Sound familiar?

I'd like to thank Emilee Rader, Rich Wash, and Brandon Brooks for their help in understanding how one of my favorite things -- storytelling -- may solve a huge problem. I'd also like to thank the Association for Computing Machinery for permission to pull quotes from the team's research paper.


56 comments
Madsmaddad

Do we need TechRepublic to publish an Aesop's Fables book for users? All these stories that we collect need to be collated for the general user. My story is here: Students use the computers in lecture halls to give presentations. More than once I have come in to the lecture hall to give my lecture and discovered a USB stick already plugged in. In one case exploring the stick showed that the student's CV/resume was on it, so I was able to get it returned to him. The moral of the story is to always have a small file on a USB stick that identifies the owner. In my case it is a text file called 'this is mine' that has my name, email address, and mobile phone number. A text file so that it can be read by any computer operating system.

goodsellus

Used in many places, many levels. Never was fired for it.

mla_ca520

Hi Michael, this was a really interesting article and well worth reading. I've shared it with my colleagues at my day job. I actually had intended to share a blog post (cautionary tale) that I wrote and get your thoughts: http://blog.mladams.com/2012/09/is-frugality-costing-you-fortune-in.html I also wrote a more technical post describing how I fixed the problems on the same blog, but this link is for the end users. Thanks, Mike A.

kevin.t

'Tell All Your colleagues! This REALLY happened to a friend of mine' Guaranteed to generate a flood of great pragmatic advice from users in just about any online forum, and it always details a sorry tale that ultimately gets shot down by Snopes etc. It could be a warning about being mugged at road junctions or Microsoft distributing viruses. It's a pity that common sense methods of dealing with such panic headlines aren't included with each new PC/Laptop by law. Oh, and that includes 'you inherited a fortune....' Now I'm an IT professional and I was bamboozled by a message that popped up on my new laptop: 'Allow updates from Silverlight....?' Never heard of it, so I'll be stripping that off right away.

CharlieSpencer

Sorry, it was just too tempting. I held out as long as I could.

durocshark

Joe and Jane User may hear stories, but all they may recall are: "He used some software to fix the computer." or "He had to throw his computer away and buy a new one." This is due to the lack of understanding of what really happened. For example, when a person with no knowledge of or interest in cars, other than as a way to get to work, takes it to the mechanic because of a noise, what do they remember? The cost of the repair and that it was "something electrical" or "the transmission", regardless of the real cause (a bad alternator pulley bearing and a worn solenoid could be the problems). It has nothing to do with the person's ability to learn, or their intelligence. It's simply information they cannot grasp. So, "I had a virus, but my antivirus software caught it and fixed it for me," becomes, "He ran some software." This person is then easily snared by a FakeAV attack because it's "software for viruses". I believe that there will always be a large segment of users who are unable to adequately understand the threats out there, or how to deal with them. Instead, it's unfortunately a burden that must be borne by the software and OS developers.

bboyd

All the classics are tales of woe to instruct others to avoid. The best stories have withstood millennia of oral transmission. What we need now is a way to get people away from modern media and back to learning from cautionary tales. I find that the worst cases of virus/malware problems come from bad habits: entirely controllable computer use that is just a bad decision the user should have avoided as a matter of course, even without specialized education. I ask two questions: would you give a person on the street you asked for directions all your personal information, and would you give a street vendor you're buying pirated CDs from your credit card? Never mind porn sites... /sigh

r.j.thomas

It's not just Java -- I'm sick and tired of the number of patches released for Java and Adobe stuff. Our kind-of-base build software is Java, every free Adobe product under the sun and QuickTime. QuickTime's not so bad because it isn't patched too often. The other two, however, are a nightmare. People need them because bits of the web stop working if they're not up to date (fair enough), but no sooner have we downloaded the latest version than another version is released. This is at least six bits of software! WSUS won't patch them, so we just have to re-download them and prep for distribution on the LAN and wait till next week. In that intervening week, we'll spend time trying to figure out in what novel way they've got an auto-update feature switched on to annoy hundreds of people with exactly this kind of "update me now!" pop-up. @doke... what puzzles me is the inherent trust people place in IT as if it's -- as you said -- magic, and completely utopian. "I've just put all my bank details into a web site I got sent via email". Would you really do this if someone just knocked on your door and asked for those details? So why do it for a random email? We've also had attachments sent outside the business that shouldn't have been -- again, presumably they would (hopefully) never send this data out on a postcard, so why do it in email? I suppose a lot of people don't realise that most of the internet is inherently insecure and therefore the data is freely available in "postcard" format with basic tools like Wireshark (which is great for tinkering).

ed

When I was teaching, I found the "non-traditional-age" students both challenging and usually quite rewarding. They were great to call on when I made a reference the "traditional-age" students wouldn't recognize. One idea I hit on repeatedly for them is that some of the "ways things are done" were selected arbitrarily -- sometimes out of thin air, it seems -- and not to feel inadequate because they can't "figure it out." No matter how logical they are and how hard they try, it isn't going to happen. Among the important skills is using the search methods to chase these "ways things are done." However, the vocabulary can be arbitrary and frustrating, so there's another stumbling block. Who decided it was going to be "records" and "fields" and "files"? "Records" -- that's LPs and 45s and how we listened to Elvis before he went into the Army. "Fields" -- Ooh! Ooh! I know that one! That has something to do with growing corn and soybeans. "Files" are how you sharpen a hoe. I used to tell them one of my major functions in life was teaching them to translate Nerd into Hillbilly. More than once I said to a student, "I'm sorry, I can't make that one make sense to you -- or me. We just have to live with it." And they accepted that. Convincing these people to give themselves a break is tremendously important. This is incredibly new to them. Teach them to be patient with themselves.

doke

I work in the security field. One of the problems I've faced with stories is that pervasive attitude that everything happens to someone else; it will never happen to me. I have a network analyst to whom I have referred dozens of stories about attacks and breaches that are happening in neighboring communities, and he believes through and through that it will not happen to our network; they must be doing something wrong. It's magical thinking, like people that drive after drinking, because it doesn't affect them the same way it affects others.

pgit

is most of my users have more awareness of the problems than they let on. They therefore knowingly do not follow the right practices they know they should. I'd chalk that up to the 'it happens to other people, not to me' invincibility complex. I base this on the assumption that when the task at hand is a survey of what one knows, one is more likely to want to prove they do know something about whatever the subject of the survey is. So that 95% knows, but doesn't apply that knowledge to the same degree, probably for numerous reasons. "[doing the right thing] is too much work" is the excuse I hear most often for obviously inappropriate actions (e.g. globally disabling NoScript).

boucaria

I started out teaching myself computers and how to approach things, so I try to give people the option of either a little bit of advice, a link, or just a little tool to get things fixed. Sometimes the tips I have sent out have helped people, since they have printed them out. The best help-yourself tool so far is the USB drive PortableApps utility, which allows you to look up things yourself. Or, just let them call me. The goal of course is to provide resources for people, and so far this has worked with people I have worked with, especially with those who want to be able to fix their own issues.

richard.gardner

"The statistic that impressed me was the 95 percent who believed the story to be true. I'm betting most IT experts would like to have that percentage of users believing what they say." Believe? My users ask me what to do in a given context and I tell them. It's not a question of belief, more a simple case of an ability (or otherwise) to follow instructions. Also, this confused the hell out of me: "'You never tell anyone what to do. You tell them what may or may not have worked for you.' Sound familiar?" I don't quite understand the point here; my job involves almost exclusively telling people what to do. There's very little point implementing a system and then being vague about how it works or going all allegorical on their asses. I get that in a wider context security education is a difficult thing to achieve, and appreciate the research from a consumer perspective, but in business users should do what they're told. It's work, that thing the company needs them to do in order to make a profit. The trick is to make sure you can catch it if they do it wrong and then tell them again (in a security context that's blocking malicious websites and emails and a decent virus strategy). I can't see any mileage in this approach to educating business users about processes excepting what they learn from each other, making the whole point of the article moot, surely?

bob3160

As someone who travels all around this great country visiting computer clubs and other clubs where the common factor is computer usage, I know from first-hand experience that a majority of our seniors lack computer education. It is my job to explain, in simple language, computer security to the members of these various clubs. Simple language and a willingness to take the time to explain the importance of cyber security has always been greeted with a warm thanks and usually the comments of "Gee, I didn't know that." or "No one ever really explained it that way."

beck.joycem

Of course users have brains. The attitude of 'you don't understand or are not interested in computers and therefore you have no brain' needs to go, completely. It's arrogant and unproductive. Some of our less computer-knowledgeable clients are surgeons, senior engineers, authors, financial wizards and architects. I know a lot less about their subjects than they do about ours.

Michael Kassner

All your examples included an expert. That is not what the researchers were studying. Also, unable to understand is considerably different from choosing not to.

Michael Kassner

I was thinking along those lines when putting the article together. It is my hope that once the power of storytelling is understood, it might become part of the solution.

JCitizen

I snagged a job once by telling the boss that I didn't speak "geek-a-nese". She laughed so hard I thought she was going to fall off her chair. I got hired immediately.

NickNielsen

Files and records have been around since long before the computer. Think personnel or financial records stored in a filing cabinet. Records, as applied to LPs and 45s, is shorthand for recordings. As for who decided, who knows? I want to say Adm. Grace Hopper, but I would probably be wrong.

Michael Kassner

I have experienced the same thing, particularly with people for whom English is a second language. That piles on even more to work through. But the reward is well worth it.

Michael Kassner

What you refer to is not atypical to be sure. What I find more significant are those who have something happen to them and deny it.

Michael Kassner

To nitpick, sorry. As for whether they apply what they learn, that is another story.

Michael Kassner

You are one of those in the know. The hard part is always figuring out how someone wants to learn or receive information.

JCitizen

I worked in a non-profit organization that was very businesslike, and I didn't tell anyone what to do. I pretty much told them what the requirements were, and in a way not too much different than what is related in this article. Our CIO backed us up on this; and if the clients didn't listen, they got fired. But then we had classes on HIPAA and other security requirements, so it wasn't like they didn't know that this was important.

Michael Kassner

The article was focused on home users and users that do not have IT experts at their beck and call. That said, I've been in "the biz" for 35 years and I find ordering people about has more negative impact than explaining why they need to do or not do something. I believe there is more "buy-in" that way. How would you prefer it done to you?

Michael Kassner

I also would like to thank you for going the extra mile. I'm betting you get a whole lot of smiles in your travels.

CharlieSpencer

I haven't seen a service or occupation yet where the practitioners didn't express a degree of contempt, real or feigned or even affectionate, for the customers. Ask any auto mechanic or LPN.

CharlieSpencer

Not a serious comment. I regularly tell those I support that I just have a different skill set, one that wouldn't help me much if we had to change places.

Michael Kassner

If that were to happen, I think we all would play nicer together.

ed

The situation we hit once in a while is a person whose background is quite different. Think of a farmer who had a heart attack in his 50s and is working toward a career within his capabilities, a truck driver who had a bad wreck, or an assembly line worker with a back injury. One of them didn't get a high school diploma, but got a GED in the service. None has been in a school environment in twenty-plus years. Possibly getting a little farther afield from "where do they get their security advice?", throw into the mix that a few of the farmers, truck drivers, and others who weren't dealing with the public on a daily basis still have attitudes toward women and minorities left over from the 60s. Now give me an intelligent and articulate 24-year-old female Japanese-American lab assistant who has lived in the Midwest all her life, speaks with an Ozarks accent, and can do ANYTHING. Oh, and she looks 17 and is cute as...she's very attractive. Or take it to business/industry and make her one of the techs who goes to the user who can't log in because the password must have upper and lower case letters, numbers, and punctuation marks, but can't use dictionary words or $^&*. Sometimes these trouble tickets are handled with, "Uh, maybe we better let Jim take care of that one."

Michael Kassner

It's something one doesn't really think about until presented with the situation. I have a new friend and English is not her first language. It's real easy to see the frustration when multiple meanings are involved.

JimTheEngineer

I remember one class in which the instructors talked about "spawning" a task. One student (Chinese?) couldn't understand that, until another student said it was like a fish spawning. That got the point across to the student, but the instructor also had one of those "AHA" moments -- so THAT'S where "spawn" came from! -- Jim Garrity

JCitizen

I discovered that it is common for regulators to harass flight maintenance centers to death -- the idea being that if anything goes wrong, they can show either records or bulletins that "something" was wrong. It got so bad in the early '90s that my brother's boss finally had to pull some strings. It turns out his boss was hand-picked to run maintenance for President Johnson in the sixties; he was an Army Aviation section leader, and was highly STRAC. So the FAA pulled the inspector from his location and sent him to -- Alaska, I think -- that is, if he didn't quit! HA! My brother was more interested in keeping the helicopters flying and not falling out of the sky. Every time another customer dropped from his business, they had a flying cowboy, geologist, or police pilot die from a crash. Every time it ended up being a maintenance issue that the FAA concluded was A&P related. One thing for sure -- my brother sleeps real good at night!

HAL 9000

As the aircraft had the possibility of flying over water, the Marine Bulletin must apply and the necessary mods should have been made. This is particularly important in the event of needing to ditch the aircraft in water; in a case like that you would want to be sure that the engines worked, wouldn't you? :^0 Col

pgit

I was chief pilot/director of ops of a corporate flight department. I wrote the whole op, including the maintenance schedules. (Yet another wild story: I grounded the dept and insisted my predecessor was doing it wrong... imagine a "new hire" immediately shutting down the op.) We had a 'whole house' inspection one day, a fellow not known to be prone to vindictiveness, but a serious hard ass nonetheless. To get to the point, when he was done ripping every detail apart he could find nothing wrong. He outright admitted that regardless, he had to find something to fault us on, something about justifying his job. So here's what he came up with... One aircraft had Pratt and Whitney PT6-11 power plants, which are also used in marine applications. There was a service bulletin out for the marine-only applications; in fact it involved parts that don't even exist on the airplane version. The directive clearly stated not only that it applied only to marine systems, it mentioned, for clarity, that it was definitely NOT applicable to the Cheyenne I (the only plane to be cursed with these down-rated sulfur-gathering beasts). Well, there's a bulletin, and it mentions PT6-11... the FAA fellow asked me where the log book entry was for this not-an-AD. Um... we don't need one. He insisted, and wrote me up for it. He said he'd be back in a few weeks to see we'd "straightened out this situation." We were in western New York; our Cheyenne maint was handled by a specialist firm in Groton, Connecticut. I called and explained the deal, and they couldn't stop laughing. We arranged to mail the logs, they make the entry and mail back. In the end it said something very close to "P&W service bulletin XXXX is not applicable to aircraft installations." I think the shop was impressed with the outcome of my 'grilling,' but they were relentless about this; every chance they could, a joke would slide out referencing putting whatever in the logs.
E.g. I'd come back from lunch (waiting for some minor day maintenance) and someone would grab a log book and pen, and ask me what I had for lunch, pretending to be writing it down. I'm glad I bailed when I did. I can't imagine what I would do to some lowbrow with blue gloves trying to grope my executives before they get on their own damn plane. (They are starting to show up at general aviation.) When we dissolved our department I had a few job offers to fly Gulfstreams. They all entailed being on the road far more than being home, and I had young boys at the time. But one of the things that turned me off was they all also showed me the handguns secretly stashed in the cockpit and elsewhere, and told me I'd have to be proficient (and fast) with them, because in a lot of their remote destinations you deal in huge wads of US money. I'd say a non-sworn "officer" with an 85 IQ and blue rubber gloves groping my passengers and bossing me around would warrant a measure of lead in their a$$... I'd be soooo tempted. . .but deliver us from evil.

JCitizen

I've left an inspection story somewhere on TechRepublic; I'd be interested in yours as well! :)

pgit

You're right, people may measure their skills, success or whatever against themselves, some standards, or what other people accomplish, and may lose sight of the reason for being in the process. The good news, I suppose, is this A&P ended up being an inspector for the FAA. Though we didn't relish seeing them coming, in the long run you do want a hard-a$$ wearing that hat. BTW he tried hard to get me to join the agency, too. I ran a perfect general aviation op (I mean perfect; I have a funny story about an inspection..) and he knew literally nobody else did, and wanted me to crack heads. (I'd know where the skeletons are buried.)

JCitizen

and the men that do it; but if I were a passenger on a flight that revealed what THAT A&P mechanic thought about people on board, I might select to go ground route. Don't get me wrong -- I got a brother that knows it is a fly or die world, and he is so anal about his work, he would probably commit seppuku rather than face failure of technical proficiency! He'd be mad as hell at failure, because he is so into accuracy and job proficiency, that he would be just as disappointed at not catching mechanical failure as losing precious lives. Also don't get me wrong that he, or I for that matter, consider our job history as more important than people's lives -- we are as proud of our good work as if we flew in the aircraft ourselves. Too many of our friends are helicopter and weather modification pilots, and we consider their lives irreplaceable, just as we do ourselves. I just want to emphasize that there are still those whose work ethic is at Mt. Everest level, not at AFL-CIO union level!!

NickNielsen

I knew the stuff, and could pass it along, but nothing I did to make it interesting seemed to get the students motivated. I gave it up as bad for my mental health.

Michael Kassner

That you were a great teacher and your comment was a jest on your part.

NickNielsen

"Teaching would be a great job...if it weren't for the students."

Michael Kassner

He would be in trouble if everyone knew as much as he did about airplanes.

pgit

"..if it weren't for all the people." The mechanic that worked on the company aircraft used to mumble that line when particularly frustrated. He was full of 'em. He's the one who introduced me to the "[turd] sandwich" concept of employment.

Michael Kassner

But, as my wise grandfather used to say, without them we wouldn't have a job.

NickNielsen

Older students with "traditional" attitudes toward women and minorities and a young, mixed-race, highly-competent, and attractive lab assistant. Which gives them more fits? The "female" part? Or the "Asian" part? I'll bet she's been addressed as "Honey", "Sugar", or "Sweetie" more times than she cares to think about.

Michael Kassner

Thanks for sharing that moment. Language is one fascinating subject.
