Michael Kassner explains the research of a team that looked at where users tend to get security advice, how they respond to it, and what security pros can learn from their findings.
Unfortunately, not everyone has access to an IT expert.
What happens if Jill, sitting at home, gets an SSL-certificate error message when she logs into her bank's website? What happens if a pop-up opens on Joe's notebook, while he's at Starbucks, saying XYZ antivirus found malware and he needs to install the fix right away? What are they supposed to do? Who do they ask for help?
Those are all good questions according to Emilee Rader, Rich Wash, and Brandon Brooks, researchers at Michigan State University's Department of Telecommunication, Information Studies, and Media (TISM). That's because they're interested in how 80 million plus household computer users are making security-related decisions. From the team's website:
Current education campaigns have failed to effect widespread changes in the security behaviors of non-technical users. New technologies are being developed, but will do nothing if users intentionally choose to ignore the technology or to work around it.
The National Science Foundation is also concerned about this, so much so that it awarded the research team a three-year grant:
To find better ways of informing people about security issues, altering their understanding of security threats and thereby their security behaviors, which will ultimately create more secure home computers.
The first piece of the puzzle was figuring out what people without IT help or experience base their security decisions on. The researchers feel they have found the answer, publishing their findings in "Stories as Informal Lessons about Security."
The paper points out that there are several ways people can learn about computer and information security:
- Personal experience in dealing with prior security issues.
- Formal education: classes and training seminars, for example.
- Online resources have advice for most situations.
All logical choices, but not what people are relying on. The paper explains:
In general, when people don't know how to act in a given situation, they either fall back on what little they already know, or they look to others around them to figure out how they should behave.
"Look to others" was a hint to the researchers, particularly Emilee with her psychology background. She mentioned that there is significant research data confirming that people prefer to learn by storytelling. That's right -- storytelling.
To see if they were onto something, the team conducted a survey, asking the respondents to:
- Recall all the stories they had heard about security-related issues.
- Choose one they remembered the best and provide details.
- Answer several questions about the story.
The paper has several examples of respondent stories in Appendix A. Here's my favorite:
It appears that Facebook has gotten yet another virus and people are posting weird things onto their friends' walls without them knowing. So if you get a notification about someone posting on your wall be careful and not directly click on it or else your Facebook might get hacked or a virus.
What I took away from reading the stories is their relative accuracy. I asked Emilee if anything about the stories surprised her. She replied:
To be honest, we were surprised respondents had stories, and they were quite effective in getting their point across. We also noticed a problem with storytelling. The stories we received are good at describing consequences, but did not explain how to prevent the incident from occurring.
The following statistics were gleaned from the respondent answers:
- 95 percent believed the story to be true.
- 55 percent of the stories were about family or friends.
- 51 percent were about the person telling the story.
- 35 percent of the stories ended well.
- 72 percent of the stories had a lesson.
The statistic that impressed me was the 95 percent who believed the story to be true. I'm betting most IT experts would like to have that percentage of users believing what they say.
The research team assembled a list of lessons they learned from the survey:
- Respondents feel the Internet is a dangerous place, and people must try to be secure and protect themselves.
- Respondents reported that these security stories frequently changed both their thinking about security issues, and their behavior with respect to security.
- Stories with lessons were twice as likely to cause a change in behavior as stories without a lesson.
- Stories that are autobiographical were very likely to cause a change in behavior when compared to stories about others.
- The odds of a story told in a home context leading to a change in behavior are 95 percent greater than a story told in a formal context, such as an office.
I mentioned to Emilee that, with all this positive feedback, it seems they may be onto something. I then asked how the team would use what they learned to improve user education:
We all know that experts are correct in their assertions, but people aren't listening. We want to figure out how to communicate the issues to people in a storytelling fashion rather than "speaking from on high."
I met a friend for coffee yesterday. I had an ulterior motive -- she's a therapist. I was curious to learn what she thought about the article, and how storytelling enhances user education. She immediately understood, mentioning, "You never tell anyone what to do. You tell them what may or may not have worked for you." Sound familiar?
I'd like to thank Emilee Rader, Rich Wash, and Brandon Brooks for their help in understanding how one of my favorite things -- storytelling -- may solve a huge problem. I'd also like to thank the Association for Computing Machinery for permission to pull quotes from the team's research paper.