©2015CarnegieMellonUniversity:1
Social Cybersecurity
Applying Social Psychology
to Cybersecurity
Jason Hong
Laura Dabbish
Sauvik Das
Hyun-Jin Kim
HCIC
June 30, 2015
Computer
Human
Interaction:
Mobility
Privacy
Security
or, A Computer Scientist’s
View of HCI and Theory
Introduction
• This is the most unusual talk
I’ve ever given
• Got lots of funny looks from people
“You’re going to talk about theory??” (Ed Chi, Leila Takayama, James Landay)
Who am I? What am I doing here?
Most of My Work is Atheoretical
• I do work in privacy, cybersecurity,
ubicomp
• But little of it grounded in theory
But It’s Not Just Me
Technical HCI work
doesn’t seem to build
a lot on top of each
other’s work. There
doesn’t seem to be a
lot of theory either.*
*not an exact quote
Bob Kraut
(Jedi Master, CMU)
Examples of Tech HCI
Why Little Theory Building in
Tech HCI?
• Is it because it’s engineering?
– I would say no
– Civil Eng has traffic modeling, materials
– MechE has heat transfer, mass transfer
– EE has AC theory, circuit models, signal
Why Little Theory Building in
Tech HCI?
• Science of the artificial
– Outside of speed of light, few limits
to computing
– We make a lot of the rules, and mostly
limited by our imagination and market
• Compare to natural science
– Only one way DNA works
– Only one way brain circuit works
– (And only one research team can win)
Why Little Theory Building in
Tech HCI?
• No clear natural objective function
• Instead, goal of Tech HCI is to:
– Expand frontiers of what’s possible
(expand our imagination)
– Sweep parameter space to understand
principles and tradeoffs
• And while Tech HCI doesn’t build
theory, it will occasionally use it
Themes in This Talk
• Role of theory for Tech HCI?
• Kinds of theories useful for Tech HCI?
– Some theories more useful than others
• Will describe our work on cybersec
– Social Psych / Diffusion of Innovations
• My perspectives:
– Tech HCI research
– (Successful?) startup
– Helped run Master’s of HCI program
Cybersecurity Research Today
• Most research focused on computers
– Protocols, detection, static analysis
• Some research on individuals
– Mostly usability of tools
• But cybersec faces deep problems
– How do people learn cybersecurity?
– How can we fix misconceptions?
– How to change people’s behaviors?
A True Story
Did you hear what happened
to Moe? He slipped on ice
and damaged his laptop. Now
he can’t get his data.
I’m going to back
up my data right
now!
Light Bulb Moment
• Hung around behavioral scientists
for many years
– Learned about basics of social psych
thru osmosis
• Realized that this simple interaction
led to desirable action
How can we use social
influences to help
improve cybersecurity?
Social Proof
• Baseline effectiveness is 35%
• “showing each user pictures of friends who
said they had already voted, generated
340,000 additional votes nationwide”
• “they also discovered that about 4 percent of
those who claimed they had voted were not
telling the truth”
Energy Consumption
Social Cybersecurity
• Focus on usability has gotten us far,
but security features rarely adopted
• Pop Quiz: How many of you have
heard of / use these features?
– Two-factor authentication
– Login notifications on Facebook
– Trusted contacts on Facebook
Social Cybersecurity
• Adoption rate typically single digits
[Das et al 2015]
• Why develop new tools if we can’t
get people to adopt existing ones?
Reflection 1
Good Theory Can Offer Inspiration
• Cybersecurity research somewhat
stuck in its approaches
• Diminishing returns after exploring,
need new ideas and perspectives
– See Lakhani08 paper on Innocentive
Social Cybersecurity
Our Team’s Work to Date
• Interviews about why people
changed behaviors and what they
talk about with others [SOUPS 2014]
• Study w/ Facebook evaluating social
interventions [CCS 2014]
• Analysis of who does and doesn’t
adopt features [CSCW 2015]
Semi-Structured Interviews
• Interviewed 19 people
– Mobile authentication
– App installation / uninstallation
– Online privacy settings
• What caused the change?
• Hear about incident thru a friend?
• Talk to others about the change?
Das, S., H.J. Kim, L. Dabbish, and J.I. Hong. The Effect of Social
Influence on Security Sensitivity. SOUPS 2014.
Cybersec Behavior Changes
• 114 behavior changes coded
• 48 had social influences (42%)
– Observing friends (14 of 48)
– Social sensemaking (9 of 48)
– Pranks and demonstrations (8)
– Experiencing security breach (6)
– Sharing access (3)
Insight #1 - Observability
• One person stopped in coffee shop
and asked about the Android 9-dot:
“We were just sitting in a coffee shop and I wanted to show somebody something and [they said], ‘My phone does not have that,’ and I was like, ‘I believe it probably does.’”
Diffusion of Innovations
• Five major factors
for successful
innovations:
– Relative Advantage
– Trialability
– Complexity
– Compatibility
– Observability
Most Cybersecurity not very
Observable
• How strong are Gary’s passwords?
• What privacy settings does Leysia
have for Facebook?
• What does Jofish look for to avoid
phishing attacks?
• Low observability -> hard to diffuse
Reflection 2
Good Theory Offers Vocabulary
• If we weren’t aware of Diffusion of
Innovations, might have overlooked
the comments about Observability
• Act of having a name focuses
Insight #2 – Social Factors
Might Work Against Adoption
• A lot of early adopters tend to be:
– Security experts
– People with clear reason (e.g. job)
– Viewed as “Nutty” or paranoid [Gaw et al 06]
• Brand disenfranchisement
– Illusory correlation between something
(use of security tools) and attributes of
users
Who Uses What Computer?
• “These people aren’t like me”
– (Regardless of whether true or not)
What are Professors Like?
Social Proof + Make
Cybersecurity Observable
• Variants
– Control
– Over # / %
– Only # / %
– Raw # / %
– Some
Das, S., A. Kramer, L. Dabbish, J.I. Hong. Increasing Security Sensitivity
With Social Proof: A Large-Scale Experimental Confirmation. CCS 2014.
Method
• Controlled, randomized study
with 50k active Facebook users
– 8 conditions, so N=6250
• Part of annual security awareness
campaign Facebook was going to
run anyway
Results of Experiment
Social Influences on Adoption
• Analyzed 1.5M people on Facebook
– No interventions, existing behaviors
– More adopters a person can see,
more likely to adopt (but J-curve)
– More social circles, stronger effects
– More observable and social feature
(trusted contacts), stronger effects
Das, S., A.D.I. Kramer, L. Dabbish, J.I. Hong. The Role of Social Influence
In Security Feature Adoption. CSCW 2015.
Ongoing Work
• Are there other ways to make
security more observable (+ safe)?
– Note that this is counter to
conventional wisdom of security
• Other social techniques to influence
people’s awareness, knowledge,
motivation?
Reflection 3
Good Theory Should Offer Guidance
• We could have done mass A/B tests
of interventions without theory
– (This is essentially what industry does)
– Instead, Social psych and Diffusion of
Innovations gave us direction
• Blind searches unsatisfying
– Dan Russell’s talk at HCIC 2009
– Eric Brill’s talk at HCIC 2013
Dan Russell’s HCIC 2009 Slides
What to Name Buttons?
Dan Russell’s HCIC 2009 Slides
Why Unsatisfying?
• What’s generalizable?
• What did we as a community learn?
Reflection 4
Good Theory Should Offer Insight
“For instance, when Appel and Haken completed a
proof of the 4-color map theorem using a massive
automatic computation, it evoked much
controversy.
I interpret the controversy as having little to do
with doubt people had as to the veracity of the
theorem or the correctness of the proof. Rather, it
reflected a continuing desire for human
understanding of a proof, in addition to knowledge
that the theorem is true.”
- William Thurston, On Proof and Progress in Mathematics
Reflection 4
Good Theory Should Offer Insight
• Alternative formulation by Tim Gowers
The Two Cultures of Mathematics
– (i) The point of solving problems is to
understand mathematics better.
– (ii) The point of understanding mathematics is
to become better able to solve problems.
– Mathematicians lie on spectrum
Pasteur’s Quadrant
Good Science + Good Applications
Advice for Theory Builders
Consider Insight + Guidance
Guidance (What to Build / How to Build it Better)
Insight
• Situated Action
• Activity Theory
• Distributed Cognition
• Embodied Interaction
• Ethnography
• Fitts’ Law
• Learning science
• Visual Perception
• Social Psych
• Motivation
• Heuristic Evaluation
• Contextual Inquiry
• 41 Shades of Blue (A/B)
• Iterative Design
• Agile / Lean
Advice for Theory Builders
Consider Repackaging Too
Guidance (What to Build / How to Build it Better)
Insight
• Situated Action
• Activity Theory
• Distributed Cognition
• Embodied Interaction
• Ethnography
• Fitts’ Law
• Learning science
• Visual Perception
• Social Psych
• Motivation
• Heuristic Evaluation
• Contextual Inquiry
• 41 Shades of Blue
• Iterative Design
• Agile / Lean
Wishlist for Tech HCI and
for Master’s Students
• Design Theory
– Service design
– Engagement, stickiness
• Emotional Attachment
• Innovation Theory
– What’s more likely to have impact?
– Product lifecycles
– Feature / Product / Business
Example for Innovation
Christensen’s Disruption Model
Lifecycle of Product
• New product starts out with
lots of chaos
• Eventually dominant design
appears, right combination
of existing features / ideas
• Less innovation in features,
few changes to dominant
design
• More innovation in process
of production
• Dominant design only
obvious in retrospect too
• Extreme focus on cost,
volume, capacity
• Very little innovation
• Cycle starts anew
• But winner of last cycle
rarely winner of next
• Formed network, doesn’t
want to anger them
Conjecture: These Can Help
Tech HCI Research
• Can focus research on the phase
your company is in
– More useful to help industry research
for connecting research to product
– A/B tests only useful in later phases
• Can look forward to next fluid phase
– We already do this
– More useful for academic
Other Advice For Theory
Builders
• Five major factors:
– Relative Advantage
– Trialability
– Complexity
– Compatibility
– Observability
• How might you apply
these to your work?
Summary
• Reflections: Good Theory…
– Can Offer Inspiration
– Offers Vocabulary
– Should Offer Guidance
– Should Offer Insight
• For theory builders: Consider…
– Insight + Building Apps
– Diffusion of Innovations
Reflection N
Be Prepared to Invest a lot of Time
• This work only came about b/c of
hanging around behavioral folks
• And because cross-trained students
• Big open question: how to train PhD
students, given breadth of HCI?
Technical HCI Rarely Uses
or Builds Theory
• Mostly uses low-level perception
and interaction
– Ex. Fitts’ law, psychoacoustics,
visual perception, reaction times
– (Often built into toolkits)

Social Cybersecurity , or, A Computer Scientist's View of HCI and Theory, at HCIC 2015