Presented July 15, 2018 to the 2018 Organizational Science and Cybersecurity Workshop, George Mason University, Fairfax, VA, USA. In this talk, I present the Transtheoretical Model (TTM) of Behavior Change for use in an organizational context as part of a larger reframing of end-user cybersecurity as a problem of organization health and wellness. I explain a visual diagram of six TTM Stages of Change and associated intervention strategies, as adapted from medical and wellness literature, and relate these to examples of security interventions currently in use, such as password strength indicators and Facebook Trusted Contacts. I conclude with my view that this framing can help researchers and practitioners approach “wicked problems” of organizational security that are not “tame” or one-and-done engineering problems but socio-cultural conditions that call for sustained, empowered action.

1. Reframing
Organizational Cybersecurity
to Design for “Cyber Health”
Cori Faklaris | July 15, 2018
Presentation to the 2018 Organizational Science and Cybersecurity Workshop,
George Mason University, Fairfax, VA, USA

2. 1. About me
2. Background for my work
3. Big idea
4. How to use this big idea (in theory)
5. Does this big idea work in practice
Agenda
Cori Faklaris - July 2018 - Carnegie Mellon University - Page 2

3. ● PhD student researcher at Carnegie Mellon HCII
○ Social cybersecurity, Design of information systems,
Emerging trends in social media and messaging apps
● M.S., Human-Computer Interaction
○ Indiana University School of Informatics and Computing
○ Thesis: The State of Digital ‘Fair Use’
● B.S., Journalism, News-Editorial sequence
○ University of Illinois at Urbana-Champaign College of Media
● Social Media Consultant and Editor/Writer
● Previous job titles in news media included:
○ Engagement Producer, Page Designer, Copy Editor,
Correspondent, Columnist, Reporter ...
○ “Doer of Things No One Else Wants to Do” (IT, UX :-)
3Cori Faklaris - July 2018 - Carnegie Mellon University - Page 3

4. 4

5. Many problems in human-computer interaction are
ill-defined, complex and/or involve unknown factors.
The “Design Thinking” methodology provides a
solutions-based approach to solving these problems.
https://www.interaction-design.org/literature/article/5-stages-in-the-design-thinking-process
5
Empathize Define Ideate TestPrototype
Cori Faklaris - July 2018 - Carnegie Mellon University - Page 5

6. “Wicked Problems”:
As opposed to “tame problems” or one-and-done
engineering problems, these are social conditions that call
for sustained, empowered action - and for which solving
one problem often creates another problem.
Horst W.J. Rittel and Melvin M. Webber. 1973. “Dilemmas in a general theory of planning.” Policy
sciences, 4(2), 155-169.
6Cori Faklaris - July 2018 - Carnegie Mellon University - Page 6

7. ● Use multiple systems
● Be flexible in approaches
● Work collaboratively
Christopher Crouch and Jane Pearce. 2012. Doing Research in Design. Bloomsbury.
7Cori Faklaris - July 2018 - Carnegie Mellon University - Page 7

8. Is Organizational Cybersecurity
a “Wicked Problem?”
● A lack of definitive formulation.
● No stopping rule that determines when a solution has been found.
● Good or bad solutions rather than true or false solutions.
● Lack of immediate and ultimate tests of solutions.
● Solutions are “one-shot” operations rather than trial and error.
● Lack of criteria that indicate all solutions have been identified.
● The uniqueness of every wicked problem.
8Cori Faklaris - July 2018 - Carnegie Mellon University - Page 8

9. 9
Social contagion
Herd immunity
Viral hoaxes

10. Transtheoretical Model of (Health) Behavior Change
● Based on James Prochaska, Carlo DiClemente and others’ work on
“self-change” for smokers, substance abusers, anorexics, more.
● Attempt to pull together concepts from many different psychosocial theories
into one model covering the spectrum of readiness to change.
○ Precontemplation, Contemplation, Preparation, Action, Relapse, Maintenance.
○ Termination is considered an idealistic stage and often not achieved in practice.
● In this model, humans’ readiness to change is the result of a decisional
balance of pros and cons for the self and for significant others (Janis &
Mann, 1977) along with self-efficacy and temptation.
○ Different cognitive values are emphasized at different stages of change.
○ Different processes are emphasized at each stage of change to move people from one stage
to the next.
10Cori Faklaris - July 2018 - Carnegie Mellon University - Page 10

11. Source: “The Transtheoretical Model ( Stages of Change)”. 2016. Boston University School of Public Health. Last visited Feb. 7, 2018
at http://sphweb.bumc.bu.edu/otlt/MPH-Modules/SB/BehavioralChangeTheories/BehavioralChangeTheories6.html
(Awareness)
(Motivation)
(Knowledge)
(Resistance)
(Reinforcement)
(Denial)
11

12. Pre-Contemplation
AW
ARENESS
MOTIVATION
Contemplation
Preparation
(Determination)Action
M
aintenance
-Regulations
-Government
-Society
-Culture
Relapse
-Larger
system
environment
-Global
internet
infrastructure
SELF-EFFICACY
TEMPTATION
KNOWLEDGE
REINFORCEMENT
R
ESISTAN
C
E
DENIAL
SITUATIONAL FACTORS
SOCIAL FACTORS
OTHER
INDIVIDUAL
FACTORS
EXTERNAL
FACTORS
EXTERNAL
FACTORS
12Cori Faklaris - July 2018 - Carnegie Mellon Univ. - Page 12

13. 13

14. 14

15. 15

16. 16

17. 17
Fish’n’Steps: Encouraging
physical activity with an
interactive computer game
James J. Lin, Lena Mamykina,
Silvia Lindtner, Gregory Delajoux,
and Henry B. Strub. 2006. In
International conference on
ubiquitous computing, 261–278.
Cori Faklaris - July 2018 - Carnegie Mellon University - Page 17

18. 18
Research plan to test TTM as security design model
● Create security interventions that help end users to reflect on their
security practices and leverages their natural interest in helping
themselves and their significant others - family, friends, partners, work
teams, other social groups - to get things done and to maintain bonds.
○ Already exist and/or are in development for the Social Cybersecurity project.
○ Quiz on cybersecurity knowledge, a game application to simulate an IT help desk working on
software updates, a browser plugin to crowdsource recommended settings for social media
accounts, Thumprint user-authentication system.
● Assess whether there is evidence that the interventions help to move
them from one Stage of Change to another stage.
○ Developing Security Sensitivity psychometric scale.
○ Conduct interviews with participants and log their system actions.
Cori Faklaris - July 2018 - Carnegie Mellon University - Page 18

20. ● Lens: Security as health
● Design model adapts TTM
● How to use the model
Any questions?
You can find me at
○ Twitter: @heycori | Email: heycori @cmu.edu
○ Website: http://corifaklaris.com
20
20Cori Faklaris - July 2018 - Carnegie Mellon University - Page 20