Components of a Model of Cybersecurity Behavior Adoption
Cori Faklaris, Carnegie Mellon University
Workshop on Security Information Workers, Symposium on Usable Privacy and Security
Aug. 8, 2021
Agenda
▪ Introduction
▪ Existing models and their relevant components
▪ Overview of my thesis research to start defining the learning/adoption trajectories for end-user cybersecurity behavior
▪ Implications
Cori Faklaris • Carnegie Mellon University • corifaklaris.com • @heycori • 2
About Cori (@heycori)
▪ 5th year PhD candidate and researcher at the Human-Computer Interaction Institute, School of Computer Science, Carnegie Mellon University.
▪ Knight Fellow of the Center for Informed Democracy and Social Cybersecurity (IDeaS); CMU Presidential Fellow of the CyLab Security & Privacy Institute.
▪ Co-principal investigator on the NSF Social Cybersecurity project at the HCII (https://socialcybersecurity.org/).
▪ Past career in journalism, IT and social media (https://corifaklaris.com).
▪ Published at the USENIX Symposium on Usable Privacy and Security (SOUPS) and in Proceedings of the ACM: Human-Computer Interaction (CSCW), other venues.
Problem: Cyberdefense (Non-) Adoption
▪ Computing systems are increasingly central to society.
▪ But, many people do not understand enough about how they work - or what cyber-threats to guard against.
▪ Meanwhile, global costs of cybercrime jumped >50% in 2019-20, to over $1T.
Ruogu Kang, Laura Dabbish, Nathaniel Fruchter, and Sara Kiesler. 2015. “My Data Just Goes Everywhere:” User Mental Models of the Internet and Implications for Privacy and Security. In Symposium on Usable Privacy and Security (SOUPS), USENIX Association Berkeley, CA, 39–52. Retrieved from https://www.usenix.org/conference/soups2015/proceedings/presentation/kang
Zhanna Malekos Smith, Eugenia Lostri, and James A Lewis. 2020. The Hidden Costs of Cybercrime. McAfee.
Problem: Cyberdefense (Non-) Adoption
▪ Enterprise security training can cost around $300,000 + 100s of staff hours.
▪ Difficult to persuade users to accept and adopt security measures when they or their peers do not view these measures positively.
Tara Seals. 2017. Cost of User Security Training Tops $290K Per Year. Infosecurity Magazine. Retrieved January 20, 2021 from https://www.infosecurity-magazine.com:443/news/cost-of-user-security-training/
Cori Faklaris, Laura Dabbish, and Jason I Hong. 2019. A Self-Report Measure of End-User Security Attitudes (SA-6). In Proceedings of the Fifteenth Symposium on Usable Privacy and Security (SOUPS 2019), USENIX Association Berkeley, CA, Santa Clara, CA, 18. Retrieved from https://www.usenix.org/system/files/soups2019-faklaris.pdf
Sauvik Das, Adam D.I. Kramer, Laura A. Dabbish, and Jason I. Hong. 2015. The Role of Social Influence in Security Feature Adoption. In Proceedings of the 18th ACM Conference on Computer Supported Cooperative Work & Social Computing (CSCW ’15), ACM, New York, NY, USA, 1416–1426. DOI:https://doi.org/10.1145/2675133.2675225
Key Insight for Cyberdefense
To reduce costs and improve awareness + adoption, we should apply insights from:
▪ social psychology,
▪ marketing, and
▪ public health.
My Thesis
An empirical understanding of the cyberdefense adoption process will help us to specify the mental states and social influences acting at each step, leading to better targeting and timing of security interventions.
Focus: Understand Process of Cyberdefense (Non-) Adoption
Theoretical Modeling
● Many models of behavior adoption focus on concepts of expectancy (how likely it is thought that a desired, instrumental outcome will occur) and value (how much the outcome has importance or utility).
● They do not account for time or how thinking evolves.
Search string in Google Scholar using an "incognito" browser window in July 2021, with number of results:
Search string                                         Results
fogg behavior model and cybersecurity                 395
decisional balance theory and cybersecurity           1210
prospect theory and cybersecurity                     13700
health belief model and cybersecurity                 19500
theory of reasoned action and cybersecurity           18900
theory of planned behavior and cybersecurity          25000
protection motivation theory and cybersecurity        27800
technology acceptance model and cybersecurity         31300
Cori Faklaris. 2021. Components of a Model of Cybersecurity Behavior Adoption. In Workshop on Security Information Workers. Retrieved from https://corifaklaris.com/files/Faklaris_WSIW2021_stagemodels.pdf
Theory of Planned Behavior (TPB)
Protection Motivation Theory (PMT)
Technology Acceptance Model (TAM)
Focus: Understand Process of Cyberdefense (Non-) Adoption
Theoretical Modeling
● Stage models of behavior change account for the progress of time, breaking the continuum into chunks.
● The Transtheoretical Model sees change as a cyclical process, in which the associated processes of change help move people from one stage to the next.
● The Precaution Adoption Process Model breaks down “inaction” into unawareness, unengaged, undecided, and decided not to act; “action” stages are like TTM.
● The Diffusion of Innovations process model accounts for more “action” stage changes such as confirmation, later adoption, and discontinuance of adoption.
Search string in Google Scholar using an "incognito" browser window in July 2021, with number of results:
Search string                                              Results
transtheoretical model and cybersecurity                   112
precaution adoption process model and cybersecurity        9610
diffusion of innovations and cybersecurity                 17300
Transtheoretical Model (TTM)
[Figure labels: Experiential processes; Behavioral processes]
Diffusion of Innovations (DoI) Process Model
RQ: What stages do people go through in adoption (or non-adoption) of cybersecurity behaviors?
Method: Exploratory Sequential Mixed-Methods
[Figure: study design diagram. Labels: Phase 1 - Qualitative; Phase 2 - Quantitative; Phase 3; Interviews; Analysis; Survey Design; Surveys; Analysis; Triangulation and Integration]
John W. Creswell and J. David Creswell. 2017. Research Design: Qualitative, Quantitative, and Mixed Methods Approaches. SAGE Publications. Retrieved from https://play.google.com/store/books/details?id=KGNADwAAQBAJ
Cybersecurity has two different learning/adoption trajectories
[Figure: two trajectory diagrams, "Mandatory adoption" and "Voluntary adoption". Labels: Learning; Persuasion; Adoption; Threat; Authorities; Peers/Media]
Implications: Specify how the stages might vary for different security measures
For tool-based practices such as password managers, 2FA authentication:
▪ How many are aware of, motivated, and/or able to use each of the tools?
▪ How much do social influences and voluntariness weigh in the decision to adopt?
▪ Why do people stop using the tools, once adopted?
For knowledge-based practices such as timely updates, alertness to “fake news”:
▪ How many people are aware of which practices have merit, and when?
▪ Which cognitions or contexts cue them to act out practices?
▪ What defeats their intention to act out practices?
Outcome: Stage Model of Cybersecurity Behavior Adoption
▪ Moves the field of usable security away from “one size fits all” strategies
▪ Use to create a classification algorithm to direct resources, “interventions” (such as security tips or interface nudges) to those most likely to benefit.
▪ Boost effectiveness of cybersecurity risk assessments in resource-tight orgs
▪ Help adoption researchers to sharpen strategies, build business value
Future work
Collect experimental evidence for targeting security interventions by stage and by tool:
▪ Password managers
▪ Software updates
Examine how this and/or other stage models, such as Diffusion of Innovations, can be adapted for enterprise teams
What are your questions / feedback on these ideas?
