Social Cybersecurity, or, A Computer Scientist's View of HCI and Theory, at HCIC 2015


©2015 Carnegie Mellon University

Social Cybersecurity: Applying Social Psychology to Cybersecurity

Jason Hong, Laura Dabbish, Sauvik Das, Hyun-Jin Kim

HCIC, June 30, 2015

Computer Human Interaction: Mobility Privacy Security


or, A Computer Scientist’s View of HCI and Theory


Introduction

• This is the most unusual talk I’ve ever given

• Got lots of funny looks from people

“You’re going to talk about theory??” (Ed Chi, Leila Takayama, James Landay)


Who am I? What am I doing here?


Most of My Work is Atheoretical

• I do work in privacy, cybersecurity, ubicomp

• But little of it grounded in theory


But It’s Not Just Me

Technical HCI work doesn’t seem to build a lot on top of each other’s work. There doesn’t seem to be a lot of theory either.*

*not an exact quote

Bob Kraut (Jedi Master, CMU)


Examples of Tech HCI


Why Little Theory Building in Tech HCI?

• Is it because it’s engineering?
  – I would say no
  – Civil Eng has traffic modeling, materials
  – MechE has heat transfer, mass transfer
  – EE has AC theory, circuit models, signal


Why Little Theory Building in Tech HCI?

• Science of the artificial
  – Outside of speed of light, few limits to computing
  – We make a lot of the rules, and mostly limited by our imagination and market
• Compare to natural science
  – Only one way DNA works
  – Only one way brain circuit works
  – (And only one research team can win)


Why Little Theory Building in Tech HCI?

• No clear natural objective function
• Instead, goal of Tech HCI is to:
  – Expand frontiers of what’s possible (expand our imagination)
  – Sweep parameter space to understand principles and tradeoffs
• And while Tech HCI doesn’t build theory, it will occasionally use it


Themes in This Talk

• Role of theory for Tech HCI?
• Kinds of theories useful for Tech HCI?
  – Some theories more useful than others
• Will describe our work on cybersec
  – Social Psych / Diffusion of Innovations
• My perspectives:
  – Tech HCI research
  – (Successful?) startup
  – Helped run Master’s of HCI program


Cybersecurity Research Today

• Most research focused on computers
  – Protocols, detection, static analysis
• Some research on individuals
  – Mostly usability of tools
• But cybersec faces deep problems
  – How do people learn cybersecurity?
  – How can we fix misconceptions?
  – How to change people’s behaviors?


A True Story

Did you hear what happened to Moe? He slipped on ice and damaged his laptop. Now he can’t get his data.


I’m going to back up my data right now!


Light Bulb Moment

• Hung around behavioral scientists for many years
  – Learned about basics of social psych thru osmosis
• Realized that this simple interaction led to desirable action


How can we use social influences to help improve cybersecurity?


Social Proof


• Baseline effectiveness is 35%


• “showing each user pictures of friends who said they had already voted, generated 340,000 additional votes nationwide”

• “they also discovered that about 4 percent of those who claimed they had voted were not telling the truth”


Energy Consumption


Social Cybersecurity

• Focus on usability has gotten us far, but security features rarely adopted
• Pop Quiz: How many of you have heard of / use these features?
  – Two-factor authentication
  – Login notifications on Facebook
  – Trusted contacts on Facebook


Social Cybersecurity

• Adoption rate typically single digits [Das et al 2015]

• Why develop new tools if we can’t get people to adopt existing ones?


Reflection 1: Good Theory Can Offer Inspiration

• Cybersecurity research somewhat stuck in its approaches
• Diminishing returns after exploring, need new ideas and perspectives
  – See Lakhani08 paper on Innocentive


Social Cybersecurity: Our Team’s Work to Date

• Interviews about why people changed behaviors and what they talk about with others [SOUPS 2014]

• Study w/ Facebook evaluating social interventions [CCS 2014]

• Analysis of who does and doesn’t adopt features [CSCW 2015]


Semi-Structured Interviews

• Interviewed 19 people
  – Mobile authentication
  – App installation / uninstallation
  – Online privacy settings
• What caused the change?
• Hear about incident thru a friend?
• Talk to others about the change?

Das, S., H.J. Kim, L. Dabbish, and J.I. Hong. The Effect of Social Influence on Security Sensitivity. SOUPS 2014.


Cybersec Behavior Changes

• 114 behavior changes coded
• 48 had social influences (42%)
  – Observing friends (14 of 48)
  – Social sensemaking (9 of 48)
  – Pranks and demonstrations (8)
  – Experiencing security breach (6)
  – Sharing access (3)


Insight #1 - Observability

• One person stopped in coffee shop and asked about the Android 9-dot:

“We were just sitting in a coffee shop and I wanted to show somebody something and [they said], ‘My phone does not have that,’ and I was like, ‘I believe it probably does.’”


Diffusion of Innovations

• Five major factors for successful innovations:
  – Relative Advantage
  – Trialability
  – Complexity
  – Compatibility
  – Observability


Most Cybersecurity not very Observable

• How strong are Gary’s passwords?
• What privacy settings does Leysia have for Facebook?
• What does Jofish look for to avoid phishing attacks?
• Low observability -> hard to diffuse


Reflection 2: Good Theory Offers Vocabulary

• If we weren’t aware of Diffusion of Innovations, might have overlooked the comments about Observability

• Act of having a name focuses


Insight #2 – Social Factors Might Work Against Adoption

• A lot of early adopters tend to be:
  – Security experts
  – People with clear reason (e.g. job)
  – Viewed as “Nutty” or paranoid [Gaw et al 06]
• Brand disenfranchisement
  – Illusory correlation between something (use of security tools) and attributes of users


Who Uses What Computer?

• “These people aren’t like me”
  – (Regardless of whether true or not)


What are Professors Like?


Social Proof + Make Cybersecurity Observable

• Variants
  – Control
  – Over # / %
  – Only # / %
  – Raw # / %
  – Some

Das, S., A. Kramer, L. Dabbish, J.I. Hong. Increasing Security Sensitivity With Social Proof: A Large-Scale Experimental Confirmation. CCS 2014.


Method

• Controlled, randomized study with 50k active Facebook users
  – 8 conditions, so N=6250

• Part of annual security awareness campaign Facebook was going to run anyway


Results of Experiment


Social Influences on Adoption

• Analyzed 1.5M people on Facebook
  – No interventions, existing behaviors
  – More adopters a person can see, more likely to adopt (but J-curve)
  – More social circles, stronger effects
  – More observable and social feature (trusted contacts), stronger effects

Das, S., A.D.I. Kramer, L. Dabbish, J.I. Hong. The Role of Social Influence In Security Feature Adoption. CSCW 2015.


Ongoing Work

• Are there other ways to make security more observable (+ safe)?
  – Note that this is counter to conventional wisdom of security

• Other social techniques to influence people’s awareness, knowledge, motivation?


Reflection 3: Good Theory Should Offer Guidance

• We could have done mass A/B tests of interventions without theory
  – (This is essentially what industry does)
  – Instead, Social psych and Diffusion of Innovations gave us direction
• Blind searches unsatisfying
  – Dan Russell’s talk at HCIC 2009
  – Eric Brill’s talk at HCIC 2013


Dan Russell’s HCIC 2009 Slides


What to Name Buttons?

Dan Russell’s HCIC 2009 Slides


Why Unsatisfying?

• What’s generalizable?
• What did we as a community learn?


Reflection 4: Good Theory Should Offer Insight


“For instance, when Appel and Haken completed a proof of the 4-color map theorem using a massive automatic computation, it evoked much controversy. I interpret the controversy as having little to do with doubt people had as to the veracity of the theorem or the correctness of the proof. Rather, it reflected a continuing desire for human understanding of a proof, in addition to knowledge that the theorem is true.” - William Thurston, On Proof and Progress in Mathematics


• Alternative formulation by Tim Gowers, The Two Cultures of Mathematics
  – (i) The point of solving problems is to understand mathematics better.
  – (ii) The point of understanding mathematics is to become better able to solve problems.
  – Mathematicians lie on spectrum


Pasteur’s Quadrant: Good Science + Good Applications


Advice for Theory Builders: Consider Insight + Guidance

[Chart axes: Insight; Guidance (What to Build / How to Build it Better)]

• Situated Action
• Activity Theory
• Distributed Cognition
• Embodied Interaction
• Ethnography

• Fitts’ Law
• Learning science
• Visual Perception
• Social Psych
• Motivation

• Heuristic Evaluation
• Contextual Inquiry
• 41 Shades of Blue (A/B)
• Iterative Design
• Agile / Lean


Advice for Theory Builders: Consider Repackaging Too


Wishlist for Tech HCI and for Master’s Students

• Design Theory
  – Service design
  – Engagement, stickiness
• Emotional Attachment
• Innovation Theory
  – What’s more likely to have impact?
  – Product lifecycles
  – Feature / Product / Business


Example for Innovation: Christensen’s Disruption Model


Lifecycle of Product


• New product starts out with lots of chaos
• Eventually dominant design appears, right combination of existing features / ideas


• Less innovation in features, few changes to dominant design

• More innovation in process of production

• Dominant design only obvious in retrospect too


• Extreme focus on cost, volume, capacity

• Very little innovation


• Cycle starts anew

• But winner of last cycle rarely winner of next

• Formed network, doesn’t want to anger them


Conjecture: These Can Help Tech HCI Research

• Can focus research on the phase your company is in
  – More useful to help industry research for connecting research to product
  – A/B tests only useful in later phases
• Can look forward to next fluid phase
  – We already do this
  – More useful for academic


Other Advice For Theory Builders

• Five major factors:
  – Relative Advantage
  – Trialability
  – Complexity
  – Compatibility
  – Observability
• How might you apply these to your work?


Summary

• Reflections: Good Theory…
  – Can Offer Inspiration
  – Offers Vocabulary
  – Should Offer Guidance
  – Should Offer Insight
• For theory builders: Consider…
  – Insight + Building Apps
  – Diffusion of Innovations


Reflection N: Be Prepared to Invest a lot of Time

• This work only came about b/c of hanging around behavioral folks
• And because cross-trained students
• Big open question: how to train PhD students, given breadth of HCI?


Technical HCI Rarely Uses or Builds Theory

• Mostly uses low-level perception and interaction
  – Ex. Fitts’ law, psychoacoustics, visual perception, reaction times
  – (Often built into toolkits)