Staying Safe Online
Required Reading
- "… no one Can Hack My Mind": Comparing Expert and Non-Expert Security Practices by Ion, Iulia, Rob Reeder, and Sunny Consolvo
Learning Outcomes
Understand
- Your own security posture
- It's easy to impact the views of others just by how a question is asked.
- Match approaches to the type of information you want to know
Apply
- Try asking friends or family what three things they would suggest other people do to stay safe online. Do their suggestions match the common suggestions?
Referenced in class
- Introducing the cybersurvival task: assessing and addressing staff beliefs about effective cyber protection by Nicholson, James, Lynne Coventry, and Pam Briggs
Lecture Notes
For this module you will start by thinking about how you yourself think about and act with regard to security. People rarely take the time to think about their security, and therefore you may find yourself forming opinions as you think. The various activities in this module are intended to elicit preferences, attitudes, opinions, knowledge, and intended behavior from people.
Security is known as a “secondary task”, that is, something that has to be done in order to complete other tasks. For example, people rarely have the goal of unlocking the door to their home; instead they have a goal like “go inside”, which has a sub-task of “unlock the door”. Similarly, people rarely go to the Facebook homepage to log in; instead they go to view their feed or post. Logging in is a sub-task of gaining further access.
Staying safe online
Online safety is a deceptively complex task for most users. It involves everything from their understanding of the threats, to their models of how computers work, and even their expectations around how effective different mitigation strategies are. In this module we will be discussing how people go about keeping themselves safe and what they define “safe” as. Towards the end of the module we will also discuss the widely accepted definition of security and how that aligns with what we have learned about people.
Eliciting views and preferences
Asking people about security views, preferences, attitudes, and behaviors can be surprisingly complex. There are two main problems. 1) There is a known “correct” answer, which is that they are as secure as possible. People like to look like they are doing the right thing, so when you ask them they may answer as if they are doing the best thing even if they are not. 2) People don’t think about security very often, and as people we develop opinions by talking and thinking about things. So when you ask them about security they start thinking about the problem and generate opinions as they are talking. For example, most Canadians can easily answer questions like “what is your favorite type of music” or “which hockey team do you support” because they have thought about these issues before. Compare that to “What door in Davis Center do you most enjoy walking through?” You probably never thought about the issue of Davis Center doors before, but you are now thinking about the issue and developing an opinion. Perhaps you are recalling the experience of walking through the door nearest the Tim Hortons and smelling the coffee. Or the sound of library whispers when you walk through the library entrance door. Asking about security is somewhat similar to asking about Davis Center doors. Most people have at best a vague opinion before being asked and then develop an opinion as they answer the question.
Eliciting views and preferences in security can be challenging, but there are a range of ways to do it that minimize bias. There are also a range of methods meant to help with self-reflection that allow people to assess and possibly improve their own security approaches.
Additional Resources
- Boyd, M. J., Sullivan Jr, J. L., Chetty, M., & Ur, B. (2021, May). Understanding the security and privacy advice given to Black Lives Matter protesters. In Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems (pp. 1-18).
- Are you using cookies? Then this Ultimate Guide is for you. by Frank Moraes
- Kami Vaniea, Yasmeen Rashidi (2016). Tales of Software Updates: The process of updating software. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems.
- Sara S. Albakry, Kami Vaniea, Maria K. Wolters (2020). What is this URL’s Destination? Empirical Evaluation of Users’ URL Reading. In Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems.
- Kholoud Althobaiti, Nicole Meng-Schneider, Kami Vaniea (2021). I Don’t Need an Expert! Making URL Phishing Features Human Comprehensible. In Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems.
- Paper on computing agreement for qualitative coding: Assessing agreement on classification tasks: the kappa statistic (arxiv.org)
Papers linked to survey scales
- Serge Egelman and Eyal Peer. 2015. Scaling the Security Wall: Developing a Security Behavior Intentions Scale (SeBIS). In Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems (CHI ’15). Association for Computing Machinery, New York, NY, USA, 2873–2882. https://doi.org/10.1145/2702123.2702249
- Serge Egelman, Marian Harbach, and Eyal Peer. 2016. Behavior Ever Follows Intention? A Validation of the Security Behavior Intentions Scale (SeBIS). In Proceedings of the 2016 CHI Conference on Human Factors in Computing Systems (CHI ’16). Association for Computing Machinery, New York, NY, USA, 5257–5261. https://doi.org/10.1145/2858036.2858265