Social Cybersecurity: Reshaping Security through an Empirical Understanding of Human Social Behavior

Tuesday, January 16, 2018 - 9:00 am - 9:30 am

Sauvik Das, Georgia Institute of Technology

Abstract: 

How can we design systems that encourage better cybersecurity behaviors? Despite important improvements to the usability of cybersecurity systems, much security advice goes ignored and many security systems remain underutilized. I argue that this disconnect can partially be explained by the fact that there’s a largely unconsidered cost to engaging in good security behaviors: costs of social face. For example, by using two-factor authentication, one might be perceived as “paranoid.” By encrypting one’s phone, one might be perceived as having something to hide. More generally, by caring too strongly about cybersecurity, one may give off the impression of being shady. In this talk, I present evidence in support of the following claim: Social influences strongly affect cybersecurity behaviors, and it is possible to encourage better cybersecurity behaviors by designing security systems that are more social.

First, I empirically modeled how social influences affect the adoption of security behaviors and systems of 1.5 million Facebook users. Second, I designed a notification that informs Facebook users that their friends use optional security systems to protect their own accounts and evaluated these “social” notifications in a randomized, controlled experiment with 50,000 Facebook users. In so doing, I provide some of the first direct evidence that security behaviors are strongly driven by social influence, and that the design of a security system strongly influences its potential for social spread. Specifically, security systems that are more observable, inclusive, and stewarded are positively affected by social influence, while those that are not are often negatively affected by social influence.

Taken together, my work argues for a future of socially intelligent security systems that understand and accommodate basic human behaviors, desires and capabilities.

Sauvik Das, Georgia Institute of Technology

Dr. Sauvik Das is an Assistant Professor of Interactive Computing at the Georgia Institute of Technology. His research, which intersects HCI, data science and cybersecurity, aims to empower people with novel security systems that mitigate costs of time, effort and social capital. His work has won three best paper and best paper honorable mention awards at premier venues (UbiComp 2013, CHI 2016 and 2017) as well as an Honorable Mention for the NSA’s Best Scientific Cybersecurity Paper Award in 2014. His work has also been widely covered by the popular press, including features in the Financial Times, Slate, Ars Technica and The Atlantic. In addition, he was an NDSEG Fellow, a Qualcomm Innovation Fellow, a Stu Card Graduate Fellow, and an NSF EAPSI Fellow. Sauvik earned his Ph.D. and M.S. in Human-Computer Interaction at Carnegie Mellon University and his B.S. in Computer Science at Georgia Institute of Technology.

BibTeX
@inproceedings {208147,
author = {Sauvik Das},
title = {Social Cybersecurity: Reshaping Security through an Empirical Understanding of Human Social Behavior},
booktitle = {Enigma 2018 (Enigma 2018)},
year = {2018},
address = {Santa Clara, CA},
url = {https://www.usenix.org/node/208148},
publisher = {USENIX Association},
month = jan
}
