People tend to focus more on the losses that will affect their immediate goal than the gains when making decisions under time pressure [12]. Users are often called on by the system to make a security decision while they are in the middle of an activity. In these cases, the user is often motivated to get on with the primary task as quickly as possible and, therefore, less likely to make a decision that further interrupts that task. In cases where users are prompted to install software updates, scan a file for viruses before opening, and so forth, users are less likely to comply when in the middle of another task, especially if in a hurry.
Losses perceived disproportionately to gains. People do not perceive gains and losses equally. Tversky and Kahneman [8] showed that when individuals perceive a gain and a loss to have the same value, the loss is more motivating in the decision (see Figure 2). In short, this means that a loss of $100 is more adverse than a gain of $100 is attractive to a decision maker.
This suggests that while a system designer may consider the cost of security effort small, the loss could be perceived as worse than the greater gain in safety. Put simply, the user must perceive a greater magnitude of gain than of loss.
IMPROVING SECURITY COMPLIANCE AND DECISION MAKING
Using the principles at work in security decision making, there are several avenues that may improve user security behavior.
Reward pro-security behavior. There must be a tangible reward for making good security decisions. Some suggest that corporate IT organizations would be encouraged to adopt stronger security practices if insurance companies offered lower premiums to those who protect themselves by certain measures [5]. Likewise, end users must be motivated to take pro-security actions.
Figure 3. Can you spot the security message? (Part 2) Well-designed security messages have distinct visual and auditory properties that make them stand apart from all other message dialogs and indicate the criticality of the message.
Increasing the immediate and tangible reward for secure actions may increase compliance. One form of reward is to see that the security mechanisms are working and that the action the user chose is, in fact, making them safer. This makes safety a visible gain when evaluating gains and losses in a security decision.
A good example of this is when an antivirus or antispyware product finds and removes malicious code. In these cases, the security application often issues a notification that it has found and mitigated a threat. This is an effective way for a security system to prove its value to the user by showing there was a risk and that the system protected them. Returning to the access control scenario for file sharing, it would be possible to report attempts at unauthorized access to the file owner.
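The following is an added example, not code from the article, showing how the file-sharing idea above could be implemented: every denied read is recorded, and the owner is shown a summary of blocked attempts, so the protection becomes a visible gain rather than invisible overhead. The file name, user names and access list are constructed sample data.

```python
# Added example, not from the article: a toy file-sharing access check that
# records every denied request and reports blocked attempts back to the file
# owner. File names, user names and the ACL are constructed sample data.
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class SharedFile:
    name: str
    owner: str
    readers: set = field(default_factory=set)  # users besides the owner allowed to read


@dataclass
class AccessAttempt:
    when: datetime
    actor: str
    file: str
    allowed: bool


class FileShare:
    def __init__(self):
        self.files = {}  # name -> SharedFile
        self.log = []    # every attempt, allowed or denied

    def add_file(self, shared):
        self.files[shared.name] = shared

    def read(self, actor, name):
        """Return the contents if `actor` may read the file; otherwise log and refuse.
        Unknown files are refused with the same error so a denied request does not
        reveal whether the name exists."""
        shared = self.files.get(name)
        allowed = shared is not None and (actor == shared.owner or actor in shared.readers)
        self.log.append(AccessAttempt(datetime.now(timezone.utc), actor, name, allowed))
        if not allowed:
            raise PermissionError(f"{actor} may not read {name}")
        return f"<contents of {name}>"

    def blocked_attempts(self, owner):
        """Denied attempts on files this owner controls, as {file: {actor: count}}."""
        owned = {n for n, f in self.files.items() if f.owner == owner}
        counts = defaultdict(Counter)
        for attempt in self.log:
            if not attempt.allowed and attempt.file in owned:
                counts[attempt.file][attempt.actor] += 1
        return {f: dict(c) for f, c in counts.items()}

    def owner_notification(self, owner):
        """Human-readable lines to show the owner, making the blocked attempts visible."""
        lines = []
        for fname, actors in sorted(self.blocked_attempts(owner).items()):
            for actor, n in sorted(actors.items()):
                lines.append(f"{fname}: blocked {n} unauthorized read attempt(s) by {actor}")
        return lines


def demo():
    """Constructed scenario: alice shares budget.xlsx with bob; mallory is refused twice."""
    share = FileShare()
    share.add_file(SharedFile("budget.xlsx", owner="alice", readers={"bob"}))
    share.read("bob", "budget.xlsx")  # allowed, and still logged
    for _ in range(2):
        try:
            share.read("mallory", "budget.xlsx")
        except PermissionError:
            pass  # denied and logged
    return share


if __name__ == "__main__":
    for line in demo().owner_notification("alice"):
        print(line)
```

Allowed reads are logged as well as denied ones, so the owner's report is computed from a complete record rather than from a separate error path; the notification text itself is where a real system would apply the distinct visual and auditory treatment the article calls for.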
Improve the awareness of risk. As discussed earlier, people often believe they are at less risk compared to others. One way to increase security compliance is to increase user awareness of the risks they face. This could be achieved through user training and education in general but should also be built into systems to support specific events.
One classically deficient area in the security of systems is messages and alerts. Security messages often resemble other message dialogs (Figure 2). As a result, security messages may not stand out in importance and users often learn to disregard them.
To avoid the response bias problems faced by most message dialogs, security messages should be instantly distinguishable from other message dialogs. Security messages should look and sound very different (illustrated in Figure 3). This helps mitigate the blasé attitude with which users attend to the information. Once the message dialog has the user's attention, they are more likely to read
Figure 2. Can you spot the security message? Message dialogs often look similar enough that no message stands out as more important than others.