Why do people follow computer security advice?

Why Do They Do What They Do?: A Study of What Motivates Users to (Not) Follow Computer Security Advice

Computer and data privacy are important, but not everyone follows best security practices. Researchers have long been curious as to what motivates individuals to follow computer security advice. Decision-making is a complicated process. People might make decisions by considering the benefits or consequences of an action. In a rational process, humans make informed choices based on the perceived costs or risks of their actions. Social motivations, such as the desire to please others, may also influence their decision. It is important to understand what motivates the decision-making process in order to help people make better security decisions.

Fagan and Khan wanted to clarify computer security decision-making. They used a short screening survey to gather 805 survey participants on Amazon Mechanical Turk, an online worker marketplace. They wanted to know if participants followed certain security recommendations and why. They looked at four common recommendations: updating software, using a password manager, using two-factor authentication and changing passwords. They then created 8 groups of 30-40 participants who completed follow-up surveys. They formed “yes” and “no” groups for each security recommendation based on whether participants said they followed the advice or not. The researchers then considered the rational and social aspects of each decision. They looked at the perceived benefit, cost and risk of following a recommendation or not.

Participants felt as if their decision brought them the most benefit. Whether they followed advice or not, users justified their decisions by saying the benefits outweighed the risks or inconveniences. Those who followed security recommendations rated the risk more highly. For them, the security benefits outweighed the cost of the inconvenience. Conversely, the convenience benefits outweighed the security risks for the people who did not follow security recommendations. They rated the convenience cost higher than those who did follow the advice. Participants felt that their current decision provided them with a greater benefit than they would get from changing. Social motivations seemed to have very little influence on computer security decisions.

It may be tempting to assume that people who choose not to follow security advice simply need to be better educated on the benefits of doing so. However, it is important to consider how people perceive the value of these benefits. Communicating convenience may be a greater motivator than risk for those not following advice.

Not everyone is motivated by recommendations focused on risk. Convenience and social reasons might have more effect.