Content uploaded by Cori Faklaris
Author content
All content in this area was uploaded by Cori Faklaris on Jul 06, 2018
Content may be subject to copyright.
Adapting the Transtheoretical Model for the Design of Security Interventions

Cori Faklaris, Laura Dabbish and Jason Hong
Carnegie Mellon University, Pittsburgh, PA 15213, USA; cfaklari@cs.cmu.edu

ABSTRACT

The continued susceptibility of end users to cybersecurity attacks suggests an incomplete understanding of why some people ignore security advice and neglect to use best practices and tools to prevent threats. A more detailed and nuanced approach can help more accurately target security interventions for end users according to their stage of intentional security behavior change.

In this work, we adapt the Transtheoretical Model of Behavior Change for use in a cybersecurity design context. We provide a visual diagram of each stage and the associated causative concept (right, top) as adapted from public health and security literature. We then contribute advice for designers’ use of our model (right, bottom) in the context of human-computer interaction and the specific domain of usable privacy and security, such as for encouraging timely software updates, voluntary use of two-factor authentication and attention to password hygiene.

BACKGROUND
The Unified Theory of Use and Acceptance of Technology synthesizes the ideas of Davis et al. and Venkatesh et al. into one model of how users take action inside a computer system. In this view, situational and social factors, moderated by individual factors, precede the individual’s intention to use and actual use of the system.

Security Sensitivity is defined by Das as “the awareness of, motivation to use, and knowledge of how to use security tools”. This is based on prior findings that many people believe themselves in no danger of falling victim to a security breach and are unaware of the existence of tools to protect them against those threats; they perceive the inconvenience and cost to their time and attention as outweighing the harm of experiencing a security breach, and they think the tools are too difficult to use
or lack the knowledge to use them effectively.

HOW DESIGNERS CAN USE THE MODEL

Table columns: Stage, Evidence, Goal/Task, Effective Interventions, Examples, Successful Result.

Stage: Precontemplation
Evidence: “I don’t need to use / I don’t have time to use security practices.”
Goal/Task: Creating awareness and interest in users
Effective Interventions: Feedback; Education; Reading materials; Storytelling; Media campaigns; Empathy training
Examples: Password strength indicator; CyberQuiz-type materials; social media articles
Successful Result: “It may be a good idea to use security practices.”

Stage: Contemplation
Evidence: “I worry I don’t use / I may want to use security practices.”
Goal/Task: Motivating users and changing values
Effective Interventions: “Family interventions”; Role playing; Documentaries; Imagery; Value reflection/clarification
Examples: IT workshops; “Choose your own adventure” game
Successful Result: “I will regret it if I do not start using security practices.”

Stage: Preparation (Determination)
Evidence: “I want / I need to change my security practices.”
Goal/Task: Persuading users to put knowledge into action
Effective Interventions: Empowerment procedures and policies; Advocacy for marginalized users; Resolutions + Public Testimonies; Providing choices among 2-3 alternatives
Examples: “Magic link” alternative to password (Slack); signing security change contracts
Successful Result: “I feel better for committing to my chosen security practices.”

Stage: Action
Evidence: “I intend to use / I know why to use security practices.”
Goal/Task: Creating action and reinforcement of acts
Effective Interventions: Rewards, Punishments and Group recognitions; Rapport building, Coaching and Buddy systems; Self-help groups; Learning recommended substitute behaviors; Environmental Re-engineering; Controlling stimuli to avoid harmful or inadvisable actions
Examples: Thumprint (Das et al.); Facebook Trusted Contacts; chatbot to praise secure behaviors and offer tips; Inputting prank phrase on peer’s unlocked laptop; interface re-design to direct or nudge behaviors
Successful Result: “I ask for help with using / I get help with using / I am successful with / I keep improving my security practices.”

Stage: Maintenance
Evidence: “I am already using / I value security practices.”
Goal/Task: Maintaining and solidifying change
CYCLICAL MODEL OF SECURITY BEHAVIOR CHANGE

In our Cyclical Model of Security Behavior Change, the factors of Awareness, Motivation, Knowledge, Resistance, Reinforcement and Denial cause users to move through Stages of Change as they weigh pros and cons comprising Situational and Social Factors (Performance Expectancy, Effort Expectancy, Social Influence and Facilitating Conditions), along with Self-Efficacy and Temptation. Other Individual Factors (Gender, Age, Experience and Voluntariness of Use) and External Factors (such as Regulations) also affect the model.
Prochaska and DiClemente’s Transtheoretical Model of Behavior Change has been identified in the literature as a useful framework for privacy and security research. The TTM marks a shift from thinking of behavior change as occurring in a single, decisive moment to that of a longer-term, cyclical process in which people balance pros and cons along with Self-Efficacy and Temptation to make decisions and move through identifiable stages: Precontemplation, Contemplation, Preparation (also called Determination), Action, Relapse, and longer-term Maintenance of desired behaviors.
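As an added example (not the authors' code), the following Python sketch operationalizes the stage table and the cyclical model above for one target behavior, voluntary two-factor authentication: it infers a user's stage from a constructed event history, treats switching 2FA back off after adopting it as Relapse, and selects that stage's goal and one example intervention drawn from the table. The event names, the 90-day maintenance window and the Relapse row of the playbook are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Stage(Enum):
    PRECONTEMPLATION = "precontemplation"
    CONTEMPLATION = "contemplation"
    PREPARATION = "preparation"
    ACTION = "action"
    MAINTENANCE = "maintenance"
    RELAPSE = "relapse"  # stage the poster names; re-enters the cycle

# Goal and one example intervention per stage, following the poster's table.
# The Relapse entry is an assumption: the poster lists the stage but no row.
PLAYBOOK = {
    Stage.PRECONTEMPLATION: ("create awareness and interest", "feedback: account-risk indicator"),
    Stage.CONTEMPLATION: ("motivate and change values", "storytelling: short account-takeover story"),
    Stage.PREPARATION: ("put knowledge into action", "offer 2-3 choices: app, security key, SMS"),
    Stage.ACTION: ("reinforce the act", "chatbot praise and tips; buddy system"),
    Stage.MAINTENANCE: ("solidify the change", "group recognition; keep the setting frictionless"),
    Stage.RELAPSE: ("re-engage without blame", "empathetic reminder that restarts contemplation"),
}

@dataclass(frozen=True)
class Event:
    day: int   # days since account creation (constructed timeline)
    kind: str  # prompt_shown | info_read | setup_started | tfa_enabled | tfa_disabled

def infer_stage(events, today, maintenance_days=90):
    """Map a 2FA event history to a stage; heuristics and 90-day window are assumptions."""
    last = {}
    for e in sorted(events, key=lambda e: e.day):
        last[e.kind] = e.day  # latest day on which each kind of event happened
    if "tfa_enabled" in last:
        if last.get("tfa_disabled", -1) > last["tfa_enabled"]:
            return Stage.RELAPSE  # adopted the behavior, then dropped it
        if today - last["tfa_enabled"] >= maintenance_days:
            return Stage.MAINTENANCE  # sustained long enough to solidify
        return Stage.ACTION
    if "setup_started" in last:
        return Stage.PREPARATION  # wants to change, has not completed it
    if "info_read" in last:
        return Stage.CONTEMPLATION  # weighing pros and cons
    return Stage.PRECONTEMPLATION  # no sign of awareness or interest yet
def recommend(events, today):  # -> (stage, goal, example intervention)
    stage = infer_stage(events, today)
    return (stage,) + PLAYBOOK[stage]
# Constructed sample histories, not real user data.
LAPSED = [Event(1, "prompt_shown"), Event(3, "info_read"), Event(5, "setup_started"), Event(6, "tfa_enabled"), Event(40, "tfa_disabled")]
STEADY = [Event(2, "tfa_enabled")]
```

Calling recommend(LAPSED, today=60) yields the Relapse playbook entry, while recommend(STEADY, today=120) yields the Maintenance entry; the same user at day 30 would still be in Action.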