Chapter

SeBeST: Security Behavior Stage Model and Its Application to OS Update


Abstract

To protect computers from various types of cyberattack, users are required to learn appropriate security behaviors. Different persuasion techniques to encourage users to take security behaviors are required according to user attitude toward security. In this paper, we first propose a Security Behavior Stage Model (SeBeST), which classifies users into five stages in terms of attitude toward security measurements: having security awareness and taking security behaviors. In addition, we focus on OS updating behaviors as an example of security behaviors and evaluate effective OS update messages for users in each stage. We create message dialogs which can promote user OS updating behaviors. We conduct two online surveys: we analyze the validity of SeBeST in Survey 1 and then evaluate effective messages for each stage in Survey 2. We find that SeBeST has high validity and that the appropriate messages for users in each stage differ from one another.


... In security and privacy, Sano et al. [49,50], Faklaris et al. [30], and Ting et al. [55] have explored applying the Stages of Change and Processes of Change to end user studies. These researchers identified a theoretical and/or empirical basis for classifying computer users by whether they are in either precontemplation (Stage 1), contemplation/preparation (Stages 2-3), or action/maintenance (Stages 4-5) of adopting practices such as updating their operating systems, checking for https in URLs, and using antivirus software. ...
... Sano et al. [49,50] tested messaging strategies by stage, for example, finding that a message emphasizing ease of the OS update was significantly associated with users in the preparation stage answering "I update OS now" to a survey item. ...
Preprint
Behavior change ideas from health psychology can also help boost end user compliance with security recommendations, such as adopting two-factor authentication (2FA). Our research adapts the Transtheoretical Model Stages of Change from health and wellness research to a cybersecurity context. We first create and validate an assessment to identify workers on Amazon Mechanical Turk who have not enabled 2FA for their accounts as being in Stage 1 (no intention to adopt 2FA) or Stages 2-3 (some intention to adopt 2FA). We randomly assigned participants to receive an informational intervention with varied content (highlighting process, norms, or both) or not. After three days, we again surveyed workers for Stage of Amazon 2FA adoption. We found that those in the intervention group showed more progress toward action/maintenance (Stages 4-5) than those in the control group, and those who received content highlighting the process of enabling 2FA were significantly more likely to progress toward 2FA adoption. Our work contributes support for applying a Stages of Change Model in usable security.
Conference Paper
To improve the rate of taking security action, it is important to promote personalized approaches for each user. Related works indicate phrases and UIs of dialog messages and incentives that influence a user’s action. In our previous work, we focused on smartphone users updating software, and proposed appropriate phrases of dialog messages according to the user’s understanding of the updating procedure, as well as the type of software. We also analyzed appropriate incentives. However, in terms of level of literacy, the effectiveness of the UI of dialog messages and the volume of incentives remain unclear. In this paper, we conducted a user survey to analyze appropriate UIs according to the user’s understanding of the updating procedure and the appropriate volume of incentives. As a result, we confirmed that different UIs are effective according to the user’s understanding of the updating procedure. In addition, we found an appropriate volume of points, mobile data, and coupons in order to promote the updating of software.
Chapter
Some users (“Help recipients”) delegate necessary security actions to their family, friends, or others close to them. It is important to be able to take appropriate defensive actions against security threats by themselves when help is not available from neighbors (“Helpers”). In this paper, we interviewed 9 users who used to be Help recipients, but who have now started to take security actions by themselves. We investigated the reason why Help recipients delegated their security actions to Helpers and the human factors that have an impact when one takes security actions by oneself. As a result, Help recipients take their own security actions when they try new hobbies or feel a sense of ownership. Based on these findings, we classify Help recipients into four groups and propose an optimized system that shows security action lists according to user situation. These findings are useful when providing appropriate intervention for Help recipients.
Chapter
It is important to provide personalized interventions that focus on the different security awareness of each user. We focus on updating the operating system (OS) and seven major types of applications (Communication, Finance, Lifestyle, Games, Utility, Health, Entertainment) for smartphone users and aim to provide approaches that lead to updating of the OS and the seven types of applications (hereinafter called “software”). We consider that user awareness of updating software may differ, and this relates to user understanding of the updating procedure. In this paper, we propose intervention methods according to users’ knowledge about update procedures. We conduct an online survey to evaluate effective approaches such as dialog messages and types of incentive that increase the intention of smartphone users to update. We found that effective phrases of dialog messages differ according to the users’ understanding of the update procedures and that reward points are the best incentive for many users.
Article
Presents an integrative theoretical framework to explain and to predict psychological changes achieved by different modes of treatment. This theory states that psychological procedures, whatever their form, alter the level and strength of self-efficacy. It is hypothesized that expectations of personal efficacy determine whether coping behavior will be initiated, how much effort will be expended, and how long it will be sustained in the face of obstacles and aversive experiences. Persistence in activities that are subjectively threatening but in fact relatively safe produces, through experiences of mastery, further enhancement of self-efficacy and corresponding reductions in defensive behavior. In the proposed model, expectations of personal efficacy are derived from 4 principal sources of information: performance accomplishments, vicarious experience, verbal persuasion, and physiological states. Factors influencing the cognitive processing of efficacy information arise from enactive, vicarious, exhortative, and emotive sources. The differential power of diverse therapeutic procedures is analyzed in terms of the postulated cognitive mechanism of operation. Findings are reported from microanalyses of enactive, vicarious, and emotive modes of treatment that support the hypothesized relationship between perceived self-efficacy and behavioral changes. (2½ p ref)
Article
Discusses the use of transtheoretical model for population-based approaches to health promotion and disease prevention. The author states that health behaviors (tobacco use, diet, physical inactivity, risky sexual practices, etc.) account for approximately 50% of all premature mortality. There is growing evidence that the behavioral determinants of disease can be successfully modified. The Transtheoretical Model has served as the conceptual basis for developing successful interventions. The central organizing construct of the model is the Stages of Change. The model also includes a series of independent variables, the Processes of Change, and a series of outcome measures including the Decisional Balance and the Temptation scales. Applications from smoking cessation illustrate how the model can be used to guide recruitment, intervention design, feedback, and outcome assessment. The author maintains that successful intervention must combine high recruitment rates with effective interventions in order to produce behavior change at the population level.
Article
The transtheoretical model posits that health behavior change involves progress through six stages of change: precontemplation, contemplation, preparation, action, maintenance, and termination. Ten processes of change have been identified for producing progress along with decisional balance, self-efficacy, and temptations. Basic research has generated a rule of thumb for at-risk populations: 40% in precontemplation, 40% in contemplation, and 20% in preparation. Across 12 health behaviors, consistent patterns have been found between the pros and cons of changing and the stages of change. Applied research has demonstrated dramatic improvements in recruitment, retention, and progress using stage-matched interventions and proactive recruitment procedures. The most promising outcomes to date have been found with computer-based individualized and interactive interventions. The most promising enhancement to the computer-based programs are personalized counselors. One of the most striking results to date for stage-matched programs is the similarity between participants reactively recruited who reached us for help and those proactively recruited who we reached out to help. If results with stage-matched interventions continue to be replicated, health promotion programs will be able to produce unprecedented impacts on entire at-risk populations.
Article
Billions of smartphones, globally, are running out-of-date Operating Systems (OS) which make them vulnerable to cyberattacks. Behaviours of users in updating their OS vary between different geographic locations considering various demographic factors. For instance, developing countries have a very different stance compared to developed ones on how their users perceive device updates. To assert our claim, we first investigated security behaviours among different demographics in Japan and Tanzania. The results indicate that demographic factors such as culture, income, and geographic location highly impact behaviours of participants on OS updating. However, education and awareness do not seem to have significant impact on security behaviours. Consequently, insecure behaviours were equally exhibited among most participants regardless of their education levels or awareness. We also found that most participants do not update their application software on their smartphones despite being aware. Moreover, in the developing country settings, most participants tend to avoid certain security advice because they necessitate incurring data charges that take up a high percentage of their incomes. Then, we surveyed and evaluated the participants' preferences for different redesigned security notifications for improving update compliance. Finally, we propose color-coded fear-appeal designs for persuading users into updating their devices' application software.
Article
Two experimental studies were conducted to examine the influence of elaboration on the framing of a medical decision. Subjects (N = 344) were undergraduate students randomly assigned to one cell of a 2 × 2 design (high- and low-elaboration conditions; positive and negative decision frame versions). In the low-elaboration condition, a framing effect (Tversky & Kahneman, 1981) was observed: Most of the subjects chose the riskless option when decision options were phrased positively in terms of gains, whereas most chose the risky option when options were phrased negatively in terms of losses. However, in the high-elaboration condition, the framing effect was not observed.
Article
We investigated how variations in the way information is presented to patients influence their choices between alternative therapies. Data were presented summarizing the results of surgery and radiation therapy for lung cancer to 238 ambulatory patients with different chronic medical conditions and to 491 graduate students and 424 physicians. We asked the subjects to imagine that they had lung cancer and to choose between the two therapies on the basis of both cumulative probabilities and life-expectancy data. Different groups of respondents received input data that differed only in whether or not the treatments were identified and whether the outcomes were framed in terms of the probability of living or the probability of dying. In all three populations, the attractiveness of surgery, relative to radiation therapy, was substantially greater when the treatments were identified rather than unidentified, when the information consisted of life expectancy rather than cumulative probability, and when the problem was framed in terms of the probability of living rather than in terms of the probability of dying. We suggest that an awareness of these effects among physicians and patients could help reduce bias and improve the quality of medical decision making.
Article
The psychological principles that govern the perception of decision problems and the evaluation of probabilities and outcomes produce predictable shifts of preference when the same problem is framed in different ways. Reversals of preference are demonstrated in choices regarding monetary outcomes, both hypothetical and real, and in questions pertaining to the loss of human lives. The effects of frames on preferences are compared to the effects of perspectives on perceptual appearance. The dependence of preferences on the formulation of decision problems is a significant concern for the theory of rational choice.
Article
Messages designed to motivate participation in physical activity usually emphasize the benefits of physical activity (gain-framed) as well as the costs of inactivity (loss-framed). The framing implications of prospect theory suggest that the effectiveness of these messages could be enhanced by providing gain-framed information only. We compared the effectiveness of gain-, loss-, and mixed-framed messages for promoting moderate to vigorous physical activity. Randomized trial. Sedentary, healthy callers to the US National Cancer Institute's Cancer Information Service (N=322) received gain-, loss-, or mixed-framed messages on three occasions (baseline, Week 1, and Week 5). Social cognitive variables and self-reported physical activity were assessed at baseline, Week 2, and Week 9. Separate regression analyses were conducted to examine message effects at each assessment point. At Week 2, gain- and mixed-framed messages resulted in stronger intentions and greater self-efficacy than loss-framed messages. At Week 9, gain-framed messages resulted in greater physical activity participation than loss- or mixed-framed messages. Social cognitive variables at Week 2 did not mediate the Week 9 framing effects on physical activity participation. Using gain-framed messages exclusively may be a means of increasing the efficacy of physical activity materials.