4 research outputs found

    Security Messages: Or, How I Learned to Stop Disregarding and Heed the Warning

    Attacks on information security continue to be reported in the media, and result in large losses for organizations. While some attacks are the result of sophisticated threats, others can be traced to failures by organizational insiders to observe basic security policies such as using caution when opening unsolicited email attachments. Faced with the challenges and time demands of everyday stressors, security policy compliance can be costly for individuals; security actions require time and distract attention from other primary tasks. This costliness can lead individuals to ignore prompts to perform security updates, scan their computers for threats, or reboot their computers to apply security updates. This dissertation contains three studies that address the following overarching research question: How can end-user adherence to security messages be better understood and improved, and how can theory inform security-message design? First, two complementary studies are presented that examine the integration of media naturalness theory into a security message context using field study and fMRI designs. Study 1, the field study, unobtrusively captures objective measures of attention from Amazon Mechanical Turk users (N=510) as they perform a between-subjects deception protocol. Study 2, the fMRI study, examines neural activations from a within-subjects participant design (N=23) in response to different security message designs with integrated emotive human facial expressions. Data from studies 1 and 2 show that warnings with integrated facial expressions of threat (fear, disgust) generally elicited greater adherence rates and higher evidence of cognition and elaboration than did warnings with integrated neutral facial expressions or than did warnings with no integrated facial expressions, supporting our hypotheses. Study 3 explores the pattern of risk taking and analysis that users engage in when interacting with interruptive security messages. 
The corroboration of multiple behavioral dependent variables suggests that users predominantly use a bimodal risk tradeoff paradigm when interacting with interruptive security messages. All three studies address the overarching research question of understanding and improving end-user adherence to security messages.

    Experimenting at scale with Google Chrome's SSL warning
