At this week’s linux.conf.au, Serena Chen talked about why everyday people and non-expert users don’t follow security advice, and how concepts from behavioural psychology, public health, and YouTube influencers can be of use to infosec professionals and anyone else wanting to communicate the importance of security.
Serena used her father as an example — “literally a rocket scientist”, who happens to also use Windows XP — saying, “We say to people like my dad, if you’re doing the wrong thing I can’t help you, sorry…but in saying so, we give up on the vast majority of people who use the Internet.”
She added that the problem of “security” is so large that security professionals tend to cut their losses and focus on more winnable targets, before reminding us that “everyone deserves security”, and that these non-expert users may be our parents, bosses, colleagues and friends.
Serena’s research used data gathered from user surveys with people who did not work in tech. Through the process, users started to fall into two groups – those who didn’t quite have the right idea about good security practices, and those who did but hadn’t implemented these practices.
Quotes from the participants like “I know I shouldn’t do this, but I cycle through two or three passwords for all of my accounts” and “I know about password managers, I just haven’t gotten around to it yet” surely rang familiar in the minds of many, raising the question of how to provide advice that will be acted upon.
Good security advice is incremental
One participant made the observation that good security was like exercise, in that building good security has to be incremental. Serena explained that “all skills in life are built upon progressively…if you don’t usually run, like me, it’s probably a bad idea to suggest that I go run a marathon tomorrow. Similarly, if you don’t usually think about security, telling someone to change all their passwords and get a password manager is probably not the best next step.”
The incremental approach, on the other hand, focuses on baby steps. “If they’ve got old software, just accept the next update. If they use the same password for everything, maybe just change your e-mail password, start with that, see how you go. The perfect is the enemy of the good,” she says.
With that in mind, Serena introduced three factors to consider when providing advice: technological capability, privacy needs and likely adversaries. Taking these considerations a step further, the Open Internet Tools Project’s Secure User Practices program has created personas for all kinds of people who may have specific security needs. As the previous examples of ‘baby steps’ demonstrate, the key message was to meet people where they are, with these considerations in mind.
Starting out with small achievable steps also creates the foundations for “a program of slow but steady improvement where each step is immediately accessible from the last.”
Now we know what advice to give, how do we deliver it?
Serena said, “tell, sell and shame doesn’t work. Which sounds fine, until you realise that this is literally all we do”, speaking to the culture of shaming in the security industry. “We laugh at people and belittle them for doing silly things at every opportunity…Windows XP isn’t just a problem, it’s a punchline”.
Shaming tends to make people scared to ask for advice, Serena explained, referring to a participant who admitted that in an attempt to obtain a copy of Adobe Reader, they downloaded several ‘cracks’ from the Internet and tried them all until one worked.
Show, don’t tell
Serena then introduced the idea from behavioural psychology called reactance theory, “the idea that when you directly instruct someone on what to do it harms their feeling of choice and free will, so they’ll either ignore your instructions or do the exact opposite to try and regain that feeling of control.” Instead, a more effective method is leading by example, for instance, saying “can I show you how I do it?” or by demonstrating a successful approach.
The idea of giving people successful examples to emulate was illustrated with an anti-smoking campaign, which used radio ads in the style of a soap opera to demonstrate ways of politely refusing when someone offers you a cigarette.
Serena closed by showing how many YouTubers are great at showing, not telling: providing scripts or examples, and even sharing their vulnerabilities and failures. Viewers have a choice whether or not to take their advice, but are never ‘told to’.
In order to put “show, don’t tell” into practice, Serena started her own YouTube channel. She admitted initially falling into the trap of “tell, sell and shame”, but learned along the way the value of being authentic and vulnerable, adding that the videos were a great conversation starter between her and her friends and colleagues. “Being authentic and vulnerable reaches people, it really does…you’ll be amazed at how far just being nice and helpful and open can get you”.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.