Stories as Informal Lessons About Security
by: Emilee Rader, Rick Wash and Brandon Brooks
Non-expert computer users regularly need to make security-relevant decisions; however, these decisions tend not to be particularly good or sophisticated. Nevertheless, their choices are not random. Where does the information come from that these non-experts use to base their decisions upon? We argue that much of this information comes from stories that they hear from other people. We conducted a survey to ask open- and closed- ended questions about security stories people hear from others. We found that most people have learned lessons from stories about security incidents informally from family and friends. These stories impact the way people think about security, and their subsequent behavior when making security-relevant decisions. In addition, many people retell these stories to others, indicating that a single story has the potential of influencing multiple people. Understanding how non-experts learn from stories, and what kinds of stories they learn from, can help us figure out new methods for helping these people make better security decisions.
Emilee Rader, Rick Wash and Brandon Brooks. “Stories as Informal Lessons About Security” Symposium on Usable Privacy and Security (SOUPS). Washington, DC. July 2012.