Presentation to the Three Rivers Information Security Symposium (TRISS 2018) on Oct. 19, 2018, in Monroeville, Pennsylvania. Based on ideas developed at Carnegie Mellon University.
Social Cybersecurity: Ideas for Nudging Secure Behaviors Through Social Influences
1. Social Cybersecurity: Ideas for Nudging Secure Behaviors Through Social Influences
Cori Faklaris | Oct. 19, 2018
Presentation to the 2018 Three Rivers Information Security Symposium (TRISS 2018), Monroeville, Pa., USA
@heycori
Human-Computer Interaction Institute
2. Cialdini’s ‘Weapons of Influence’
1. Reciprocation
2. Commitment and Consistency
3. Social Proof
4. Liking
5. Authority
6. Scarcity
Robert B. Cialdini. 2001 (4th ed.). Influence. A. Michel Port Harcourt.
Cori Faklaris - October 2018 - TRISS 2018 | Page2
3. Agenda
✖ About me
✖ About the Social Cybersecurity project
✖ Ideas to apply this work in your context
✖ Next steps for our research
Feel free to ask questions at any point.
4. About me
● PhD student researcher at Carnegie Mellon University
○ Social cybersecurity, Design of information systems, Emerging trends in social media and messaging apps
● M.S., Human-Computer Interaction
○ Indiana University School of Informatics and Computing
○ Thesis: The State of Digital ‘Fair Use’
● B.S., Journalism, News-Editorial sequence
○ University of Illinois at Urbana-Champaign College of Media
● Social Media Consultant and Editor/Writer
● Previous job titles in news media included:
○ Engagement Producer, Page Designer, Copy Editor, Correspondent, Columnist, Reporter ...
○ “Doer of Things No One Else Wants to Do” (IT, UX :-)
8. 1. Reciprocation
We desire to repay in kind what someone else does for us.
“I’ll scratch your back if you scratch mine.”
- English idiom, Latin: quid pro quo
9. Reciprocation & Cybersecurity …
1. Give a gift that obliges behaviors.
a. USB drive containing safe software & apps
b. ‘Thank you’ card
2. Frame requests as a “big ask,” followed by the real ask.
10. 2. Commitment and Consistency
Once we make a choice and take a stand, we feel pressure to live up to that commitment.
“How are you? Good, are you willing to donate ...”
- the ‘Foot-in-the-door’ sales technique
11. Commitment and Consistency & Cybersecurity …
1. Ask system users to “please watch out for” mistakes in security protocol.
2. Ask users to sign their names to a public promise to use security tools and practices.
12. 3. Social Proof
We view a behavior as correct in a given situation to the degree that we can observe others performing it.
“Fifty million Americans can’t be wrong ...”
- Type of phrase often used in advertising copy
13. Social Proof & Cybersecurity …
1. Display statistics or facts about security behaviors via a lock screen or new browser tab.
2. Crowdsource security tips, then publicize them to the work group.
FACT: Carnegie Mellon University has not suffered a breach of payroll systems since adopting 2FA.
14. 4. Liking
Our personal affinities are bound up in cooperation and compliance – and vice versa.
“Flattery will get you everywhere.”
- Mae West, 20th century movie actress
- See also “Good Cop, Bad Cop”
15. Liking & Cybersecurity …
1. Recruit a popular member of a workgroup as a helper and ally for InfoSec initiatives.
2. Set a group goal for security behaviors, with rewards for improvements.
16. 5. Authority
We have an instinct to obey people who are presented to us as authority figures and/or experts.
“The apparel oft proclaims the man.”
- Polonius in Hamlet, William Shakespeare
17. Authority & Cybersecurity …
1. Cite security experts or research to back up why you require a security tool or practice.
2. Train end users to avoid being tricked by fake authorities.
You should be thinking right now: Is this a legitimate business card???
19. 6. Scarcity
Limiting access to a resource (or seeming to) makes it more desirable.
“Don’t wait! Last chance before they’re gone!”
- Type of phrase often used in advertising copy
20. Scarcity & Cybersecurity …
1. Frame the use of security tools or practices in terms of losses rather than benefits.
2. Avoid erratic enforcement that leads to revoking privileges from end users.
1 in 5 breaches can’t be prevented by implementing 2FA - I need to stay vigilant for hackers!
22. Works in Progress
✖ Psychometric scale to help target end-user interventions by security sensitivity.
✖ “Security score” for end users.
✖ Game apps to simulate social actions and competition around security practices.
✖ Interviews with IT professionals about challenges for workgroups who share accounts and devices.
✖ Browser plugin to make crowd opinions about privacy & security settings observable.
23. Das, Sauvik, "Social Cybersecurity: Reshaping Security Through An Empirical Understanding of Human Social Behavior" (2017). Dissertations. 982. http://repository.cmu.edu/dissertations/982
“Security Sensitivity” indicates an end user’s degree of receptiveness to advice and to using security tools and best practices in everyday life.
24. Works in Progress
✖ Psychometric scale to help target security interventions by readiness to change.
✖ “Security score” for end users.
✖ Game apps to simulate social actions and competition around security practices.
✖ Interviews with IT professionals about challenges for workgroups who share accounts and devices.
✖ Browser plugin to make crowd opinions about privacy & security settings observable.
27. Try it at https://tinyurl.com/CrowdFBTool
28. Cialdini’s ‘Weapons of Influence’
1. Reciprocation
2. Commitment and Consistency
3. Social Proof
4. Liking
5. Authority
6. Scarcity
Any Questions? Partnership Ideas?
You can find me at
● Email: heycori @cmu.edu
● Website: http://corifaklaris.com
Editor's notes
We are looking at how to apply Cialdini et al.’s social influence theory to problems in end-user cybersecurity, such as how your close friends influence your actions, or how your larger community or social network influences you.
An example of Cialdini’s “social proof” concept in action is Facebook’s visual cues to which of your “friends” have engaged with a recent post. These social cues nudge user behaviors such as posting more often to get the reward of social approval (and, maybe, nudge offline behaviors as well).