Presentation to the Three Rivers Information Security Symposium (TRISS 2018) on Oct. 19, 2018, in Monroeville, Pennsylvania. Based on ideas developed at Carnegie Mellon University.

1. Social Cybersecurity:
Ideas for Nudging Secure Behaviors
Through Social Influences
Cori Faklaris | Oct. 19, 2018
Presentation to the
2018 Three Rivers Information Security Symposium
(TRISS 2018),
Monroeville, Pa., USA
@heycori
Human-Computer Interaction Institute

2. 2
Cialdini’s ‘Weapons of Influence’
1. Reciprocation
2. Commitment and
Consistency
3. Social Proof
4. Liking
5. Authority
6. Scarcity
Robert B. Cialdini. 2001 (4th ed.). Influence.
A. Michel Port Harcourt.
Cori Faklaris - October 2018 - TRISS 2018 | Page2
@heycori

3. Agenda
✖ About me
✖ About the Social Cybersecurity project
✖ Ideas to apply this work in your context
✖ Next steps for our research
Feel free to ask questions at any point.
Cori Faklaris - October 2018 - TRISS 2018 | Page3
@heycori

4. Cori Faklaris - October 2018 - TRISS 2018 | Page4
● PhD student researcher at Carnegie Mellon University
○ Social cybersecurity, Design of information systems, Emerging
trends in social media and messaging apps
● M.S., Human-Computer Interaction
○ Indiana University School of Informatics and Computing
○ Thesis: The State of Digital ‘Fair Use’
● B.S., Journalism, News-Editorial sequence
○ University of Illinois at Urbana-Champaign College of Media
● Social Media Consultant and Editor/Writer
● Previous job titles in news media included:
○ Engagement Producer, Page Designer, Copy Editor, Correspondent,
Columnist, Reporter ...
○ “Doer of Things No One Else Wants to Do” (IT, UX :-)
About me
@heycori

5. 5Cori Faklaris - October 2018 - TRISS 2018 | Page5
@heycori

6. 6Cori Faklaris - October 2018 - TRISS 2018 | Page6
Friend 1, Friend 2, Friends 3 & 4,
6
@heycori

7. 7
Cialdini’s ‘Weapons of Influence’
1. Reciprocation
2. Commitment and
Consistency
3. Social Proof
4. Liking
5. Authority
6. Scarcity
Robert B. Cialdini. 2001 (4th ed.). Influence.
A. Michel Port Harcourt.
Cori Faklaris - October 2018 - TRISS 2018 | Page7
@heycori

8. 1.
Reciprocation
We desire to repay in kind
what someone else does for us.
“I’ll scratch your back if you scratch mine.”
- English idiom, Latin: quid pro quo
8Cori Faklaris - October 2018 - TRISS 2018 | Page 2
@heycori

9. 9
Reciprocation & Cybersecurity …
1. Give a gift that
obliges behaviors.
a. USB drive
containing safe
software & apps
b. ‘Thank you’ card
2. Frame requests as
a “big ask,”
followed by the
real ask.
Cori Faklaris - October 2018 - TRISS 2018 | Page9
@heycori

10. 2.
Commitment
and Consistency
Once we make a choice and take a stand,
we feel pressure to live up to that commitment.
“How are you? Good, are you willing to donate ...”
- the ‘Foot-in-the-door’ sales technique
10Cori Faklaris - October 2018 - TRISS 2018 | Page 2
@heycori

11. 11
Commitment and Consistency
& Cybersecurity …
1. Ask system users
to “please watch
out for” mistakes
in security
protocol.
2. Ask users to sign
their names to a
public promise to
use security tools
and practices.
Cori Faklaris - October 2018 - TRISS 2018 | Page11
@heycori

12. 3.
Social Proof
We view a behavior as correct in a given situation
to the degree that we can observe others
performing it.
“Fifty million Americans can’t be wrong ...”
- Type of phrase often used in advertising copy
12Cori Faklaris - October 2018 - TRISS 2018 | Page 2
@heycori

13. 13
Social Proof & Cybersecurity …
1. Display statistics
or facts about
security behaviors
via a lock screen or
new browser tab.
2. Crowdsource
security tips, then
publicize them to
the work group.
Cori Faklaris - October 2018 - TRISS 2018 | Page13
@heycori
FACT: Carnegie
Mellon University
has not suffered a
breach of payroll
systems since
adopting 2FA.

14. 4.
Liking
Our personal affinities are bound up in cooperation
and compliance – and vice versa.
“Flattery will get you everywhere.”
- Mae West, 20th century movie actress
- See also “Good Cop, Bad Cop”
14Cori Faklaris - October 2018 - TRISS 2018 | Page 2
@heycori

15. 15
Liking & Cybersecurity …
1. Recruit a popular
member of a
workgroup as a
helper and ally for
InfoSec initiatives.
2. Set a group goal
for security
behaviors, with
rewards for
improvements.
Cori Faklaris - October 2018 - TRISS 2018 | Page15
@heycori

16. 5.
Authority
We have an instinct to obey people who are
presented to us as authority figures and/or experts.
“The apparel oft proclaims the man.”
- Polonius in Hamlet, William Shakespeare
16Cori Faklaris - October 2018 - TRISS 2018 | Page 2
@heycori

17. 17
Authority & Cybersecurity …
1. Cite security
experts or
research to back
up why you
require a security
tool or practice.
2. Train end users to
avoid being
tricked by fake
authorities.
Cori Faklaris - October 2018 - TRISS 2018 | Page17
You should be
thinking right now:
Is this a legitimate
business card???
@heycori

18. http://www.shsu.edu/dept/it@sam/tech
nology-tutorials/duo/
18

19. 6.
Scarcity
Limiting access to a resource (or seeming to)
makes it more desirable.
“Don’t wait! Last chance before they’re gone!”
- Type of phrase often used in advertising copy
19Cori Faklaris - October 2018 - TRISS 2018 | Page 2
@heycori

20. 20
Scarcity & Cybersecurity …
1. Frame the use of
security tools or
practices in terms
of losses rather
than benefits.
2. Avoid erratic
enforcement that
leads to revoking
privileges from
end users.
Cori Faklaris - October 2018 - TRISS 2018 | Page20
1 in 5 breaches can’t be prevented
by implementing 2FA - I need to
stay vigilant for hackers!
@heycori

21. 21
Cialdini’s ‘Weapons of Influence’
1. Reciprocation
2. Commitment and
Consistency
3. Social Proof
4. Liking
5. Authority
6. Scarcity
Robert B. Cialdini. 2001 (4th ed.). Influence.
A. Michel Port Harcourt.
Cori Faklaris - October 2018 - TRISS 2018 | Page21
@heycori

22. Works in Progress
✖ Psychometric scale to help target end-user
interventions by security sensitivity.
✖ “Security score” for end users.
✖ Game apps to simulate social actions and
competition around security practices.
✖ Interviews with IT professionals about
challenges for workgroups who share
accounts and devices.
✖ Browser plugin to make crowd opinions
about privacy & security settings observable.
Cori Faklaris - October 2018 - TRISS 2018 | Page22
@heycori

23. 23Cori Faklaris - October 2018 - TRISS 2018 | Page23
@heycori
Das, Sauvik, "Social
Cybersecurity:
Reshaping Security
Through An Empirical
Understanding of
Human Social
Behavior" (2017).
Dissertations. 982.
http://repository.cmu.e
du/dissertations/982
“Security Sensitivity” indicates an end user’s
degree of receptiveness to advice and to using
security tools and best practices in everyday life.

24. Works in Progress
✖ Psychometric scale to help target security
interventions by readiness to change.
✖ “Security score” for end users.
✖ Game apps to simulate social actions and
competition around security practices.
✖ Interviews with IT professionals about
challenges for workgroups who share
accounts and devices.
✖ Browser plugin to make crowd opinions
about privacy & security settings observable.
Cori Faklaris - October 2018 - TRISS 2018 | Page24
@heycori

25. https://sijier.000webhostapp.com/
25Cori Faklaris - October 2018 - TRISS 2018 | Page25
@heycori

26. Works in Progress
✖ Psychometric scale to help target security
interventions by readiness to change.
✖ “Security score” for end users.
✖ Game apps to simulate social actions and
competition around security practices.
✖ Interviews with IT professionals about
challenges for workgroups who share
accounts and devices.
✖ Browser plugin to make crowd opinions
about privacy & security settings observable.
Cori Faklaris - October 2018 - TRISS 2018 | Page26
@heycori

27. 27Cori Faklaris - October 2018 - TRISS 2018 | Page27
@heycori
Try it at https://tinyurl.com/CrowdFBTool

28. Cialdini’s ‘Weapons of Influence’
1. Reciprocation
2. Commitment and Consistency
3. Social Proof
4. Liking
5. Authority
6. Scarcity
Any Questions? Partnership Ideas?
You can find me at
● Email: heycori @cmu.edu
● Website: http://corifaklaris.com
@heycori