Behavioral Security Projects
The New Security Calculus: Incentivizing Good User Security Behavior
This is a multi-study project. The first study was a lab experimental study that explores the effect of financial incentives on people’s compliance with security policies in a student sample, with handling phishing emails as a specific target. The study found that incentives had an effect on participants information security behavior which varied across the framing (gain vs. loss) of incentives and by different types of emails, and that under different framing conditions, the screening and decision-making processes might be different when people handle phishing emails.
The second study was a longitudinal field study with a local company to test how the effect of financial incentives unfold and sustain. We started with interviews with employees to learn about the organization’s information security climate, needs of training and intervention and people’s psychological expectation about rewards attached to information security performance. Based on the information collected from the interviews, employees were asked to voluntarily participate in the six month study during in which their information-security-related behaviors were monitored and rewarded. The results indicated a clear drop-down in the number of people who violated the policies after the training session was provided and the number remained low. In addition, rewards exerted a delayed effect on reducing the number of employees using non-work emails.
The third study was a longitudinal online experimental study the purpose of which is to replicate the effect of financial incentives on compliance with information security behaviors. The study currently at the data collection stage.
Researchers
Faculty: Sanjay Goel, Kevin Williams
Students: Jingyi Huang
Is Privacy Really a Paradox? Laying the Groundwork to Study the Gap between Privacy Valuation and Behavior
This is an ongoing multiple study project which aims to examine the cause of privacy paradox and to find ways to help people avoid such dissonance. The study has conducted one qualitative study and one quantitative study exploring how people understand privacy. In the qualitative study, we asked people to give definitions to privacy in different domains and to privacy in general. Based on people’s answers, we generated 14 privacy domains and corresponding definitions which were used in the quantitative study in which people were asked to assign an importance rating to privacy in each of the 14 domains and privacy in general.
The study found people regard different domains with different levels of importance and that the ratings people give to individual domain does not correspond to the rating they give to privacy in general, indicating that they construe the concept of privacy differently at a general and broad level, than at a specific and narrow level. Our next step is to design a scenario study which looks into personal and situational factors that may influence the occurrence of privacy paradox.
Researchers
Faculty: Sanjay Goel, Kevin Williams
Students: Jingyi Huang
Personality and Security Decisions under Competing Priorities
This study explores personality traits as predictors of people’s information security decisions using scenarios. The study also brings in some less studied concepts such as competing priorities and apathy. Apathy is a general lack of interest towards the specific behavior, whereas competing priorities intends to look at how the many demands at work also contribute to security decisions.
Researchers
Faculty: Sanjay Goel, Kevin Williams
Students: Jingyi Huang
Short-Term and Long-Term Attitude Change of American Public with the use of E-Health Technique under Coronavirus Pandemic
This is a longitudinal study that examines changes in Americans’ attitude toward and use of e-health technique under the frame of Theory of Planned Behavior. The participants’ understanding and beliefs about e-health technique and their actual use of it have been traced and measured four times, once each month, starting from the outburst of the pandemic.
Researchers
Faculty: Sanjay Goel, Victoria Kisekka
Students: Jingyi Huang
Theory of Strained Betrayal and Malicious Intent
The Theory of Strained Betrayal formalizes a model of the process of a loyal employee transforming into a malicious one that captures the dynamics of job strain manifestation and its culmination in malicious insider activity. A series of studies was designed to test the evolution model of insider threat and develop emotion-focused and problem-focused interventions aimed at disrupting the manifestation of malicious behavior originating from strain in four stages.
The first stage using interview to understand employees’ emotional and behavioral reactions when facing a hypothetical scenario to form the initial theoretical model. The second stage study using online survey that ensure massive data collection to test and refine the model. The third stage will use experiment design to replicate the findings from stage one and two in lab setting and last stage of study will develop interventions to interrupt the evolution process of malicious insiders and test the effectiveness of interventions.
This research help clarify the evolution of the malicious insider, and how situational and dispositional factors associated with employees and their workplace contribute to this evolution. This work can assist in reducing strain on employees in organization and improving quality of work. The outcomes of this work can help protect organizational intellectual property and national secrets.
Researchers
Faculty: Sanjay Goel, Kevin Williams
Students: Wei Zhuang
The Threat of Misinformation and Disinformation: The Impact of Personal Biases on News Dissemination
The power of disseminating information through digital means such as social media, crowdsourced news sites, and online forums has had a significant effect on all aspects of our society, from politics to humanities response to a pandemic. However, with many individuals utilizing information received online to make significant decisions, such as who to vote for, which stocks to invest in, or how to stay healthy, it is important that we understand the nature and validity of this information and how it affects decision-making mechanisms.
Research has been conducted on several fronts, including analyzing the effects of both misinformation and disinformation on the financial market, which offers a quantitative response to the spread of false information. Intraday volatility of a stock’s price will be compared the 5-month historical volatility to see exactly how a confirmed misinformation and disinformation event can affect a particular stocks price. Not only is it important to understand the effects of misinformation and disinformation on critical systems such as the financial market, but it is also important to understand how individuals’ decision-making processes can be affected.
All individuals have biases, and disinformation is often crafted in a way to play into these biases. Some of the biases include confirmation and availability biases driven by political beliefs, tendencies to use analytical or intuitive thinking, and anxiety biases. A study will be conducted to identify individuals’ biases and relate them to how they respond to instances of both decision-based healthcare and financial news. Both new categories will present individuals with left leaning, centered, and right leaning articles that are either legitimate or false. Based on an individuals’ reactions to these articles combined with their pre-existing biases, we can understand how biases affect decision-making when ingesting information.
Researchers
Faculty: Devipsita Bhattacharya, Sanjay Goel
Students: Dominick Foti, Gage Matyasovszky