The Role of Social Influence In Security Feature Adoption

Sauvik Das

Carnegie Mellon University

Adam Kramer

Facebook, Inc.

Laura Dabbish

Carnegie Mellon University

Jason Hong

Carnegie Mellon University

1

Security Tools Needed

2Background

Today's user-facing security technology can prevent many of the security breaches average people experience.

With more and more of our lives being digitized and widely available online, the widespread awareness and use of security tools is becoming increasingly important.

Yet, many people are not aware of, do not have the motivation to use, or do not know how to use security tools.

What explains low security awareness and adoption?

3Background

Usability for the individual?

4Background

Our focus on usability has gotten us far. But security feature adoption remains lower than it could be.

What’s missing?

Usability beyond the individualHuman beings are social creatures, and the decisions we make about security and privacy should be viewed within the context of a social system.

5

Social Proof

6

We look to others for cues on how to act when we are uncertain.

7Background

Social proof can be used to increase security announcement click-throughs and security feature adoptions on Facebook (CCS 2014).

Social proof is a key catalyst for security related behavior change (SOUPS 2014).

Social proof against security

8Background

Prior work presents social proof at its best: when a behavior change was actually made made or when proof of widespread adoption was made explicit. What about at its worst?

But if social proof is so great, why does security feature awareness and adoption remain low?

Social proof against security

9Background

Security features are preventative and intrusive.

Thus, early adopters tend to be either security experts, people with a clear reason (e.g., it’s their job), or people who others perceive as “nutty” (Das et al., ’14) or paranoid (Gaw et al. ’06).

Early adopters could create some level of “brand disenfranchisement” on security tools—i.e., lay people could develop an illusory correlation between use of a security tool and the “attributes” of its early adopters.

Social influence could have either a positive or a negative effect on security feature adoption.

10Background

Research Questions

11

What affects the directionality and magnitude of the effect of social influence on security feature adoption?

Operationalized Parameter Space

12Research Questions

P1. The current rate of feature adoption among one’s friends.

P2. The number of distinct social circles those friends come from.

P3. The design attributes of a security tool it self.

Social Proof Parameter Space

13Research Question

The more existing adopters an observer can see, the stronger the effect. But, negative effect at low levels of adoption & positive effect at high levels of adoption.

The more social circles an observer believes existing adopters come from, the stronger the effect (e.g., a friend and a co-worker should have a stronger effect than two co-workers).

The more observable and socially inclusive a security feature, the stronger the effect.

Social Proof Parameter Space

14Research Question

The more existing adopters an observer can see, the stronger the effect. But, negative effect at low levels of adoption & positive effect at high levels of adoption.

The more social circles an observer believes existing adopters come from, the stronger the effect (e.g., a friend and a co-worker should have a stronger effect than two co-workers).

The more observable and socially inclusive a security feature, the stronger the effect.

Methodology

15

16Summary

We analyzed whether and how the adoption of three Facebook security features propagated through people’s social networks.

Login Notifications Login Approvals Trusted Contacts

Data Collection - Sample

17Background

For 12 days in late 2013, we selected a random subset of 250,000 people who newly adopted one of the aforementioned features.

For each day and feature, we also selected a random subset of 250,000 people who never adopted one of the aforementioned features.

In total, we had 250,000 people x 3 features x 2 usage states (uses / not uses) = 1,500,000 people.

Analysis Method

18Background

Can’t just stick in a logistic regression: - will not measure non-linearities in relationship between

collected variables and likelihood to adopt a feature. - correlational; confounds homophily with social

influence.

With observational data, how can we distinguish homophily from social influence?

Matched Propensity Sampling

19Background

Analytic technique developed by Aral et al. (2012).

Matched Propensity Sampling

20Background

Analytic technique developed by Aral et al. (2012).

1. Specify exposure levels along independent variable we believe is a proxy for the effect of “social influence” (i.e., percent of friends who have adopted a feature). Make exposure at different levels a binary variable (exposed or not).

% friends who use Login Notifications

E1 E2 E3 E4 E5

2.0 7.3 10.0 12.3 15.1

Matched Propensity Sampling

21Background

2. For each exposure level, calculate “propensity” that each user is exposed at that level, conditioned on a set of covariates thought to account for homophily.

DV: Exposed or not IV: Age, gender, etc.

Logistic Regression

Exposure Propensity Score

Data Collection - Covariates

22Background

Demographics Behavioral Friend Composition

Age Posts created & deleted Friend count

Gender Comments created & deleted Friend age mean

Account age Likes Friend age variance

Days active in last 30 Friends added & removed Percent male friends

Photos added Mean friends’ account age

Videos addedMean friends of friends count

Matched Propensity Sampling

23Background

3. For each exposure level, pair people with similar propensity scores. One should be exposed, the other should not be exposed. Compare the adoption rate between the exposed and unexposed.

Exposed Unexposed

Results

24

Expectations

25Research Questions

The more existing adopters an observer can see, the stronger the effect. But, negative effect at low levels of adoption & positive effect at high levels of adoption.

Perc

ent A

dopt

ed F

eatu

re

Exposure to feature adopting friendsE1 E2 E3 E4 E5

Unexposed Exposed

26Results

Login NotificationsPe

rcen

t Ado

pted

Fea

ture

0

22.5

45

67.5

90

Exposure to feature adopting friendsE1 (>2.0%) E2 (>7.3%) E3 (>10.0%) E4 (>12.3%) E5 (>15.1%)

Unexposed Exposed

All differences significant at p = 2e-16

27Results

Login NotificationsPe

rcen

t Ado

pted

Fea

ture

0

25

50

75

100

Exposure to feature adopting friendsE1 (>2.0%) E2 (>7.3%) E3 (>10.0%) E4 (>12.3%) E5 (>15.1%)

Unexposed Exposed

Critical Threshold

28Results

Login ApprovalsPe

rcen

t Ado

pted

Fea

ture

0

22.5

45

67.5

90

Exposure to feature adopting friendsE1 (>0.2%) E2 (>0.8%) E3 (>1.3%) E4 (>1.8%) E5 (>2.7%)

Unexposed Exposed

Critical Threshold

All differences significant at p = 2e-16

29Results

Trusted ContactsPe

rcen

t Ado

pted

Fea

ture

0

22.5

45

67.5

90

Exposure to feature adopting friendsE1 (>0.1%) E2 (>0.4%) E3 (>0.7%) E4 (>1.1%) E5 (>2.0%)

Unexposed Exposed

All differences significant at p = 2e-16

Differences across features

30Summary

The design of a security tool affects how amenable it is to social spread.

Security tools that are more observable and socially inclusive are more likely to be positively affected by social.

31Results

Similarities across featuresEx

pose

d -

Unex

pose

d Ad

optio

n Ra

te

-50

-37.5

-25

-12.5

0

12.5

25

37.5

50

Exposure to feature adopting friendsE1 E2 E3 E4 E5

Login Approvals Login Notifications Trusted Contacts

Critical Threshold

Summary & Conclusion

32

33Summary

We analyzed whether and how the adoption of three Facebook security features propagated through people’s social networks.

Login Notifications Login Approvals Trusted Contacts

34Summary

Key finding Social influence does appear to affect security feature adoption. But, the magnitude and directionality of its effect depend on:

Current level of adoption among one’s friends.

The attributes of the security tool, itself.

Implications

35Summary

Our work offers a social lens that helps explain why and how many security features live in obscurity despite providing an important service.

Social influence plays a significant role in both driving and inhibiting the adoption of security features, and the design of a security feature affects its social spread.

Security features should be designed to be more observable and socially inclusive to maximize social spread.

Take-aways

36

The Role of Social Influence In Security Feature Adoption

Sauvik Das [sauvik@cmu.edu]

Carnegie Mellon University

1. Social influence plays a significant role in driving or inhibiting security feature adoptions.

2. More feature-adopting friends predicts for lower likelihood of feature adoption below a critical threshold; higher above.

3. Security features that are more observable and socially inclusive are more amenable to social spread.