The Challenges of Understanding Users’ Security-related Knowledge, Behaviour, and Motivations

Sara Motiee ; Kirstie Hawkey ; Konstantin Beznosov

08 July 2010

Abstract: In order to improve current security solutions or devise novel ones, it is important to understand users' knowledge, behaviour, motivations and challenges in using a security solution. However, achieving this understanding is challenging because of the limitations of current research methodologies. We have been investigating the experiences of users with two practical implementations of the principle of least privilege (PLP) in Windows Vista and Windows 7. PLP requires that users be granted the most restrictive set of privileges possible for performing the task at hand; in other words, they should not use accounts with administrator privileges. By following this principle, users will be better protected from malware, security attacks, accidental or intentional modifications to system configurations, and accidental or intentional unauthorized access to confidential data. To obtain an understanding of their knowledge, behaviour, motivations and challenges in following PLP, we had participants complete realistic tasks during a lab study that would raise user account control prompts and then performed a contextual interview to probe their behaviours. We faced numerous challenges during our study, including reflecting the realistic behaviour of participants, understanding their knowledge and challenges managing their user accounts and dealing with security warnings, and generalizing our results to a wider community. We discuss how we addressed these challenges, how well our methodological design decisions worked, and the ongoing challenges.

Keyword(s): Usable security ; User Study ; Methodology ; Contextual Interview ; Ecological Validity ; UACP

Published in: S. Motiee, K. Hawkey, and K. Beznosov. The Challenges of Understanding Users’ Security-related Knowledge, Behaviour, and Motivations. In SOUPS Usable Security Experiment Reports (USER) Workshop, 2010.

The record appears in these collections:
Refereed Conference Papers
Usable Security

Record created 2010-07-08, last modified 2013-05-22
