Towards targeted security awareness raising
Security Research Institute
Users are frequently cited as being the weakest link in the information security chain. However, in many cases they are ill-positioned to follow good practice and make the necessary decisions. Part of the reason is that, even if security awareness, training and/or education have been provided, some of the key points may have been forgotten by the time that users find themselves facing security-related decisions. A potential solution in this context is to ensure that security guidance and feedback are available at the point of need, providing effective information to help users to make the right decision at the right time to avoid security risks. This paper examines the issue of targeted security awareness raising, and presents the results of an experimental study conducted to test the effectiveness of the approach. This experiment was based around the scenario of connecting to Wi-Fi networks, and determining whether participants could make informed and correct decisions about which networks were safe to connect to. Four alternative interfaces were tested (ranging from a version that mimicked the standard Windows Wi-Fi network selection interface, through to versions with security ratings and additional guidance). The aim of the experiment was to determine the extent to which providing such information could affect user decisions when presented with a range of networks to connect to, and help to move them more effectively in the direction of security. The findings revealed that, while participants still exhibited far from perfect behaviour in terms of selecting more secure networks in preference to less protected ones, there was a tangible improvement amongst the users that had been exposed to the selection interfaces offering and promoting more security-related information.
In common with findings from other security contexts, these results suggest that users’ security behaviours can be positively influenced purely through the provision of additional information, enabling them to make better choices even if the system does not provide any further means of enforcement.