A Self-Report Measure of End-User Security Attitudes (SA-6)
Cori Faklaris, Laura Dabbish and Jason I. Hong
Human-Computer Interaction Institute
Usenix Symposium on Usable Privacy and Security (SOUPS 2019), Aug. 12, 2019, Santa Clara, CA, USA

Key takeaways
1. SA-6 is a lightweight tool to quantify and compare people’s attitudes toward using recommended security tools and practices.
2. SA-6 may help to improve predictive modeling of who will adopt such behaviors.
Introduction | Study Motivation | Scale Development | Scale Validation | Conclusion

SA-6 is a lightweight tool to quantify and compare security attitudes
On a scale of 1=Strongly Disagree to 5=Strongly Agree, rate your level of agreement with the following:
▪ Generally, I diligently follow a routine about security practices.
▪ I always pay attention to experts’ advice about the steps I need to take to keep my online data and accounts safe.
▪ I am extremely knowledgeable about all the steps needed to keep my online data and accounts safe.
▪ I am extremely motivated to take all the steps needed to keep my online data and accounts safe.
▪ I often am interested in articles about security threats.
▪ I seek out opportunities to learn about security measures that are relevant to me.

SA-6 may help to improve predictive modeling of security adoption
[Diagram: Attitude toward security behavior (SA-6) → Security behavior intention (SeBIS) → Security behavior (Recalled actions)]
Better predictive modeling = better targeting of interventions

Our field needs reliable and validated psychometric scales
▪ Much usability research employs in-depth interviews and observations.
▪ But this is not always feasible or desirable.
https://giphy.com/gifs/heyarnold-hey-arnold-nicksplat-xT1R9EbolF7trQnIyI

Our field needs reliable and validated psychometric scales
▪ For large-scale, longitudinal or time-sensitive research, we need an online survey form that can be given with other scales or questionnaires.

Our field needs reliable and validated psychometric scales
▪ Knowing users’ attitudes, intentions and behaviors helps us craft security tools that are:
▫ Useful
▫ Easy to use
▫ Satisfying to users
https://www.interaction-design.org/literature/topics/usability

Our field needs reliable and validated psychometric scales
▪ An attitude scale helps answer research questions such as:
▫ How attentive to security advice is a certain user group likely to be?
▫ Does a new tool help or hurt a user’s attitude toward security compliance?

The Security Behavior Intentions Scale (SeBIS) isn’t enough
Current state of the art is SeBIS (Egelman & Peer 2015)
▪ 16-item self-report inventory in four areas:
▫ Password generation
▫ Proactive awareness
▫ Software updates
▫ Device securement
But it has limitations:
▪ Specific to behavior intentions, not to attitudes.
▪ Tech-specific wording may become outdated.

An additional scale is needed to conduct theory-motivated research
▪ Theory of Reasoned Action
▫ Technology Acceptance Model
▫ Diffusion of Innovation Theory
▪ Elaboration Likelihood Model
▪ Self-Determination Theory
▪ Protection Motivation Theory
[Diagram labels: Behavior, Intention, Attitude]
Fishbein & Ajzen 1967, 2010; Davis et al. 1989; Rogers 2010; Petty & Cacioppo 1980; Ryan & Deci 2000; Rogers 1975

Best practice: Generate candidate items from prior work (Das et al. 2017)
[Diagram labels: Awareness, Motivation, Knowledge; Security Sensitivity; Attitude; to engage in expert-recommended security practices]

Best practice: Test many different item variations for SA-6 (60+ to start)
▪ A security breach, if one occurs, is not likely to cause significant harm to my online identity or accounts.
▪ Generally, I am aware of existing security threats.
▪ Generally, I am willing to spend money to use security measures that counteract the threats that are relevant to me.
▪ Generally, I care about security and privacy threats.
▪ Generally, I diligently follow a routine about security practices.
▪ Generally, I know how to figure out if an email was sent by a scam artist.
▪ Generally, I know how to use security measures to counteract the threats that are relevant to me.
▪ Generally, I know which security threats are relevant to me.

Best practice: Collect measures theorized to relate with SA-6
▪ SeBIS scale, 16 items
▪ Internet Know-How, 9 items
▪ Technical Know-How, 9 items
▪ Internet Users Information Privacy Concerns scale, 10 items
▪ Frequency of falling victim to a security breach, 2 items
▪ Amount heard or seen about security breaches, 1 item
▪ Barratt Impulsiveness Scale, 30 items
▪ Privacy Concerns Scale, 16 items
▪ Ten-Item Personality Inventory, 10 items
▪ General Self-Efficacy scale, 11 items
▪ Social Self-Efficacy scale, 5 items
▪ Confidence in Using Computers, 12 items

Best practice: Collect measures theorized to relate with SA-6
Test convergent validity
▪ RQ1a: Is SA-6 positively correlated with SeBIS?
▪ RQ1b: Do other measures thought to relate with security attitude correlate with SA-6?
Test discriminant validity
▪ RQ2a: Does SA-6 vary with respect to background social factors (e.g. age, gender)?
▪ RQ2b: Does SA-6 vary with past experiences of security breaches?

Best practice: Use a large, diverse sample for finalizing scale items
Meets recommended ratio (5:1 to 10:1) of responses to scale items
N = 475
▪ Amazon Mechanical Turk sample
▪ University-run study pool sample
Samples not significantly different by age [overall χ²(4, N = 475) = 11.42, p = n.s.] or gender [χ²(1, N = 475) = 2.95, p = n.s.]

Best practice: Repeat study in a representative sample to validate scale
N = 209
Qualtrics-filled panel with age, gender & income tailored to U.S. population

Best practice: Iterative analyses to zero in on the items for the scale
Factor tests
▪ Exploratory Factor Analysis to check item correlations (SPSS)
▪ Reliability Analysis (alpha) to confirm internal consistency
Model tests
▪ Confirmatory Factor Analysis to check goodness of fit (MPlus)
▪ Run several CFA models to make sure we specified the best model

SA-6 demonstrates desired consistency + fit for a psychometric scale
SA-6 scale items (SPSS Principal Components Analysis), each followed by its factor loading:
▪ I seek out opportunities to learn about security measures that are relevant to me. 0.81
▪ I am extremely motivated to take all the steps needed to keep my online data and accounts safe. 0.78
▪ Generally, I diligently follow a routine about security practices. 0.77
▪ I often am interested in articles about security threats. 0.72
▪ I always pay attention to experts' advice about the steps I need to take to keep my online data and accounts safe. 0.71
▪ I am extremely knowledgeable about all the steps needed to keep my online data and accounts safe. 0.71
α=.84
CFI=.91
SRMR=.05
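
Added example (not from the talk or the authors' materials): scoring SA-6 responses and computing Cronbach's alpha, the internal-consistency statistic the slide reports as α=.84. It assumes the score is the mean of the six 1-5 ratings, consistent with the 1-5 range of the group means reported later in the deck; the responses are constructed and the function names are illustrative.

```python
"""Score SA-6 responses and estimate Cronbach's alpha (added example)."""
from statistics import mean, variance

# Short illustrative labels for the six items, in the order the slide lists them.
SA6_ITEMS = ("routine", "expert_advice", "knowledgeable",
             "motivated", "articles", "seek_learning")
SCALE_MIN, SCALE_MAX = 1, 5  # 1=Strongly Disagree ... 5=Strongly Agree


def validate(response):
    """Return one respondent's six ratings as a list, or raise ValueError."""
    if len(response) != len(SA6_ITEMS):
        raise ValueError(f"expected {len(SA6_ITEMS)} ratings, got {len(response)}")
    for rating in response:
        # bool is a subclass of int, so reject it explicitly.
        if isinstance(rating, bool) or not isinstance(rating, int):
            raise ValueError(f"rating is not an integer: {rating!r}")
        if not SCALE_MIN <= rating <= SCALE_MAX:
            raise ValueError(f"rating out of range: {rating!r}")
    return list(response)


def sa6_score(response):
    """Assumed scoring rule: the mean of the six ratings (range 1.0 to 5.0)."""
    return mean(validate(response))


def complete_cases(raw_rows):
    """Listwise deletion: keep fully answered, in-range rows; count the rest."""
    kept, dropped = [], 0
    for row in raw_rows:
        try:
            kept.append(validate(row))
        except ValueError:
            dropped += 1
    return kept, dropped


def cronbach_alpha(rows):
    """alpha = k/(k-1) * (1 - sum(item variances) / variance(total scores))."""
    rows = [validate(r) for r in rows]
    if len(rows) < 2:
        raise ValueError("need at least two respondents")
    k = len(SA6_ITEMS)
    item_vars = [variance(col) for col in zip(*rows)]   # one column per item
    total_var = variance([sum(row) for row in rows])    # per-respondent totals
    if total_var == 0:
        raise ValueError("total scores have no variance; alpha is undefined")
    return k / (k - 1) * (1 - sum(item_vars) / total_var)


# Constructed survey export: ten respondents, two of them unusable.
SAMPLE = [
    [5, 4, 4, 5, 4, 5],
    [4, 4, 3, 4, 4, 4],
    [2, 2, 3, 2, 1, 2],
    [3, 3, 2, 3, 3, 4],
    [1, 2, 1, 2, 2, 1],
    [4, 5, 4, 4, 5, 4],
    [3, 2, 3, 3, 3, 2],
    [5, 5, 4, 5, 4, 4],
    [4, None, 3, 4, 4, 3],   # skipped an item
    [6, 4, 4, 5, 4, 5],      # out-of-range value from a bad export
]

if __name__ == "__main__":
    kept, dropped = complete_cases(SAMPLE)
    print(f"usable responses: {len(kept)}, dropped: {dropped}")
    for row in kept:
        print(f"SA-6 = {sa6_score(row):.2f}  {row}")
    print(f"Cronbach's alpha = {cronbach_alpha(kept):.3f}")
```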
SA-6 = attentiveness to and engagement with cybersecurity measures

Best practice: Statistical testing of SA-6 as a valid attitude measure
Factor tests
▪ Exploratory Factor Analysis to check item correlations (SPSS)
▪ Reliability Analysis (alpha) to confirm internal consistency
Model tests
▪ Confirmatory Factor Analysis to check goodness of fit (MPlus)
▪ Run several CFA models to make sure we specified the best model
Validity tests
▪ Test relationships + differences with other variables (SPSS)
▪ Also tested for ability to predict participants’ recalled security actions in past week

Best practice: Test for expected associations with SA-6
▪ RQ1a: Is SA-6 positively correlated with SeBIS?
▪ Yes.
[Diagram: Attitude toward security behavior, SA-6 (Faklaris et al. 2019), and Security behavior intention, SeBIS (Egelman & Peer 2015): r=.540, p<.01]

Best practice: Test for expected associations with SA-6
▪ RQ1a: Is SA-6 positively correlated with SeBIS?
▪ Yes.
[Diagram: Attitude toward security behavior, SA-6 (Faklaris et al. 2019), and Security behavior intention, SeBIS (Egelman & Peer 2015): R²=.280, p<.001]

Best practice: Test for expected associations with SA-6
▪ RQ1b: Do other measures thought to relate with security attitude correlate with SA-6?
▪ Yes.
- With the Internet Users’ Informational Privacy Concerns (IUIPC) scale (Malhotra et al. 2004): r=.390, p<.01
- With the Privacy Concerns Scale (PCS) (Buchanan et al. 2007): r=.382, p<.01

Best practice: Test for expected associations with SA-6
▪ RQ1b: Do other measures thought to relate with security attitude correlate with SA-6?
▪ Yes.
- With the Barratt Impulsiveness Scale (Stanford et al. 2009, update): r=.180, p<.01
- With the General Self-Efficacy scale (Zimmerman et al. 2000): r=.208, p<.01
- With the Social Self-Efficacy scale (Zimmerman et al. 2000): r=.363, p<.01

Best practice: Test for expected associations with SA-6
▪ RQ1b: Do other measures thought to relate with security attitude correlate with SA-6?
▪ Yes.
- With the Kang Internet Know-How scale (Kang et al. 2015): r=.542, p<.01
- w/Confidence in using computers (Fogarty et al. 2001, adapted): r=.280, p<.05
- w/Web-oriented digital literacy (Hargittai 2005): r=.503, p<.05

Best practice: Test for expected differences in SA-6 by subgroup
▪ RQ2a: Does SA-6 vary with background factors? Yes.
SA-6 Mean (SD); t(df), p
▪ Age group: 18-39, 3.40 (.81); 40+, 3.69 (.76); t(207) = -2.172, p<.05
▪ Gender: Male, 3.77 (.71); Female, 3.53 (.81); t(198.38) = 2.19, p<.05

Best practice: Test for expected differences in SA-6 by subgroup
▪ RQ2a: Does SA-6 vary with background factors? Yes.
SA-6 Mean (SD); t(df), p
▪ College attendance: No college, 3.42 (.79); Attended college, 3.73 (.76); t(207) = -2.76, p<.01
▪ Income level: Below $25K, 3.30 (.71); Above $25K, 3.73 (.77); t(207) = -3.42, p<.005

Best practice: Test for expected differences in SA-6 by subgroup
▪ RQ2b: Does SA-6 vary with past breach experiences? Yes.
SA-6 Mean (SD) for Low and High; t(df), p
▪ Themselves falling victim to a security breach: Low, 3.56 (.78); High, 4.13 (.58); t(41.46) = -4.54, p<.001
▪ Close friends or relatives falling victim: Low, 3.57 (.76); High, 4.10 (.74); t(207) = -3.40, p<.005
▪ Heard about security breaches in the past year: Low, 3.35 (.80); High, 3.77 (.74); t(207) = -3.77, p<.001

Best practice: Collect measures theorized to relate with SA-6
Test support for predictive validity
▪ RQ3: Does a person’s SA-6 score positively associate with a measure of self-reported security behaviors within the past week?
▪ Collected 10 items based on SeBIS, 5-level agreement scale (RSec)
Ex: “In the past week, I have verified at least once that my antivirus software is up to date.”

Best practice: Test for SA-6’s influence on outcome variables
▪ RQ3: Does SA-6 positively associate with a measure of self-reported security behaviors within the past week (RSec)?
▪ Yes.
[Diagram: Attitude toward security behavior, SA-6 (Faklaris et al. 2019), and Security behavior, RSec (Faklaris et al. 2019): r=.398, p<.001]

Best practice: Test for SA-6’s influence on outcome variables
[Diagram: Attitude toward security behavior, SA-6 (Faklaris et al. 2019); Security behavior intention, SeBIS (Egelman & Peer 2015); Security behavior, RSec (Faklaris et al. 2019). Value shown: R²=.280, p<.001]

Best practice: Test for SA-6’s influence on outcome variables
[Diagram: Attitude toward security behavior, SA-6 (Faklaris et al. 2019); Security behavior intention, SeBIS (Egelman & Peer 2015); Security behavior, RSec (Faklaris et al. 2019). Values shown: R²=.235, p<.001; R²=.280, p<.001]

Best practice: Test for SA-6’s influence on outcome variables
[Diagram: Attitude toward security behavior, SA-6 (Faklaris et al. 2019); Security behavior intention, SeBIS (Egelman & Peer 2015); Security behavior, RSec (Faklaris et al. 2019). Values shown: R²=.158, p<.001; R²=.235, p<.001; R²=.280, p<.001]

SA-6 can improve predictive modeling + targeting of interventions
[Diagram: Attitude toward security behavior, SA-6 (Faklaris et al. 2019); Security behavior intention, SeBIS (Egelman & Peer 2015); Security behavior, RSec (Faklaris et al. 2019). Values shown: R²=.158, p<.001; R²=.235, p<.001; R²=.280, p<.001]
Low SA-6 → boost awareness/motivation; High SA-6 → boost skill/ability

SA-6 can be helpful in your own usable security research
▪ Easily administer SA-6 via online survey form with other scales or questionnaires.
▪ Answer research questions such as
▫ How attentive to security advice is a certain user group likely to be?
▫ Does a new tool help or hurt a user’s attitude toward security compliance?
https://socialcybersecurity.org/sa6.html

SA-6 can be helpful in your own usable security research
▪ Test hypotheses & models motivated by:
▫ Theory of Reasoned Action,
▫ Elaboration Likelihood Model,
▫ Self-Determination Theory,
▫ Protection Motivation Theory,
▫ Other theories and frameworks.
https://socialcybersecurity.org/sa6.html

Take the Security Attitude quiz at SocialCybersecurity.org/sa6quiz

Get the SA-6 scale & follow our work:
○ Twitter: @heycori | Email: heycori @cmu.edu
○ https://socialcybersecurity.org/sa6.html
Key takeaways
1. SA-6 is a lightweight tool to quantify and compare people’s attitudes toward using recommended security tools and practices.
2. SA-6 may help to improve predictive modeling of who will adopt such behaviors.
Thank you to

More Related Content

PPSX
Caveon Webinar Series - Lessons Learned from Using Statistics to Invalidate ...
Caveon Test Security
 
PDF
Unconventional Security Metrics & Marginal Analysis
Roger Johnston
 
PPTX
Enterprise security management II
zapp0
 
PDF
Risk Analysis Webinar
Jody Keyser
 
PPTX
Information Security Risk Quantification
Joel Baese
 
PPTX
How to Do a Formal Risk Assessment
Praveen Vackayil
 
PPTX
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...
Steve Werby
 
PPTX
Introduction to Open FAIR
"Apolonio \"Apps\"" Garcia
 
Caveon Webinar Series - Lessons Learned from Using Statistics to Invalidate ...
Caveon Test Security
 
Unconventional Security Metrics & Marginal Analysis
Roger Johnston
 
Enterprise security management II
zapp0
 
Risk Analysis Webinar
Jody Keyser
 
Information Security Risk Quantification
Joel Baese
 
How to Do a Formal Risk Assessment
Praveen Vackayil
 
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...
Steve Werby
 
Introduction to Open FAIR
"Apolonio \"Apps\"" Garcia
 

Similar to A Self-Report Measure of End-User Security Attitudes (SA-6) (20)

PPTX
Connecting Attitudes and Social Influences with Designs for Usable Security a...
Cori Faklaris
 
PPTX
How can we boost 'cyber health' ? Psychometrics, social appeals and tools for...
Cori Faklaris
 
PPTX
Survey Methodology for Security and Privacy Researchers
Elissa Redmiles
 
PDF
Presentation wseaskl acacos_4_april2013
Norshidah Mohamed
 
PPTX
Behavior Change Using Social Influences
Cori Faklaris
 
PDF
THE RELATIONSHIP BETWEEN THE CHARACTERISTICS OF SOFTWARE DEVELOPERS AND SECUR...
IJNSA Journal
 
PPTX
Role of Sentiment Analysis in Cybersecurity
Rachit Shah
 
PDF
Metrics in usability testing and user experiences
Him Chitchat
 
PDF
Components of a Model of Cybersecurity Behavior Adoption
Cori Faklaris
 
PPTX
Computer Application Anxiety, Self-Efficacy and Open Source Learning Manageme...
Norshidah Mohamed
 
PPTX
Cyber awareness ppt on the recorded data
TecnoIncentive
 
PDF
Improved Security Detection & Response via Optimized Alert Output: A Usabilit...
Russ McRee
 
PPTX
Jonas hallberg. securit
NordForsk
 
DOCX
1.The TEIQue instrument is used as a self-reporting assessment tha.docx
christiandean12115
 
PDF
Building on the Usability Study: Two Explorations on How to Better Understan...
mprabaker
 
PPTX
Security Analytics for Data Discovery - Closing the SIEM Gap
Eric Johansen, CISSP
 
PDF
A Descriptive Review And Classification Of Organizational Information Securit...
Brandi Gonzales
 
PPT
Isecon.2006.sharp (1)
Hemendra Pandey
 
PPT
SIMS Quantitative Course Lecture 1
Rashmi Sinha
 
PPTX
The need for effective information security awareness practices.
CAS
 
Connecting Attitudes and Social Influences with Designs for Usable Security a...
Cori Faklaris
 
How can we boost 'cyber health' ? Psychometrics, social appeals and tools for...
Cori Faklaris
 
Survey Methodology for Security and Privacy Researchers
Elissa Redmiles
 
Presentation wseaskl acacos_4_april2013
Norshidah Mohamed
 
Behavior Change Using Social Influences
Cori Faklaris
 
THE RELATIONSHIP BETWEEN THE CHARACTERISTICS OF SOFTWARE DEVELOPERS AND SECUR...
IJNSA Journal
 
Role of Sentiment Analysis in Cybersecurity
Rachit Shah
 
Metrics in usability testing and user experiences
Him Chitchat
 
Components of a Model of Cybersecurity Behavior Adoption
Cori Faklaris
 
Computer Application Anxiety, Self-Efficacy and Open Source Learning Manageme...
Norshidah Mohamed
 
Cyber awareness ppt on the recorded data
TecnoIncentive
 
Improved Security Detection & Response via Optimized Alert Output: A Usabilit...
Russ McRee
 
Jonas hallberg. securit
NordForsk
 
1.The TEIQue instrument is used as a self-reporting assessment tha.docx
christiandean12115
 
Building on the Usability Study: Two Explorations on How to Better Understan...
mprabaker
 
Security Analytics for Data Discovery - Closing the SIEM Gap
Eric Johansen, CISSP
 
A Descriptive Review And Classification Of Organizational Information Securit...
Brandi Gonzales
 
Isecon.2006.sharp (1)
Hemendra Pandey
 
SIMS Quantitative Course Lecture 1
Rashmi Sinha
 
The need for effective information security awareness practices.
CAS
 
Ad

More from Cori Faklaris (16)

PDF
Understanding and Mitigating SMiShing Vulnerability: Insights from U.S. Surve...
Cori Faklaris
 
PDF
A Guide to AI for Smarter Nonprofits - Dr. Cori Faklaris, UNC Charlotte
Cori Faklaris
 
PPTX
Human Factors at the Grid Edge
Cori Faklaris
 
PDF
An Introduction to Generative AI
Cori Faklaris
 
PDF
Designing for Usable Security and Privacy
Cori Faklaris
 
PDF
Reframing Usable Privacy + Security to Design for 'Cyber Health'
Cori Faklaris
 
PPTX
Social Cybersecurity: Ideas for Nudging Secure Behaviors Through Social Influ...
Cori Faklaris
 
PDF
Share & Share Alike? An Exploration of Secure Behaviors in Romantic Relations...
Cori Faklaris
 
PDF
Reframing Organizational Cybersecurity to Design for “Cyber Health”
Cori Faklaris
 
PDF
Social Media Best Practices - CMU Fall 2017
Cori Faklaris
 
PPT
If You Are Going To Skydive, You Need a Parachute: Navigating the World of H...
Cori Faklaris
 
PPTX
"Visualizing Email Content": Article discussion slides
Cori Faklaris
 
PPTX
Together: An app to foster community for young urbanites
Cori Faklaris
 
PPTX
The State of E-Discovery as Social Media Goes Mobile
Cori Faklaris
 
PPT
5 ideas for paying for college as an adult returning student
Cori Faklaris
 
PPTX
Social media boot camp: "HeyCori"'s tips for successful engagement online
Cori Faklaris
 
Understanding and Mitigating SMiShing Vulnerability: Insights from U.S. Surve...
Cori Faklaris
 
A Guide to AI for Smarter Nonprofits - Dr. Cori Faklaris, UNC Charlotte
Cori Faklaris
 
Human Factors at the Grid Edge
Cori Faklaris
 
An Introduction to Generative AI
Cori Faklaris
 
Designing for Usable Security and Privacy
Cori Faklaris
 
Reframing Usable Privacy + Security to Design for 'Cyber Health'
Cori Faklaris
 
Social Cybersecurity: Ideas for Nudging Secure Behaviors Through Social Influ...
Cori Faklaris
 
Share & Share Alike? An Exploration of Secure Behaviors in Romantic Relations...
Cori Faklaris
 
Reframing Organizational Cybersecurity to Design for “Cyber Health”
Cori Faklaris
 
Social Media Best Practices - CMU Fall 2017
Cori Faklaris
 
If You Are Going To Skydive, You Need a Parachute: Navigating the World of H...
Cori Faklaris
 
"Visualizing Email Content": Article discussion slides
Cori Faklaris
 
Together: An app to foster community for young urbanites
Cori Faklaris
 
The State of E-Discovery as Social Media Goes Mobile
Cori Faklaris
 
5 ideas for paying for college as an adult returning student
Cori Faklaris
 
Social media boot camp: "HeyCori"'s tips for successful engagement online
Cori Faklaris
 
Ad

Recently uploaded (20)

PDF
TCP_IP for Programmers ------ slides.pdf
Souhailsouhail5
 
PPTX
Economic Sector Performance Recovery.pptx
yulisbaso2020
 
PPTX
artificial intelligence deeplearning-200712115616.pptx
revathi148366
 
PPTX
Web dev -ppt that helps us understand web technology
shubhragoyal12
 
PPTX
Lecture 1 Intro in Inferential Statistics.pptx
MiraLamuton
 
PPTX
Introduction to Data Analytics and Data Science
KavithaCIT
 
PPTX
Logistic Regression ml machine learning.pptx
abdullahcocindia
 
PDF
Mastering Financial Analysis Materials.pdf
SalamiAbdullahi
 
PDF
The_Future_of_Data_Analytics_by_CA_Suvidha_Chaplot_UPDATED.pdf
CA Suvidha Chaplot
 
PDF
CH1-MODEL-BUILDING-v2017.1-APR27-2017.pdf
jcc00023con
 
PPTX
Employee Salary Presentation.l based on data science collection of data
barridevakumari2004
 
PPTX
Data Security Breach: Immediate Action Plan
varmabhuvan266
 
PDF
1 Simple and Compound Interest_953c061c981ff8640f0b8e733b245589.pdf
JaexczJol060205
 
PPTX
Introduction-to-Python-Programming-Language (1).pptx
dhyeysapariya
 
PPTX
Extract Transformation Load (3) (1).pptx
revathi148366
 
PDF
CH2-MODEL-SETUP-v2017.1-JC-APR27-2017.pdf
jcc00023con
 
PDF
Chad Readey - An Independent Thinker
Chad Readey
 
PPTX
Machine Learning Solution for Power Grid Cybersecurity with GraphWavelets
Sione Palu
 
PDF
oop_java (1) of ice or cse or eee ic.pdf
sabiquntoufiqlabonno
 
PPTX
Probability systematic sampling methods.pptx
PrakashRajput19
 
TCP_IP for Programmers ------ slides.pdf
Souhailsouhail5
 
Economic Sector Performance Recovery.pptx
yulisbaso2020
 
artificial intelligence deeplearning-200712115616.pptx
revathi148366
 
Web dev -ppt that helps us understand web technology
shubhragoyal12
 
Lecture 1 Intro in Inferential Statistics.pptx
MiraLamuton
 
Introduction to Data Analytics and Data Science
KavithaCIT
 
Logistic Regression ml machine learning.pptx
abdullahcocindia
 
Mastering Financial Analysis Materials.pdf
SalamiAbdullahi
 
The_Future_of_Data_Analytics_by_CA_Suvidha_Chaplot_UPDATED.pdf
CA Suvidha Chaplot
 
CH1-MODEL-BUILDING-v2017.1-APR27-2017.pdf
jcc00023con
 
Employee Salary Presentation.l based on data science collection of data
barridevakumari2004
 
Data Security Breach: Immediate Action Plan
varmabhuvan266
 
1 Simple and Compound Interest_953c061c981ff8640f0b8e733b245589.pdf
JaexczJol060205
 
Introduction-to-Python-Programming-Language (1).pptx
dhyeysapariya
 
Extract Transformation Load (3) (1).pptx
revathi148366
 
CH2-MODEL-SETUP-v2017.1-JC-APR27-2017.pdf
jcc00023con
 
Chad Readey - An Independent Thinker
Chad Readey
 
Machine Learning Solution for Power Grid Cybersecurity with GraphWavelets
Sione Palu
 
oop_java (1) of ice or cse or eee ic.pdf
sabiquntoufiqlabonno
 
Probability systematic sampling methods.pptx
PrakashRajput19
 

A Self-Report Measure of End-User Security Attitudes (SA-6)

  • 1. A Self-Report Measure of End-User Security Attitudes (SA-6) Cori Faklaris, Laura Dabbish and Jason I. Hong Human-Computer Interaction Institute Usenix Symposium on Usable Privacy and Security (SOUPS 2019), Aug. 12, 2019, Santa Clara, CA, USA
  • 2. Key takeaways 1. SA-6 is a lightweight tool to quantify and compare people’s attitudes toward using recommended security tools and practices. 2. SA-6 may help to improve predictive modeling of who will adopt such behaviors. 2Introduction | Study Motivation | Scale Development | Scale Validation | Conclusion
  • 3. SA-6 is a lightweight tool to quantify and compare security attitudes 3Introduction | Study Motivation | Scale Development | Scale Validation | Conclusion ▪ Generally, I diligently follow a routine about security practices. ▪ I always pay attention to experts’ advice about the steps I need to take to keep my online data and accounts safe. ▪ I am extremely knowledgeable about all the steps needed to keep my online data and accounts safe. ▪ I am extremely motivated to take all the steps needed to keep my online data and accounts safe. ▪ I often am interested in articles about security threats. ▪ I seek out opportunities to learn about security measures that are relevant to me. On a scale of 1=Strongly Disagree to 5=Strongly Agree, rate your level of agreement with the following:
  • 4. 4Introduction | Study Motivation | Scale Development | Scale Validation | Conclusion SA-6 may help to improve predictive modeling of security adoption Attitude toward security behavior Security behavior intention Security behavior SA-6 SeBIS Recalled actions Better predictive modeling = better targeting of interventions
  • 5. ▪ Much usability research employs in-depth interviews and observations. ▪ But this is not always feasible or desirable. 5Introduction | Study Motivation | Scale Development | Scale Validation | Conclusion Our field needs reliable and validated psychometric scales https://giphy.com/gifs/heyarnold-hey-arnold-nicksplat-xT1R9EbolF7trQnIyI
  • 6. Our field needs reliable and validated psychometric scales ▪ For large-scale, longitudinal or time-sensitive research, we need an online survey form that can be given with other scales or questionnaires. 6Introduction | Study Motivation | Scale Development | Scale Validation | Conclusion
  • 7. ▪ Knowing users’ attitudes, intentions and behaviors helps us craft security tools that are: ▫ Useful ▫ Easy to use ▫ Satisfying to users 7 https://www.interaction-design.org/literature/topics/usability Our field needs reliable and validated psychometric scales Introduction | Study Motivation | Scale Development | Scale Validation | Conclusion
  • 8. Our field needs reliable and validated psychometric scales ▪ An attitude scale helps answer research questions such as: ▫ How attentive to security advice is a certain user group likely to be? ▫ Does a new tool help or hurt a user’s attitude toward security compliance? 8Introduction | Study Motivation | Scale Development | Scale Validation | Conclusion
  • 9. Current state of the art is SeBIS (Egelman & Peer 2015) ▪ 16-item self-report inventory in four areas: ▫ Password generation ▫ Proactive awareness ▫ Software updates ▫ Device securement But it has limitations: ▪ Specific to behavior intentions, not to attitudes. ▪ Tech-specific wording may become outdated. The Security Behavior Intentions Scale (SeBIS) isn’t enough 9Introduction | Study Motivation | Scale Development | Scale Validation | Conclusion
  • 10. ▪ Theory of Reasoned Action ▫ Technology Acceptance Model ▫ Diffusion of Innovation Theory ▪ Elaboration Likelihood Model ▪ Self-Determination Theory ▪ Protection Motivation Theory An additional scale is needed to conduct theory-motivated research 10Introduction | Study Motivation | Scale Development | Scale Validation | Conclusion Behavior Intention Attitude Fishbein & Azjen 1967, 2010; Davis et al. 1989; Rogers 2010; Petty & Cacioppo 1980; Ryan & Deci 2000; Rogers 1975
  • 11. Best practice: Generate candidate items from prior work (Das et al. 2017) 11 Awareness Motivation Knowledge Security Sensitivity to engage in expert-recommended security practices Introduction | Study Motivation | Scale Development | Scale Validation | Conclusion Attitude
  • 12. ▪ A security breach, if one occurs, is not likely to cause significant harm to my online identity or accounts. ▪ Generally, I am aware of existing security threats. ▪ Generally, I am willing to spend money to use security measures that counteract the threats that are relevant to me. ▪ Generally, I care about security and privacy threats. ▪ Generally, I diligently follow a routine about security practices. ▪ Generally, I know how to figure out if an email was sent by a scam artist. ▪ Generally, I know how to use security measures to counteract the threats that are relevant to me. ▪ Generally, I know which security threats are relevant to me. Best practice: Test many different item variations for SA-6 (60+ to start) 12Introduction | Study Motivation | Scale Development | Scale Validation | Conclusion
  • 13. ▪ SeBIS scale, 16 items ▪ Internet Know-How, 9 items ▪ Technical Know-How, 9 items ▪ Internet Users Information Privacy Concerns scale, 10 items ▪ Frequency of falling victim to a security breach, 2 items ▪ Amount heard or seen about security breaches, 1 item ▪ Barratt Impulsiveness Scale, 30 items ▪ Privacy Concerns Scale, 16 items ▪ Ten-Item Personality Inventory, 10 items ▪ General Self-Efficacy scale, 11 items ▪ Social Self-Efficacy scale, 5 items ▪ Confidence in Using Computers, 12 items Best practice: Collect measures theorized to relate with SA-6 13Introduction | Study Motivation | Scale Development | Scale Validation | Conclusion
  • 14. 14 Best practice: Collect measures theorized to relate with SA-6 Test convergent validity ▪ RQ1a: Is SA-6 positively correlated with SeBIS? ▪ RQ1b: Do other measures thought to relate with security attitude correlate with SA-6? Test discriminant validity ▪ RQ2a: Does SA-6 vary with respect to background social factors (e.g. age, gender)? ▪ RQ2b: Does SA-6 vary with past experiences of security breaches? Introduction | Study Motivation | Scale Development | Scale Validation | Conclusion
  • 15. Best practice: Use a large, diverse sample for finalizing scale items
      ▪ N = 475
      ▪ Amazon Mechanical Turk sample
      ▪ University-run study pool sample
      ▪ Meets recommended ratio (5:1 to 10:1) of responses to scale items
      ▪ Samples not significantly different by age [overall χ²(4, N = 475) = 11.42, p = n.s.] or gender [χ²(1, N = 475) = 2.95, p = n.s.]
  • 16. Best practice: Repeat study in a representative sample to validate scale
      ▪ N = 209
      ▪ Qualtrics-filled panel with age, gender & income tailored to U.S. population
  • 17. Best practice: Iterative analyses to zero in on the items for the scale
      Factor tests
      ▪ Exploratory Factor Analysis to check item correlations (SPSS)
      ▪ Reliability Analysis (alpha) to confirm internal consistency
      Model tests
      ▪ Confirmatory Factor Analysis to check goodness of fit (MPlus)
      ▪ Run several CFA models to make sure we specified the best model
  • 18. SA-6 demonstrates desired consistency + fit for a psychometric scale
      SA-6 scale items (SPSS Principal Components Analysis), with factor loading:
      ▪ I seek out opportunities to learn about security measures that are relevant to me. (0.81)
      ▪ I am extremely motivated to take all the steps needed to keep my online data and accounts safe. (0.78)
      ▪ Generally, I diligently follow a routine about security practices. (0.77)
      ▪ I often am interested in articles about security threats. (0.72)
      ▪ I always pay attention to experts' advice about the steps I need to take to keep my online data and accounts safe. (0.71)
      ▪ I am extremely knowledgeable about all the steps needed to keep my online data and accounts safe. (0.71)
      α = .84, CFI = .91, SRMR = .05
  • 19. SA-6 = attentiveness to and engagement with cybersecurity measures
      SA-6 scale items (SPSS Principal Components Analysis), with factor loading:
      ▪ I seek out opportunities to learn about security measures that are relevant to me. (0.81)
      ▪ I am extremely motivated to take all the steps needed to keep my online data and accounts safe. (0.78)
      ▪ Generally, I diligently follow a routine about security practices. (0.77)
      ▪ I often am interested in articles about security threats. (0.72)
      ▪ I always pay attention to experts' advice about the steps I need to take to keep my online data and accounts safe. (0.71)
      ▪ I am extremely knowledgeable about all the steps needed to keep my online data and accounts safe. (0.71)
  • 20. Best practice: Statistical testing of SA-6 as a valid attitude measure
      Factor tests
      ▪ Exploratory Factor Analysis to check item correlations (SPSS)
      ▪ Reliability Analysis (alpha) to confirm internal consistency
      Model tests
      ▪ Confirmatory Factor Analysis to check goodness of fit (MPlus)
      ▪ Run several CFA models to make sure we specified the best model
      Validity tests
      ▪ Test relationships + differences with other variables (SPSS)
      ▪ Also tested for ability to predict participants’ recalled security actions in past week
  • 21. Best practice: Test for expected associations with SA-6
      ▪ RQ1a: Is SA-6 positively correlated with SeBIS?
      ▪ Yes.
      Diagram: Attitude toward security behavior (SA-6; Faklaris et al. 2019) and Security behavior intention (SeBIS; Egelman & Peer 2015): r = .540, p < .01
  • 22. Best practice: Test for expected associations with SA-6
      ▪ RQ1a: Is SA-6 positively correlated with SeBIS?
      ▪ Yes.
      Diagram: Attitude toward security behavior (SA-6; Faklaris et al. 2019) and Security behavior intention (SeBIS; Egelman & Peer 2015): R² = .280, p < .001
  • 23. Best practice: Test for expected associations with SA-6
      ▪ RQ1b: Do other measures thought to relate with security attitude correlate with SA-6?
      ▪ Yes.
      - With the Internet Users’ Informational Privacy Concerns (IUIPC) scale (Malhotra et al. 2004): r = .390, p < .01
      - With the Privacy Concerns Scale (PCS) (Buchanan et al. 2007): r = .382, p < .01
  • 24. Best practice: Test for expected associations with SA-6
      ▪ RQ1b: Do other measures thought to relate with security attitude correlate with SA-6?
      ▪ Yes.
      - With the Barratt Impulsiveness Scale (Stanford et al. 2009, update): r = .180, p < .01
      - With the General Self-Efficacy scale (Zimmerman et al. 2000): r = .208, p < .01
      - With the Social Self-Efficacy scale (Zimmerman et al. 2000): r = .363, p < .01
  • 25. Best practice: Test for expected associations with SA-6
      ▪ RQ1b: Do other measures thought to relate with security attitude correlate with SA-6?
      ▪ Yes.
      - With the Kang Internet Know-How scale (Kang et al. 2015): r = .542, p < .01
      - With Confidence in using computers (Fogarty et al. 2001, adapted): r = .280, p < .05
      - With Web-oriented digital literacy (Hargittai 2005): r = .503, p < .05
  • 26. Best practice: Test for expected differences in SA-6 by subgroup
      ▪ RQ2a: Does SA-6 vary with background factors? Yes.
      SA-6 Mean (SD) by subgroup, with t(df), p:
      ▪ Age group: 18-39, 3.40 (.81); 40+, 3.69 (.76); t(207) = -2.172, p < .05
      ▪ Gender: Male, 3.77 (.71); Female, 3.53 (.81); t(198.38) = 2.19, p < .05
  • 27. Best practice: Test for expected differences in SA-6 by subgroup
      ▪ RQ2a: Does SA-6 vary with background factors? Yes.
      SA-6 Mean (SD) by subgroup, with t(df), p:
      ▪ College attendance: No college, 3.42 (.79); Attended college, 3.73 (.76); t(207) = -2.76, p < .01
      ▪ Income level: Below $25K, 3.30 (.71); Above $25K, 3.73 (.77); t(207) = -3.42, p < .005
  • 28. Best practice: Test for expected differences in SA-6 by subgroup
      ▪ RQ2b: Does SA-6 vary with past breach experiences? Yes.
      SA-6 Mean (SD) for Low vs. High groups, with t(df), p:
      ▪ Themselves falling victim to a security breach: Low, 3.56 (.78); High, 4.13 (.58); t(41.46) = -4.54, p < .001
      ▪ Close friends or relatives falling victim: Low, 3.57 (.76); High, 4.10 (.74); t(207) = -3.40, p < .005
      ▪ Heard about security breaches in the past year: Low, 3.35 (.80); High, 3.77 (.74); t(207) = -3.77, p < .001
  • 29. Best practice: Collect measures theorized to relate with SA-6
      Test support for predictive validity
      ▪ RQ3: Does a person’s SA-6 score positively associate with a measure of self-reported security behaviors within the past week?
      ▪ Collected 10 items based on SeBIS, 5-level agreement scale (RSec)
      Ex: “In the past week, I have verified at least once that my antivirus software is up to date.”
  • 30. Best practice: Test for SA-6’s influence on outcome variables
      ▪ RQ3: Does SA-6 positively associate with a measure of self-reported security behaviors within the past week (RSec)?
      ▪ Yes.
      Diagram: Attitude toward security behavior (SA-6; Faklaris et al. 2019) and Security behavior (RSec; Faklaris et al. 2019): r = .398, p < .001
  • 31. Best practice: Test for SA-6’s influence on outcome variables
      Diagram: Attitude toward security behavior (SA-6; Faklaris et al. 2019), Security behavior intention (SeBIS; Egelman & Peer 2015), Security behavior (RSec; Faklaris et al. 2019)
      Value shown: R² = .280, p < .001
  • 32. Best practice: Test for SA-6’s influence on outcome variables
      Diagram: Attitude toward security behavior (SA-6; Faklaris et al. 2019), Security behavior intention (SeBIS; Egelman & Peer 2015), Security behavior (RSec; Faklaris et al. 2019)
      Values shown: R² = .235, p < .001; R² = .280, p < .001
  • 33. Best practice: Test for SA-6’s influence on outcome variables
      Diagram: Attitude toward security behavior (SA-6; Faklaris et al. 2019), Security behavior intention (SeBIS; Egelman & Peer 2015), Security behavior (RSec; Faklaris et al. 2019)
      Values shown: R² = .158, p < .001; R² = .235, p < .001; R² = .280, p < .001
  • 34. SA-6 can improve predictive modeling + targeting of interventions
      Diagram: Attitude toward security behavior (SA-6; Faklaris et al. 2019), Security behavior intention (SeBIS; Egelman & Peer 2015), Security behavior (RSec; Faklaris et al. 2019)
      Values shown: R² = .158, p < .001; R² = .235, p < .001; R² = .280, p < .001
      Low SA-6 → boost awareness/motivation; High SA-6 → boost skill/ability
  • 35. SA-6 can be helpful in your own usable security research
      ▪ Easily administer SA-6 via online survey form with other scales or questionnaires.
      ▪ Answer research questions such as
        ▫ How attentive to security advice is a certain user group likely to be?
        ▫ Does a new tool help or hurt a user’s attitude toward security compliance?
      https://socialcybersecurity.org/sa6.html
  • 36. SA-6 can be helpful in your own usable security research
      ▪ Test hypotheses & models motivated by:
        ▫ Theory of Reasoned Action,
        ▫ Elaboration Likelihood Model,
        ▫ Self-Determination Theory,
        ▫ Protection Motivation Theory,
        ▫ Other theories and frameworks.
      https://socialcybersecurity.org/sa6.html
  • 37. Take the Security Attitude quiz at SocialCybersecurity.org/sa6quiz
  • 38. Key takeaways
      1. SA-6 is a lightweight tool to quantify and compare people’s attitudes toward using recommended security tools and practices.
      2. SA-6 may help to improve predictive modeling of who will adopt such behaviors.
      Get the SA-6 scale & follow our work:
      ○ Twitter: @heycori | Email: heycori @cmu.edu
      ○ https://socialcybersecurity.org/sa6.html
      Thank you to