Ideals and Reality: Adopting Secure Technologies and Developing Secure Habits to Prevent Message Disclosure (thesis)

Abstract:

Development of security technologies tends to ignore difficulties with deployment in the real world. One research approach for improving adoption of secure practices and technologies is improving the
usability of security technologies; however, this belies the underlying need to understand people's practices and the non-technical factors influencing adoption.

In this thesis, I examine the problems users face when adopting secure practices and technologies in the real world, with a focus on preventing message disclosure. I first examine individual's
adoption of secure practices with respect to the management of passwords for online authentication with a survey of undergraduates. Next, I consider group adoption of a security technology,
namely encrypted e-mail for group discussions. I consider the latter issue from two perspectives.
The first perspective investigates user experiences with an existing technology via interviews with
employees at an activist group who were highly motivated to protect the secret information of their
employer. The second perspective investigates a redesign of secured communication of encrypted
e-mail for group discussion with a web application.

Often the issues faced by users are not purely issues of increasing or decreasing the level of
security theoretically attainable. Adoption is attenuated by convenience (in the case of password
reuse) and stigmatization of secure practices (in the case of social meaning attached to usage of
encrypted e-mail). People's models of security attacks could be more sophisticated than previously
thought, for example, many survey participants understood that randomness in the construction of
a password increased resistance to guessing attacks. At the activist group, people understood that
encryption could protect messages against eavesdropping and seemed ready to use the technology
for organizational secrets.

The challenge for researchers in the development of secure technologies is how to encourage
security adoption by novel users while pragmatically increasing the level of security achieved in
the real world. I present the EMBLEM (Encrypted Message Board with Lists for E-Mail) system
as an example of how one could accommodate the needs of a specific group of users to encourage
use in borderline cases, where the need for increased security is not obvious or the population of
users is lightly connected together. I presented this system to two groups of people, one group
with no experience with encrypted e-mail and one group with extensive security knowledge. While
the technology itself seemed usable for novices, one concern was that using the technology was an unnecessary step. In contrast, those fastidiously practicing security seemed more dubious of
adopting a system that increased usability or supported heterogeneous groups but provided less
assurances of end-to-end protections. Finding a balance between these groups of users remains a
challenging problem.

I frame the findings of this dissertation with an analogy to sociologist Howard Becker's work on
deviant careers. Adopting secure practices can be a departure from accepted normalized practice.
Understanding the factors influencing adoption of deviant practices, particularly the vital role of
social networks in creating a desirability to adopt deviant practices, can illuminate the rational
behind adoption and non-adoption of technically secure, but socially stigmatized practices. I
further argue that more work encouraging desirability to adopt secure practices, and more generally
work understanding real world deployment issues of security technologies, is a necessary future for progress in the field.