strawberryJAMM's Security and User Experience WebLog

The delicate balancing act between intuitive user experience and secure software systems


Fear and Loathing in Las Seguridades (Security)

  Fear.  Anger.  Distrust.

  These will motivate users to change their behaviour when it comes to securing their computers.

  At least that's the way Frank Hayes sees it in his article "Fear, Anger, Distrust".

  Hayes discusses two surveys that came out last week: The Pew Internet & American Life Project on spyware and related problems, and a Ponemon Institute survey (reported on by columnist Larry Ponemon) of 400 people who had had personal data leaked to the world.  While neither of these surveys was intended to be about what makes users change what they do, Hayes gives us the numbers to show how fear, anger and distrust had changed the behaviour of the studies' participants.

  Unfortunately, Hayes gently reminds us, relying on these particular motivators to change users' habits isn't the best idea:


So users will change -- if they get afraid, angry or distrustful. That might be useful in getting them to stop doing risky, insecure things. But only if you make sure they're not afraid, angry or distrustful in your direction.

So threatening them with punishment for breaking security rules won't work. Neither will trying to force them to obey or lying to them. No wonder IT's standard techniques for getting users to behave always fail. They're exactly the wrong approach.


  This, of course, begs the question:  "What is exactly the right approach?"  That's a tough one and even Hayes avoids answering it.  He does, however, offer a few additional insights "beyond fear, anger and distrust" gleaned from these two studies and then wraps up with the following:


[N]ow that you know the strongest motivators of change for users, you want their fear, anger and distrust aimed squarely at security threats -- where they belong.


  Read the article for the full meal deal.


  So, just to be a bit silly, here's a "recipe" for the "right approach":

  • Start with what users like and toss in what users do.
  • Pour in what users expect and what users need.
  • Mix well and sit in front of a usability study.
  • Skim off any fear, anger and distrust.
  • Bake iteratively over a release cycle and serve to millions.


  Any thoughts on "the right approach"?  Please leave a comment!


PS: For the curious, "Las Seguridades" = "The Securities". ;-)
