IEEE Technology and Society Magazine - Spring 2013 - 77

make the risk more easily accessible and thus available to the
end user. This might discourage
users from sharing information on
Facebook. Information sharing on
Facebook is further impinged by
availability. In general Facebook,
or any site that wants the user to
share their information, advertises
the benefits of information sharing. Thus, even though the users
may be aware of the risks, they
only pay attention to the benefits
as those are more salient. Further,
risk communication may cause the
user to reflect on why they chose
to share the information and thus
make it appear more beneficial that
it truly is, i.e., belief perseverance.
However, this can be alleviated by
asking the users to generate a counter hypothesis and explanation [28].
Thus, end users should be asked to
generate the benefits of sharing less
information or the risks of sharing
more information. This hypothesis
generation and explanation would
make the risks of information sharing more salient.
Affect
The affect heuristic refers to the
general feeling that a person may
have towards a certain action. It differs from the previously described
heuristics in not being cognitive;
rather affect deals with emotions
[27]. For example, a person may
choose to buy one car over another
not based on performance or price,
but purely because they find it more
attractive. Another example is the
difference in increased happiness
or sadness when a person wins or
loses. Consider a choice between
winning $50 or losing $50. Since
the expected value of the gain or
loss is the same, the increase in
happiness with gain should be
equivalent to any increase in sadness with loss. However, the affect
heuristic causes a person to be
more wary of losses than accepting
of gains. Thus, winning $50 is less
joyful than losing the same amount
is painful.

Schwarz noted that people
might attribute current affective
states to an evaluation irrespective of valence [20]. Thus, people
may rate their overall satisfaction
with their lives higher on sunny
days as compared to rainy days.
This effect can be alleviated
by making the source of affect
explicit, e.g., they can be asked
about local weather earlier. In general, good moods may lead to positive evaluation, while bad moods
may lead to negative evaluation.
Affect can impinge availability
and vice versa, e.g., perceived risk
was greater when participants were
presented with risk information for
30 years as compared to one year
[12]. Thus, it may be better to provide aggregate financial loss due
to phishing for several years than
just one.
positive affect impinges cognitive flexibility [9]. In general, better
moods increase a person's ability to
retrieve, store, and process information. Thus, designers of security
risk communication should ensure
that it does not create undue anxiety
or negative affect in the recipient.
This can be critical for older adults
who have lower cognitive plasticity
than younger adults and who also
have lower technical literacy. This
reflects the previous discussion of
loss and gain framing.

Implications
for System Design
The heuristics and biases have
been described in general terms.
Here we make specific suggestions for presentation of security
technologies.
Technologies that prevent
harm should be framed as gain,
while those that detect risk should
be framed as loss. Thus, patching
should be framed as better software, while lack of antivirus software should be framed as slower
systems. Simultaneously, users
should be primed with stereotypes or exemplars, contingent on
whether assimilation or contrast

IEEE TECHNOLOGY AND SOCIETY MAGAZINE

SprING 2013

mitigates risk. Thus, security
risk communication should use
stereotypes when encouraging
patching, not extreme cases or
exemplars. However, when discouraging suspicious downloads
(perhaps an extreme example
of someone downloading what
is in high probability malware)
extreme cases would be more
appropriate.
In terms of assimilation and
contrast, the current communications do not differentiate between
extremely common low-risk action
and rare high-risk action. That
assimilation is the result is not
surprising. All risks are similarly
framed in terms of UI, text, and
simplified imagery. The fact that
implementing contrasting behaviors is difficult (for example, selective script disabling) exacerbates
this problem.
representativeness can be leveraged by grounding risk communication in existing mental models
that have been found to be successful at changing behaviors in
other domains, e.g., health risks.
risk communication should then
begin by showing non-experts that
they have rejected similar risks
offline. Arguably most individuals would not consider providing their SSN and bank account
numbers to a stranger at their
door, they should similarly reject
phishing [39]. Security warnings
could be, like advertising, targeted according to the user's mental model, which can be estimated
from information available on the
client [40].
Leveraging the availability heuristic implies emphasizing the likeliness of an event. Like crossing
the street, individuals online open
web sites every day. Warnings on
every website about possible risk
will decrease availability, as many
potentially risky situations are correlated with no harm. In contrast,
information about aggregate risk
not specific technical information
may be more effective.
|

Table of Contents for the Digital Edition of IEEE Technology and Society Magazine - Spring 2013