Emilee J. Rader

Stories as informal lessons about security

Non-expert computer users regularly need to make security-relevant decisions; however, these decisions tend not to be particularly good or sophisticated. Nevertheless, their choices are not random. Where does the information come from that these non-experts base their decisions upon? We argue that much of this information comes from stories they hear from other people. We conducted a survey to ask open- and closed- ended questions about security stories people hear from others. We found that most people have learned lessons from stories about security incidents informally from family and friends. These stories impact the way people think about security, and their subsequent behavior when making security-relevant decisions. In addition, many people retell these stories to others, indicating that a single story has the potential to influence multiple people. Understanding how non-experts learn from stories, and what kinds of stories they learn from, can help us figure out new methods for helping these people make better security decisions.

Understanding User Beliefs About Algorithmic Curation in the Facebook News Feed

People are becoming increasingly reliant on online socio-technical systems that employ algorithmic curation to organize, select and present information. We wanted to understand how individuals make sense of the influence of algorithms, and how awareness of algorithmic curation may impact their interaction with these systems. We investigated user understanding of algorithmic curation in Facebooks News Feed, by analyzing open-ended responses to a survey question about whether respondents believe their News Feeds show them every post their Facebook Friends create. Responses included a wide range of beliefs and causal inferences, with different potential consequences for user behavior in the system. Because user behavior is both input for algorithms and constrained by them, these patterns of belief may have tangible consequences for the system as a whole.

Identifying patterns in informal sources of security information

Computer users have access to computer security information from many different sources, but few people receive explicit computer security training. Despite this lack of formal education, users regularly make many important security decisions, such as “Should I click on this potentially shady link?” or “Should I enter my password into this form?” For these decisions, much knowledge comes from incidental and informal learning. To better understand differences in the security-related information available to users for such learning, we compared three informal sources of computer security information: news articles, web pages containing computer security advice, and stories about the experiences of friends and family. Using a Latent Dirichlet Allocation topic model, we found that security information from peers usually focuses on who conducts attacks, information containing expertise focuses instead on how attacks are conducted, and information from the news focuses on the consequences of attacks. These differences may prevent users from understanding the persistence and frequency of seemingly mundane threats (viruses, phishing), or from associating protective measures with the generalized threats the users are concerned about (hackers). Our findings highlight the potential for sources of informal security education to create patterns in user knowledge that affect their ability to make good security decisions.

The gap between producer intentions and consumer behavior in social media

It can be difficult for social media users to tell who is paying attention to what they post. As producers of content, Facebook users make assumptions about who will be part of their intended audience. However, when the same users role shifts to that of consumer, the criteria for consumption depends on factors outside of the original producers control. This creates a gap between producer intentions and consumer behavior; producing content that is actually consumed by ones intended audience is neither guaranteed nor easily confirmed.

The Imagined Audience and Privacy Concern on Facebook: Differences Between Producers and Consumers

Facebook users share information with others by creating posts and specifying who should be able to see each post. Once a user creates a post, those who see it have the ability to copy and re-share the information. But, if the reader has a different understanding of the information in the post than the creator intended, he or she may use the information in ways that are contrary to the intentions of the original creator. This study examined whether post creators (Producers) and readers (Consumers) who are Facebook Friends had similar levels of privacy concern regarding how others might use the information in specific posts, and how their privacy concern about the post varied by whether the imagined audience consisted of Friends, Friends of Friends, or the general Public. The results showed that both Producers and Consumers had similar levels of privacy concern about a post shared with an imagined audience of Friends versus Friends of Friends. However, Consumers believed posts were more private than the Producers themselves did, and showed more privacy concern. This shows that post Consumers care about Producers’ privacy, perceive that they are co-owners of the information, and engage in boundary management with Producers.