Almost every security measure makes the life of its beneficiary more difficult, and thus those who stand to gain the most are also the most likely to breach security regulations. This subject – the topic of a recent research paper shows that in order to avoid this unfortunate situation, it is better to explain why the security measures are needed.
We found that subjects were significantly more likely to cheat or abandon the task when provided with non-security explanations or a vague security explanation for the delay. However, when subjects were provided more explanation about the threat model and the protection ensured by the delay, they were not more likely to cheat than subjects in the control condition who faced no such delay. Our results thus contribute to the nascent literature on soft paternalistic solutions to security and privacy problems by suggesting that, when security mitigations cannot be made “free” for users, designers may incentivize compliant users’ behavior by intentionally drawing attention to the mitigation itself.
Tags: Cryptography, embedded security, security
