Using reinforcement to strengthen users’ secure behaviors

Users have a strong tendency toward dismissing security dialogs unthinkingly. Prior research has shown that users’ responses to security dialogs become significantly more thoughtful when dialogs are polymorphic, and that further improvements can be obtained when dialogs are also audited and auditors penalize users who give unreasonable responses. We contribute an Operant Conditioning model that fits these observations, and, inspired by the model, propose Security Reinforcing Applications (SRAs). SRAs seek to reward users’ secure behavior, instead of penalizing insecure behavior. User studies show that SRAs improve users’ secure behaviors and that behaviors strengthened in this way do not extinguish after a period of several weeks in which users do not interact with SRAs. Moreover, inspired by Social Learning theory, we propose Vicarious Security Reinforcement (VSR). A user study shows that VSR accelerates SRA benefits.