The challenges of understanding users’ security-related knowledge, behaviour, and motivations

In order to improve current security solutions or devise novel ones, it is important to understand users' knowledge, behaviour, motivations and challenges in using a security solution. Achieving this understanding is difficult, however, because of the limitations of current research methodologies. We have been investigating the experiences of users with two practical implementations of the principle of least privilege (PLP): Windows Vista and Windows 7. PLP requires that users be granted the most restrictive set of privileges sufficient for the task at hand; in other words, they should not perform everyday work from accounts with administrator privileges. Following this principle better protects users from malware and other attacks, from accidental or intentional modification of system configuration, and from accidental or intentional unauthorized access to confidential data. To understand users' knowledge, behaviour, motivations and challenges in following PLP, we had participants complete realistic tasks in a lab study that would raise User Account Control (UAC) prompts, and then conducted a contextual interview to probe their behaviours. We faced numerous challenges during the study, including eliciting realistic behaviour from participants, understanding their knowledge of and difficulties with managing their user accounts and handling security warnings, and generalizing our results to a wider community. We discuss how we addressed these challenges, how well our methodological design decisions worked, and the challenges that remain.
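The UAC mechanism the study exercises works by giving an administrator two tokens: a filtered "standard user" token for everyday work and a full token that is only used after the user approves a prompt. The script below, an added example that is not part of the paper, reports which of those tokens the current PowerShell session holds, which is the practical test of whether a session follows PLP. It assumes Windows Vista or later with UAC enabled, and uses the documented well-known SID S-1-5-32-544 for BUILTIN\Administrators.

```powershell
# Added example, not from the paper: inspect the current token to see whether
# this session is doing work with administrator rights (violating PLP) or not.
# Assumes Windows Vista or later with UAC enabled.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)

# IsInRole is evaluated against the token actually in use. For an administrator
# running under UAC without elevation this is $false, because the filtered token
# carries BUILTIN\Administrators only as a deny-only group.
$tokenElevated = $principal.IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

# Group membership as recorded in the token, regardless of deny-only status.
# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
$adminMember = [bool]($identity.Groups |
    Where-Object { $_.Value -eq 'S-1-5-32-544' })

# The integrity label distinguishes the two tokens directly:
# "High Mandatory Level" is the elevated token, "Medium Mandatory Level" is
# a standard user or an administrator's filtered token.
$integrity = (whoami /groups | Select-String 'Mandatory Level').Line `
    -replace '^\s*Mandatory Label\\(\S+) Mandatory Level.*$', '$1'

[pscustomobject]@{
    User             = $identity.Name
    AdminGroupMember = $adminMember
    TokenElevated    = $tokenElevated
    IntegrityLevel   = $integrity
    FollowsPLP       = -not $tokenElevated
}
```

Three outcomes are possible. A standard user shows AdminGroupMember and TokenElevated both false. An administrator who has not accepted a UAC prompt shows AdminGroupMember true but TokenElevated false with a Medium integrity level; that is the state PLP intends, and the UAC prompt is the point at which the user decides whether to leave it. An elevated session shows both true with a High integrity level. Run the script once in a normal shell and once in one started with "Run as administrator" to see the difference.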