PhD Candidate
Carnegie Mellon University
Areas of Interest
- Human-Computer Interaction
- Information, Data, Network, and Communication Sciences
- Security
Poster
What breach? Measuring online awareness of security incidents by studying real-world browsing behavior
Abstract
Awareness about security and privacy risks is important for developing good security habits. Learning about real-world security incidents and data breaches can alert people to the ways in which their information is vulnerable online, thus playing a significant role in encouraging safe security behavior. This work examines 1) how often people read about security incidents online, 2) of those people, whether and to what extent they follow up with an action, e.g., by trying to learn more about the incident, and 3) what influences the likelihood that they will read about an incident and take some action. We study this by quantitatively examining real-world internet-browsing data from 303 participants.
Our findings present a bleak view of awareness of security incidents. Only 16% of participants visited any web pages related to six widely publicized large-scale security incidents; few read about one even when an incident was likely to have affected them (e.g., the Equifax breach almost universally affected people with Equifax credit reports). We further found that more severe incidents as well as articles that constructively spoke about the incident inspired more action. We conclude with recommendations for specific future research and for enabling useful security incident information to reach more people.
Bio
Sruti Bhagavatula is a 6th-year PhD student researching computer security and privacy at Carnegie Mellon University (CMU) with Dr. Lujo Bauer. She received her MS in Computer Science from CMU and her BS, also in computer science, from the University of Illinois at Chicago. Her most recent work involves empirical measurement studies related to engagement with and actions after with security incidents, how security advice is shared through social networks, and how to improve the spread of security advice through such networks. She is interested in teaching and CS education and hopes to be a teaching-track professor after obtaining her PhD. She has taught classes related to security and privacy and undergraduate classes related to data structures and core CS concepts.
