User Experience; Security and Privacy Intervention; Human factor; Motivation Theory; Field experiment; Workplace cybersecurity; cybersecurity for families; Social aspects of cybersecurity; Security training; Security knowledge and skill
Abstract :
We live in a society characterized by ubiquitous computing and pervasive digital services. Individuals who are unaware of the security and privacy risks that arise during interactions with digital technologies need to be informed of these risks. Therefore, security and privacy interventions remain necessary—not only to advise individuals of risks but also to empower them to address these risks. Nevertheless, many security and privacy interventions proposed by practitioners are perceived as neither engaging nor practical by their target users. This dissertation adopts an interdisciplinary approach to improve the design of security and privacy interventions. It addresses how autonomous motivation influences individuals' security-related behaviors and how motivation theories can be employed to guide the design of security and privacy interventions.
I address these objectives using a mixed-methods approach, including a systematic literature review, empirical data collection with focus groups, a user study with a qualitative survey, a mixed-design field experiment, and a longitudinal randomized controlled trial.
The first research objective is to examine how autonomous motivation influences individuals' security behaviors. We conducted a systematic literature review of relevant empirical studies in organizational contexts. By systematically analyzing the definitions, measurements, and referred theoretical frameworks, we identified 17 unique autonomous motivators and three types of related security behaviors. We not only developed a refined taxonomy of autonomous motivation related to security behaviors but also charted a path forward for conducting theory-informed research in human-centered security.
The second objective is to explore how motivation theories can be employed to design intervention programs for specific demographic groups. We first conducted two user studies: (a) seven focus groups in a workplace setting, and (b) a qualitative survey in family contexts. With insights from the focus groups and propositions from Self-Determination Theory, we developed group discussion and role-playing trainings for the organizational context. Combining findings from the qualitative survey and propositions from the Expectancy-Value framework, we created a short video intervention program for parents to empower them to support their children in addressing security and privacy concerns in family settings.
The third objective is to evaluate the effectiveness of proposed interventions in real-world settings. Specifically, we conducted a mixed-design experiment for the anti-phishing trainings, incorporating repeated measures across three time points and three in-situ phishing tests. We found that both trainings enhanced employees' anti-phishing self-efficacy and support-seeking intention in within-group analyses. Only the role-playing training significantly improved support-seeking intention when compared to the control group. Participants in both trainings reported more phishing tests and demonstrated heightened vigilance to phishing attacks compared to the control group. To evaluate the short video intervention program, we used a 14-week longitudinal randomized controlled trial. We revealed that short videos enhanced parents’ security awareness and their conversation strategies. Notably, parents who initially exhibited lower levels of these measurements benefited the most from the intervention. Moreover, short videos were effective in enhancing parents’ self-efficacy in protecting their children from online risks.
Overall, this doctoral dissertation contributes to the field of human-centered security and privacy. The refined taxonomy of autonomous motivation facilitates future research to examine and develop human-centered security policies and interventions. The contextualization of the Expectancy-Value framework lays the foundation for future scholars who wish to further examine the framework in the security context. Our findings highlight the value of grounding intervention design in established theories to improve user acceptance and engagement. Further, the interventions proposed in this dissertation can be scaled up and further improved to enhance security and privacy for various demographic groups. The field experiments and proposed measurements in this dissertation are useful for future empirical investigations. Last but not least, this dissertation exemplifies and charts a path for conducting theory-informed research in human-centered security and privacy.
Disciplines :
Social & behavioral sciences, psychology: Multidisciplinary, general & others
Author, co-author :
CHEN, Xiaowei ; University of Luxembourg > Faculty of Humanities, Education and Social Sciences (FHSE) > Department of Behavioural and Cognitive Sciences (DBCS) > Cognitive Science and Assessment
Language :
English
Title :
An Interdisciplinary Approach to Improve Security and Privacy Intervention Design: Motivation Theories, User Experience, and Field Experiments
Defense date :
30 September 2025
Institution :
Unilu - Université du Luxembourg [Faculty of Humanities, Education and Social Sciences (FHSE)], Esch-sur-Alzette, Luxembourg
Degree :
Docteur en Psychologie (DIP_DOC_0013_B)
Promotor :
SCHILTZ, Christine ; University of Luxembourg > Faculty of Humanities, Education and Social Sciences (FHSE) > Department of Behavioural and Cognitive Sciences (DBCS) > Cognitive Science and Assessment
Distler Verena; Aalto University > Computer Science > Assistant Professor
President :
LENZINI, Gabriele ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > IRiSC
Jury member :
Zimmermann Verena; ETH Zürich > Department of Humanities, Social and Political Sciences > Assistant Professor
Zou Yixin; Max Planck Institute for Security and Privacy > Faculty member
Author 1 acknowledges the financial support of the Institute for Advanced Studies at the University of Luxembourg through a Young Academic Grant (2021).