CMU-ISR-21-106
Institute for Software Research
School of Computer Science, Carnegie Mellon University



Measuring and increasing the reach of security information through online media

Sruti Bhagavatula

September 2021

Ph.D. Thesis
Societal Computing



Keywords: NA

With the growing number of technologies that have developed over the past several years and the similarly growing number of cyber attacks, people should ideally be aware of how to keep their information and systems safe. In general, awareness of security and privacy best practices is important for developing good security habits. Learning about real-world security incidents and data breaches can also alert people to the ways in which their information is vulnerable online, thus playing a significant role in encouraging safe security behavior online. In addition to awareness, it is important for people to take action to improve the security of their systems, particularly in the wake of a security incident or data breach. While prior work has been able to study problems about security awareness and incidents within a broad scope due to the affordances of self-reported methodologies, such studies largely relied on hypothetical or experimental scenarios.

In this thesis, we take steps towards (1) filling the gap in empirical understanding of engagement and action with security and privacy events through measurable behaviors, (2) understanding the effectiveness of social media as a platform for increasing the dissemination of security and privacy advice and for encouraging action, and (3) providing specific guidance for how security and privacy information may be shared on social media to encourage engagement and re-distribution.

Through measurements of real-world browsing and password data, we first show that online engagement with content related to large-scale security and privacy incidents is rare and that very few factors may encourage people to try to read more about incidents. We then show, by specifically analyzing password data, that people rarely take action after password breaches, much less action that is constructive, even when the breach definitely affected them. In understanding social media's effectiveness for disseminating security and privacy information, we find that discussions about security and privacy are scarce on Facebook and Twitter and that when these topics are discussed, they are often not discussed constructively. Finally, by analyzing Reddit posts about security and privacy, we identify and shed light on how security and privacy information may be shared on social media such that it garners wider spread and effectiveness.

175 pages

Thesis Committee:
Lujo Bauer (Chair)
Nicolas Christin
Timothy Libert (CMU/Google)
Apu Kapadia (Indiana University Bloomington)

James D. Herbsleb, Director, Institute for Software Research
Martial Hebert, Dean, School of Computer Science

