Accurately modeling human decision-making in security is critical for deciding when, why, and how to recommend that users adopt certain secure behaviors. We used behavioral economics experiments to model the rationality of end-user security decision-making in a realistic online experimental system simulating a bank account. We ask participants to make a financially impactful security choice, in the face of transparent risks of account compromise and benefits offered by an optional security behavior (two-factor authentication). We find that more than 50% of our participants made rational (i.e., utility-optimal) decisions, and that participants are more likely to behave rationally in the face of higher risk. Additionally, we confirm that users are boundedly rational: they make decisions based on some risks and context, but not others, and we can model their behavior well as a function of these factors. Finally, we show that a “one-size-fits-all” emphasis on security can lead to market losses, but that adoption by a subset of users with higher risks or lower costs can lead to market gains.
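As an added illustration, not part of the talk or its experiment, the following models the utility-optimal two-factor decision and the market-level contrast in the last sentence. It assumes 2FA removes a fixed fraction of compromise risk at a per-user cost; the effectiveness factor, the population, and all values are constructed.

```python
# Added example (not from the talk): a simple expected-utility model of the
# 2FA decision the abstract describes. The effectiveness factor, the
# population and all values below are constructed assumptions.
from dataclasses import dataclass
from typing import Callable, List

TWO_FACTOR_EFFECTIVENESS = 0.9  # assumed: 2FA prevents 90% of compromises


@dataclass(frozen=True)
class User:
    p_compromise: float  # probability the account is compromised without 2FA
    balance: float       # amount lost on compromise
    cost_2fa: float      # user's own cost of 2FA (time, hassle), same units


def expected_utility(u: User, adopt: bool) -> float:
    """Expected utility of one choice: minus expected loss, minus 2FA cost if adopted."""
    p = u.p_compromise * (1 - TWO_FACTOR_EFFECTIVENESS) if adopt else u.p_compromise
    return -p * u.balance - (u.cost_2fa if adopt else 0.0)


def rational_choice(u: User) -> bool:
    """Utility-optimal choice: adopt 2FA only when it raises expected utility."""
    return expected_utility(u, True) > expected_utility(u, False)


def market_welfare(users: List[User], policy: Callable[[User], bool]) -> float:
    """Sum of expected utilities when every user follows `policy`."""
    return sum(expected_utility(u, policy(u)) for u in users)


def market_gain(users: List[User], policy: Callable[[User], bool]) -> float:
    """Welfare change relative to nobody adopting 2FA (positive = market gain)."""
    return market_welfare(users, policy) - market_welfare(users, lambda u: False)


# Constructed population: a few high-risk or low-cost users among many low-risk ones.
POPULATION = [
    User(0.010, 1000.0, 20.0),  # low risk, ordinary cost: 2FA not worth it
    User(0.100, 1000.0, 20.0),  # high risk: 2FA clearly worth it
    User(0.010, 1000.0, 2.0),   # low risk but cheap 2FA: worth it
    User(0.005, 200.0, 15.0),
    User(0.002, 500.0, 25.0),
    User(0.004, 300.0, 30.0),
    User(0.003, 400.0, 40.0),
]

if __name__ == "__main__":
    print("one-size-fits-all gain:", market_gain(POPULATION, lambda u: True))  # negative
    print("rational-subset gain:  ", market_gain(POPULATION, rational_choice))  # positive
```

With this population, forcing 2FA on everyone lowers total welfare relative to no adoption, while letting only the high-risk or low-cost users adopt raises it.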
Elissa Redmiles is a Ph.D. student at the University of Maryland in Computer Science. Her research focuses on using computational and social science methodologies to understand and improve users' privacy and security learning processes, behavior, and perceptions. She is the recipient of an NSF Graduate Research Fellowship, a National Science Defense and Engineering Graduate Fellowship, and a Facebook Fellowship. Prior to pursuing her Ph.D., Elissa held Marketing Management and Software Engineering roles at IBM and was a Data Science for Social Good Fellow at the University of Chicago.