ABSTRACT
The voluntary adoption rate of two-factor authentication (2FA) remains low. This paper investigates whether video-based risk communication messages about Duo 2FA impacts voluntary 2FA adoption rate when delivered by a human speaker versus a cartoon speaker. We conducted an online two-phased survey-based study with 435 university students comprised of those who have not enabled Duo 2FA (non-adopters) on their university account as well as those who had previously enabled Duo 2FA (adopters). Participants in the non-adopters group (139) were assigned to one of the three groups: Threat-R (human speaker video), Threat-A (cartoon speaker video), and Control (no video). We found that 31% of participants enabled Duo 2FA through the human speaker video message compared to 7% with the cartoon speaker video message. However, there was no significant difference between the treatment and control groups (17% of participants enabled Duo 2FA in the Control group). Nevertheless, the treatment group participants showed their intention to activate Duo 2FA on their university account in the future. Those who enabled Duo 2FA rated Duo's usability as good. Moreover, enabling Duo 2FA on university accounts led some participants to enable 2FA on other online accounts. Our findings suggest that risk communication through videos that have a human speaker could increase users' willingness to adopt security features.
Supplemental Material
- Jemal Abawajy. 2014. User preference of cyber security awareness delivery methods. Behaviour & Information Technology 33, 3 (2014), 237--248.Google ScholarDigital Library
- Preston Ackerman. 2014. Impediments to adoption of two-factor authentication by home end-users. SANS Institute InfoSec Reading Room (2014).Google Scholar
- Elham Al Qahtani, Lipsarani Sahoo, and Mohamed Shehab. 2021. The Effectiveness of Video Messaging Campaigns to Use 2FA. In International Conference on Human-Computer Interaction. Springer, 369--390.Google ScholarDigital Library
- Elham Al Qahtani, Mohamed Shehab, and Abrar Aljohani. 2018. The effectiveness of fear appeals in increasing smartphone locking behavior among Saudi Arabians. In Fourteenth Symposium on Usable Privacy and Security ({SOUPS} 2018). 31--46.Google Scholar
- Yusuf Albayram, Mohammad Maifi Hasan Khan, and Michael Fagan. 2017. A study on designing video tutorials for promoting security features: A case study in the context of two-factor authentication (2fa). International Journal of Human--Computer Interaction 33, 11 (2017), 927--942.Google ScholarCross Ref
- Yusuf Albayram, Mohammad Maifi Hasan Khan, Theodore Jensen, and Nhan Nguyen. 2017. ?... better to use a lock screen than to worry about saving a few seconds of time": Effect of Fear Appeal in the Context of Smartphone Locking Behavior. In Thirteenth Symposium on Usable Privacy and Security ({SOUPS} 2017). 49--63.Google Scholar
- Maha Althobaiti and Pam Mayhew. 2014. Security and usability of authenticating process of online banking: User experience study. Proceedings - International Carnahan Conference on Security Technology 2014, 1--6. https://doi.org/10.1109/CCST.2014.6986978Google ScholarCross Ref
- Catherine L Anderson and Ritu Agarwal. 2010. Practicing safe computing: a multimedia empirical examination of home computer user security behavioral intentions. MIS quarterly 34, 3 (2010), 613--643.Google Scholar
- Maria Bada, Angela M Sasse, and Jason RC Nurse. 2019. Cyber security awareness campaigns: Why do they fail to change behaviour? arXiv preprint arXiv:1901.02672 (2019).Google Scholar
- Reuben M Baron and David A Kenny. 1986. The moderator--mediator variable distinction in social psychological research: Conceptual, strategic, and statistical considerations. Journal of personality and social psychology 51, 6 (1986), 1173.Google ScholarCross Ref
- Scott R Boss, Dennis F Galletta, Paul Benjamin Lowry, Gregory D Moody, and Peter Polak. 2015. What do systems users have to fear? Using fear appeals to engender threats and fear that motivate protective security behaviors. MIS quarterly 39, 4 (2015), 837--864.Google Scholar
- Jessica Colnago, Summer Devlin, Maggie Oates, Chelse Swoopes, Lujo Bauer, Lorrie Cranor, and Nicolas Christin. 2018. "It's not actually that horrible" Exploring Adoption of Two-Factor Authentication at a University. In Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems. 1--11.Google ScholarDigital Library
- Sanchari Das, Andrew Dingman, and L Jean Camp. 2018. Why Johnny doesn't use two factor a two-phase usability study of the FIDO U2F security key. In International Conference on Financial Cryptography and Data Security. Springer, 160--179.Google ScholarDigital Library
- Sanchari Das, Gianpaolo Russo, Andrew Dingman, Jayati Dev, Olivia Kenny, and L. Camp. 2017. A Qualitative Study on Usability and Acceptability of Yubico Security Key. (12 2017).Google Scholar
- Björn B De Koning, Huib K Tabbers, Remy MJP Rikers, and Fred Paas. 2007. Attention cueing as a means to enhance learning from an animation. Applied Cognitive Psychology: The Official Journal of the Society for Applied Research in Memory and Cognition 21, 6 (2007), 731--746.Google ScholarCross Ref
- Duo. 2021. Multi-Factor Authentication from Duo. Retrieved June, 2021 from https://duo.com/product/multi-factor-authentication-mfa.Google Scholar
- Jonathan Dutson, Danny Allen, Dennis Eggett, and Kent Seamons. 2019. Don't Punish all of us: Measuring User Attitudes about Two-Factor Authentication. In 2019 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW). IEEE, 119--128.Google ScholarCross Ref
- Cori Faklaris, Laura A. Dabbish, and Jason I. Hong. 2019. A Self-Report Measure of End-User Security Attitudes (SA-6). In Fifteenth Symposium on Usable Privacy and Security (SOUPS 2019). USENIX Association, Santa Clara, CA, 61--77.Google Scholar
- Bartlomiej Hanus and Yu "Andy" Wu. 2016. Impact of users' security awareness on desktop security behavior: A protection motivation theory perspective. Information Systems Management 33, 1 (2016), 2--16.Google Scholar
- Marian Harbach, Markus Hettig, Susanne Weber, and Matthew Smith. 2014. Using personal examples to improve risk communication for security & privacy decisions. In Proceedings of the SIGCHI conference on human factors in computing systems. ACM, 2647--2656.Google ScholarDigital Library
- Jurjen Jansen and Paul van Schaik. 2019. The design and evaluation of a theory-based intervention to promote security behaviour against phishing. International Journal of Human-Computer Studies 123 (2019), 40--55.Google ScholarCross Ref
- Yousra Javed and Mohamed Shehab. 2016. Investigating the animation of application permission dialogs: a case study of Facebook. In Data Privacy Management and Security Assurance. Springer, 146--162.Google Scholar
- Jeffrey L Jenkins, Mark Grimes, Jeffrey Gainer Proudfoot, and Paul Benjamin Lowry. 2014. Improving password cybersecurity through inexpensive and minimally invasive means: Detecting and deterring password reuse through keystroke-dynamics monitoring and just-in-time fear appeals. Information Technology for Development 20, 2 (2014), 196--213.Google ScholarDigital Library
- WA Labuschagne, I Burke, Namosha Veerasamy, and MM Eloff. 2011. Design of cyber security awareness game utilizing a social media framework. In 2011 Information Security for South Africa. IEEE, 1--9.Google Scholar
- Benedikt Lebek, Jörg Uffen, Markus Neumann, Bernd Hohler, and Michael H. Breitner. 2014. Information security awareness and behavior: a theory-based literature review. Management Research Review 37, 12 (2014), 1049--1092.Google ScholarCross Ref
- Frank Merrett. 2006. Reflections on the Hawthorne effect. Educational Psychology 26, 1 (2006), 143--146.Google ScholarCross Ref
- Microsoft. 2021. Microsoft Authenticator. Retrieved June, 2021 from https://www.microsoft.com/en-us/account/authenticator.Google Scholar
- Sarah Milne, Sheina Orbell, and Paschal Sheeran. 2002. Combining motivational and volitional interventions to promote exercise participation: Protection motivation theory and implementation intentions. British journal of health psychology 7, 2 (2002), 163--184.Google Scholar
- James Nicholson, Ben Morrison, Matt Dixon, Jack Holt, Lynne Coventry, and Jill McGlasson. 2021. Training and Embedding Cybersecurity Guardians in Older Communities. In Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems. 1--15.Google ScholarDigital Library
- Malcolm R Pattinson and Grantley Anderson. 2007. How well are information risks being communicated to your computer end-users? Information Management & Computer Security 15, 5 (2007), 362--371.Google ScholarCross Ref
- Thanasis Petsas, Giorgos Tsirantonakis, Elias Athanasopoulos, and Sotiris Ioannidis. 2015. Two-factor authentication: is the world ready? Quantifying 2FA adoption. In Proceedings of the eighth european workshop on system security. 1--7.Google ScholarDigital Library
- Elissa M Redmiles, Amelia R Malone, and Michelle L Mazurek. 2016. I think they're trying to tell me something: Advice sources and selection for digital security. In 2016 IEEE Symposium on Security and Privacy (SP). IEEE, 272--288.Google ScholarCross Ref
- Ken Reese, Trevor Smith, Jonathan Dutson, Jonathan Armknecht, Jacob Cameron, and Kent Seamons. 2019. A Usability Study of Five Two-Factor Authentication Methods. In Fifteenth Symposium on Usable Privacy and Security (SOUPS 2019). USENIX Association, Santa Clara, CA.Google Scholar
- Ken Reese, Trevor Smith, Jonathan Dutson, Jonathan Armknecht, Jacob Cameron, and Kent Seamons. 2019. A usability study of five two-factor authentication methods. In Fifteenth Symposium on Usable Privacy and Security ({SOUPS} 2019). 357--370.Google Scholar
- Joshua Reynolds, Trevor Smith, Ken Reese, Luke Dickinson, Scott Ruoti, and Kent Seamons. 2018. A tale of two studies: The best and worst of yubikey usability. In 2018 IEEE Symposium on Security and Privacy (SP). IEEE, 872--888.Google ScholarCross Ref
- Ronald W Rogers. 1975. A protection motivation theory of fear appeals and attitude change1. The journal of psychology 91, 1 (1975), 93--114.Google Scholar
- Paschal Sheeran. 2002. Intention-behavior relations: a conceptual and empirical review. European review of social psychology 12, 1 (2002), 1--36.Google Scholar
- Paschal Sheeran and Thomas L Webb. 2016. The intention--behavior gap. Social and personality psychology compass 10, 9 (2016), 503--518.Google Scholar
- Steve Sheng, Bryant Magnien, Ponnurangam Kumaraguru, Alessandro Acquisti, Lorrie Faith Cranor, Jason Hong, and Elizabeth Nunge. 2007. Anti-phishing phil: the design and evaluation of a game that teaches people not to fall for phish. In Proceedings of the 3rd symposium on Usable privacy and security. 88--99.Google ScholarDigital Library
- Sukamol Srikwan and Markus Jakobsson. 2008. Using cartoons to teach internet security. Cryptologia 32, 2 (2008), 137--154.Google ScholarDigital Library
- Peter Story, Daniel Smullen, Alessandro Acquisti, Lorrie Faith Cranor, Norman Sadeh, and Florian Schaub. 2020. From Intent to Action: Nudging Users Towards Secure Mobile Payments. In Sixteenth Symposium on Usable Privacy and Security (SOUPS 2020). 379--415.Google Scholar
- Christian Stransky, Dominik Wermke, Johanna Schrader, Nicolas Huaman, Yasemin Acar, Anna Lena Fehlhaber, Miranda Wei, Blase Ur, and Sascha Fahl. 2021. On the Limited Impact of Visualizing Encryption: Perceptions of E2E Messaging Security. In Seventeenth Symposium on Usable Privacy and Security (SOUPS 2021). 437--454.Google Scholar
- Rick Wash and Molly M Cooper. 2018. Who provides phishing training? facts, stories, and people like me. In Proceedings of the 2018 chi conference on human factors in computing systems. 1--12.Google ScholarDigital Library
- Thomas L Webb and Paschal Sheeran. 2006. Does changing behavioral intentions engender behavior change? A meta-analysis of the experimental evidence. Psychological bulletin 132, 2 (2006), 249.Google Scholar
- C Douglas Wetzel, Paul H Radtke, Hervey W Stern, Jan Dickieson, and JC McLachlan. 1993. Review of the effectiveness of video media in instruction. Technical Report. NAVY PERSONNEL RESEARCH AND DEVELOPMENT CENTER SAN DIEGO CA.Google Scholar
- Kim Witte. 1996. Fear as motivator, fear as inhibitor: Using the extended parallel process model to explain fear appeal successes and failures. In Handbook of communication and emotion. Elsevier, 423--450.Google Scholar
- Kim Witte and Mike Allen. 2000. A meta-analysis of fear appeals: Implications for effective public health campaigns. Health education & behavior 27, 5 (2000), 591--615.Google Scholar
- Affan Yasin, Lin Liu, Tong Li, Rubia Fatima, and Wang Jianmin. 2019. Improving software security awareness using a serious game. IET Software 13, 2 (2019), 159--169.Google ScholarDigital Library
- Azma Alina Ali Zani, Azah Anir Norman, and Norjihan Abdul Ghani. 2018. A Review of Security Awareness Approach: Ensuring Communal Learning. (2018).Google Scholar
- Leah Zhang-Kennedy, Sonia Chiasson, and Robert Biddle. 2014. Stop clicking on "update later": Persuading users they need up-to-date antivirus protection. In International Conference on Persuasive Technology. Springer, 302--322.Google ScholarDigital Library
- Leah Zhang-Kennedy, Sonia Chiasson, and Robert Biddle. 2016. The role of instructional design in persuasion: A comics approach for improving cybersecurity. International Journal of Human-Computer Interaction 32, 3 (2016), 215--257.Google ScholarCross Ref
Index Terms
- "Why would Someone Hack Me out of Thousands of Students": Video Presenter's Impact on Motivating Users to Adopt 2FA
Recommendations
The Effectiveness of Video Messaging Campaigns to Use 2FA
HCI for Cybersecurity, Privacy and TrustAbstractFor exploring messaging campaigns that motivate users to adopt a new security behavior and affect their security decisions, we designed different informational videos asking users to adopt Duo Two-Factor Authentication (2FA) on their university ...
Determinants of users' intention to adopt wireless technology: An empirical study by integrating TTF with TAM
This paper reported the results of a survey study and provided evidences of empirically testing a model that integrates both technology acceptance model (TAM) and task-technology fit (TTF) model in understanding the determinants of users' intention to ...
Factors affecting university students' intention to adopt e-learning systems: a case study in Jiujiang University
E-learning has many advantages, but many university students have never used e-learning systems. Therefore, it is necessary to study the factors of intention to adopt e-learning systems. In this paper, samples are collected from students of Jiujiang ...
Comments