Economics and Behavior Allan Fong CMSC 818D April 30, 2015 - - PowerPoint PPT Presentation

Economics and Behavior

Allan Fong CMSC 818D April 30, 2015

Decision making Economics Privacy and Security application What can be done

Decision making Economics Privacy and Security application What can be done

WHY DID YOU DO THAT?

Maslow's Hierarchy of Needs

http://commons.wikimedia.org/wiki/File:Maslow%27s_Hierarchy_of_Needs.svg

Intrinsic motivation vs Extrinsic motivation

Intrinsic motivation vs Extrinsic motivation

http://www.conciselearning.com/firstyearexperience.html

Intrinsic motivation vs Extrinsic motivation

http://valorconnection.com/6-tips-on-how-to-build-a-super-secure-password/

Other behavior model/theories

• Hawthorne effect
• Group think
• Anchoring
• Confirmation bias

https://baltimoremanagement.wordpress.com/2011/07/10/the-hawthorne-effect/

Other behavior model/theories

• Hawthorne effect
• Group think
• Anchoring
• Confirmation bias

http://whatisitwellington.com/2012/10/02/groupthink-the-murderer-of-innovation- how-to-recognise-and-avoid-it/

Other behavior model/theories

• Hawthorne effect
• Group think
• Anchoring
• Confirmation bias

http://posterng.netkey.at/esr/viewing/index.php?module=viewing_poster&task=vie wsection&pi=121372&ti=398218&searchkey=

Other behavior model/theories

• Hawthorne effect
• Group think
• Anchoring
• Confirmation bias

http://1.bp.blogspot.com/-Hd4lm-a4rK8/T Farside comics

Asymmetric information Hyperbolic time discount

Wang et al, 2014

Asymmetric information Hyperbolic time discount

http://www.someecards.com/

Intuition Reasoning

Wang et al, 2014

Decision making Economics Privacy and Security application What can be done

Economic model for “rational” decision making

Herley, 2009

Economic models

• Game Theory
• Symmetric vs Asymmetric games
• Zero-sum vs non-zero-sum games

Adopted from: http://en.wikipedia.org/wiki/Game_theory

Stag and the Hare

• Tracking a stag, stag can be shared by all, need everyone to cooperate and hiding
• Waiting for stag (it will come but not sure how long)
• Day passes
• Hares appear…

Adopted from: http://en.wikipedia.org/wiki/Game_theory

http://commons.wikimedia.org/wiki/File:Red_Deer_Stag_-_Flickr.jpg http://www.thehoneybeeandthehare.com/anthology-of-hares/

Aggregate Benefit vs Individual Benefit

Adopted from: http://en.wikipedia.org/wiki/Game_theory

http://commons.wikimedia.org/wiki/File:Red_Deer_Stag_-_Flickr.jpg http://www.thehoneybeeandthehare.com/anthology-of-hares/

Prisoner’s dilemma (symmetric)

Two members of a criminal gang are arrested and imprisoned. Each prisoner is in solitary confinement with no means of speaking to or exchanging messages with the

• ther. The prosecutors do not have currently enough evidence to convict the pair on the

principal charge. Each prisoner is given the opportunity either to: betray the other by testifying that the other committed the crime (for a lesser sentence), or remain silent. Adopted from: http://en.wikipedia.org/wiki/Game_theory

Prisoner’s dilemma (symmetric)

Two members of a criminal gang are arrested and imprisoned. Each prisoner is in solitary confinement with no means of speaking to or exchanging messages with the

• ther. The prosecutors do not have currently enough evidence to convict the pair on the

principal charge. Each prisoner is given the opportunity either to: betray the other by testifying that the other committed the crime (for a lesser sentence), or remain silent. Here is the offer: If A and B each betray the other, each of them serves 2 years in prison If A betrays B but B remains silent, A will be set free and B will serve 3 years in prison (and vice versa) If A and B both remain silent, both of them will only serve 1 year in prison (on the lesser charge) Adopted from: http://en.wikipedia.org/wiki/Game_theory

Prisoner’s dilemma (symmetric)

Two members of a criminal gang are arrested and imprisoned. Each prisoner is in solitary confinement with no means of speaking to or exchanging messages with the

• ther. The prosecutors do not have currently enough evidence to convict the pair on the

principal charge. Each prisoner is given the opportunity either to: betray the other by testifying that the other committed the crime (for a lesser sentence), or remain silent. Here is the offer: If A and B each betray the other, each of them serves 2 years in prison If A betrays B but B remains silent, A will be set free and B will serve 3 years in prison (and vice versa) If A and B both remain silent, both of them will only serve 1 year in prison (on the lesser charge) Adopted from: http://en.wikipedia.org/wiki/Game_theory Cooperate Defect Cooperate 2,2 0,3 Defect 3,0 1,1

Decision making Economics Privacy and Security application What can be done

Total Cost

Herley, 2009

Total Benefit

Total Cost

Herley, 2009

Total Benefit Direct vs Indirect

Total Cost

Herley, 2009

Total Benefit

Length Composition Dictionary membership Don’t Write it Down Don’t Share it with anyone Change it often Don’t reuse passwords Potential? Any? Evidence?? Keyloggers, brute force, etc.

Password Rules

Total Cost

Herley, 2009

Total Benefit

Numeric IP Address-bar typos Incorrect top-level domains Host rather than path Punctuation Right to left domains User benefit vs institution benefits (banks) Close to zero benefit for Users

“Phishing” Rules

Total Cost

Herley, 2009

Total Benefit

Understand SSL and how to check Check for a certificate Almost all cert errors are false positives

Certificate Error Rules

http://www.paintsquare.com/blog/?fuseaction=view&blogID=166

Recommendations

• Better understand of actual harm
• User education of cost on system/population
• Get rid of irrelevant advice
• Prioritize advice

… “rational” rejection of security advice by users

Herley, 2009

Ultimatum game (asymmetric)

You and Lisa are playing a game. An experimenter puts 100 one dollar bills on a table in front of them. Lisa can divide the money between herself and you however she

• chooses. You then decides whether to accept her division, in which case each keeps the

money as Lisa divided it, or to reject the division, in which case neither receives any money. For example, Lisa divides the money into one stack worth 65 dollars and one worth 35

• dollars. She offers the smaller amount to you. If you accepts, you keeps 35 dollars and

Lisa keeps 65 dollars. If you rejects the division, neither you nor Lisa receive anything. What would you do? Adopted from: http://en.wikipedia.org/wiki/Game_theory

Ultimatum game (asymmetric)

Will you accept if accept if…. Adopted from: http://en.wikipedia.org/wiki/Game_theory

Ultimatum game (asymmetric)

Will you accept if accept if…. If you are acting “rationally”, you should accept any division in which Lisa offers you at least one dollar, since doing so leaves you with more money than you would have had

• therwise.

Adopted from: http://en.wikipedia.org/wiki/Game_theory

Ultimatum game (asymmetric)

Will you accept if accept if…. If you are acting “rationally”, you should accept any division in which Lisa offers you at least one dollar, since doing so leaves you with more money than you would have had

• therwise.

Even a division which gives Lisa 100 dollars and you zero it costs you nothing, so you have no purely rational reason to reject it. Adopted from: http://en.wikipedia.org/wiki/Game_theory

Ultimatum game (asymmetric)

Will you accept if accept if…. If you are acting “rationally”, you should accept any division in which Lisa offers you at least one dollar, since doing so leaves you with more money than you would have had

• therwise.

Even a division which gives Lisa 100 dollars and you zero it costs you nothing, so you have no purely rational reason to reject it. If Lisa knows that you will act rationally, and if she acts rationally herself, then she should offer you one dollar and keep 99 for herself. Adopted from: http://en.wikipedia.org/wiki/Game_theory

Ultimatum game (asymmetric)

Will you accept if accept if…. If you are acting “rationally”, you should accept any division in which Lisa offers you at least one dollar, since doing so leaves you with more money than you would have had

• therwise.

Even a division which gives Lisa 100 dollars and you zero it costs you nothing, so you have no purely rational reason to reject it. If Lisa knows that you will act rationally, and if she acts rationally herself, then she should offer you one dollar and keep 99 for herself. In practice, divisions which you regards as unfair are generally rejected. Adopted from: http://en.wikipedia.org/wiki/Game_theory

“rational” or “not rational”

• Driving a car to school if you live 2 blocks

away.

• Spending $4 for coffee at a coffee bar over

$1.50 at CyberCafe.

• Leaving your laptop in your car while

shopping.

• Posting your telephone number on-line.

http://yalt.crcna.org/lost-dogs-and-lost-people/

Decision making Economics Privacy and Security application What can be done

Can you please change?

http://www.dnainfo.com/new-york/20150227/greenwich-village/burglars-target- village-residents-who-leave-doors-unlocked-police-say

Interventions

• Training/Education
• Checklist
• Separation
• Prevention
• Exclusion

Interventions

• Training/Education
• Checklist
• Separation
• Prevention
• Exclusion

Interventions

• Training/Education
• Checklist
• Separation
• Prevention
• Exclusion

Interventions

• Training/Education
• Checklist
• Separation (Time/Space)
• Prevention
• Exclusion

http://www.appszoom.com/android_games/casual/do-not-press-the-red-button_bshsp.html

Interventions

• Training/Education
• Checklist
• Separation (Time/Space)
• Prevention
• Exclusion

http://www.appszoom.com/android_games/casual/do-not-press-the-red-button_bshsp.html

Interventions

• Training/Education
• Checklist
• Separation (Time/Space)
• Prevention
• Exclusion

http://www.appszoom.com/android_games/casual/do-not-press-the-red-button_bshsp.html

Interventions

• Training/Education
• Checklist
• Separation
• Prevention
• Exclusion

https://hslnews.wordpress.com/category/library-hours/

Interventions

• Training/Education
• Checklist
• Separation
• Prevention
• Exclusion

Interventions

• Training/Education
• Checklist
• Separation
• Prevention
• Exclusion

STRONG PASSWORDS?

Nudges…

Acquisti, 2009 Wang et al, 2014

Nudges…

“soft or asymmetric paternalism… [to] enhance individual choice to increase individual or societal welfare”

Acquisti, 2009 Wang et al, 2014

Wang et al, 2014

Audience Nudge Timer Nudge Audience + Timer Nudge

Wang et al, 2014

Method

• Audience+timer nudge
• 28 Facebook users (2013, Craigslist)
• 6-week field trial

– 3 weeks “control period” – Mid-term survey – 3 weeks “treatment period” – Final survey

• Recruitment priming?
• Counterbalancing?

Wang et al, 2014

Metrics/Results

• Metrics

– Hovering over profile pictures – Clicking Post Now – Clicking Edit – Clicking Cancel – Privacy Settings changes – Interaction Over time

• 5 Descriptive groups

Wang et al, 2014

Metrics/Results

• Metrics

– Hovering over profile pictures – Clicking Post Now – Clicking Edit – Clicking Cancel – Privacy Settings changes – Interaction Over time

• 5 Descriptive groups

Positive Attitude Negative Attitude Frequent Interactions “eye opener” Time delay helpful Canceled and edited Technical problems “Didn’t care” Often regrets Limited Interactions Good for someone else “seeing… pictures made me rethink…” “I was impatient” Didn’t care hawthorne Indifferent Not enough exposure Problems posting

Wang et al, 2014

Metrics/Results

• Metrics

– Hovering over profile pictures – Clicking Post Now – Clicking Edit – Clicking Cancel – Privacy Settings changes – Interaction Over time

• 5 Descriptive groups

Positive Attitude Negative Attitude Frequent Interactions “eye opener” Time delay helpful Canceled and edited Technical problems “Didn’t care” Often regrets Limited Interactions Good for someone else “seeing… pictures made me rethink…” “I was impatient” Didn’t care hawthorne Indifferent Not enough exposure Problems posting

Wang et al, 2014

Metrics/Results

• Metrics

– Hovering over profile pictures – Clicking Post Now – Clicking Edit – Clicking Cancel – Privacy Settings changes – Interaction Over time

• 5 Descriptive groups

Positive Attitude Negative Attitude Frequent Interactions “eye opener” Time delay helpful Canceled and edited Technical problems “Didn’t care” Often regrets Limited Interactions Good for someone else “seeing… pictures made me rethink…” “I was impatient” Didn’t care hawthorne Indifferent Not enough exposure Problems posting

Wang et al, 2014

Metrics/Results

• Metrics

– Hovering over profile pictures – Clicking Post Now – Clicking Edit – Clicking Cancel – Privacy Settings changes – Interaction Over time

• 5 Descriptive groups

Positive Attitude Negative Attitude Frequent Interactions “eye opener” Time delay helpful Canceled and edited Technical problems “Didn’t care” Often regrets Limited Interactions Good for someone else “seeing… pictures made me rethink…” “I was impatient” Didn’t care hawthorne Indifferent Not enough exposure Problems posting

Wang et al, 2014

Metrics/Results

• Metrics

– Hovering over profile pictures – Clicking Post Now – Clicking Edit – Clicking Cancel – Privacy Settings changes – Interaction Over time

• 5 Descriptive groups

Positive Attitude Negative Attitude Frequent Interactions “eye opener” Time delay helpful Canceled and edited Technical problems “Didn’t care” Often regrets Limited Interactions Good for someone else “seeing… pictures made me rethink…” “I was impatient” Didn’t care hawthorne Indifferent Not enough exposure Problems posting

Wang et al, 2014

Metrics/Results

• Metrics

– Hovering over profile pictures – Clicking Post Now – Clicking Edit – Clicking Cancel – Privacy Settings changes – Interaction Over time

• 5 Descriptive groups

Positive Attitude Negative Attitude Frequent Interactions “eye opener” Time delay helpful Canceled and edited Technical problems “Didn’t care” Often regrets Limited Interactions Good for someone else “seeing… pictures made me rethink…” “I was impatient” Didn’t care hawthorne Indifferent Not enough exposure Problems posting

Implications

• Intrusiveness of the nudge
• Some users will not like “being watched”
• User control or customization of nudges
• Usable and reliable
• Difficult to evaluate

Wang et al, 2014

Decision making Economics Privacy and Security application What can be done

http://commons.wikimedia.org/wiki/File:Maslow%27s_Hierarchy_of_Needs.svg

Prisoner’s Dilemma

Thank you