CR, CY, HC | Aug 24, 2018

"Should I Worry?" A Cross-Cultural Examination of Account Security Incident Response

arXiv:1808.08177v3 | 53 citations
Originality: Synthesis-oriented
AI Analysis

This work addresses the problem of understanding user behavior during security incidents for developers and researchers, though it is incremental as it builds on prior mental models research.

The study investigated how users respond to real-world account security incidents by conducting qualitative interviews with 67 participants from five countries who experienced suspicious logins on Facebook, finding a common response process and identifying areas for technical improvements to enhance user security.

Digital security technology is able to identify and prevent many threats to users' accounts. However, some threats remain that, to provide reliable security, require human intervention: e.g., through users paying attention to warning messages or completing secondary authentication procedures. While prior work has broadly explored people's mental models of digital security threats, we know little about users' precise, in-the-moment response process to in-the-wild threats. In this work, we conduct a series of qualitative interviews (n=67) with users who had recently experienced suspicious login incidents on their real Facebook accounts in order to explore this process of account security incident response. We find a common process across participants from five countries -- with differing online and offline cultures -- allowing us to identify areas for future technical development to best support user security. We provide additional insights on the unique nature of incident-response information seeking, known attacker threat models, and lessons learned from a large, cross-cultural qualitative study of digital security.
