Personal responsibility for Internet safety: What O'Reilly is doing
by Andy Oram
As security experts routinely say, the big challenges are more psychological than technical. One of the findings in the article, "Promoting Personal Responsibility for Internet Safety," by LaRose et al., demonstrates this point in regard to fear, the pervasive motivator for installing virus scanners and adopting safe surfing habits. Here's the problem: if people start out indifferent about security, or unconfident that they can do something about it, fear can actually decrease protective actions. The authors' experiment produces a different relationship from the relationships found in the other articles they cite, but they conclude: "without knowing the level of risk perceived by each individual threatening messages have the potential to discourage safe behavior." (Emphasis in original.)
As a solution, the authors recommend building what they call "self-efficacy": the users' belief that they can protect themselves. This requires education and assurances (but not unrealistic assurances). Self-efficacy is not the same as technical skill, but is certainly related. As the article states:
Another point in the article is that education can fall on deaf ears if the learners don't acknowledge personal responsibility for security. Frustratingly enough, the authors found that urging people to take responsibility might actually make things worse. People who possess some interest and skill (measured in ways not made clear in the article) increased their protective behaviors in response to such browbeating, but those who started out indifferent and uneducated reacted quite negatively; their protective behaviors decreased.
Fear is most likely to work if the threat information is coupled with information about how to cope with them, since the coping information raises self-efficacy.
There are several other subtle points in the article (which of course represents only a few studies out of many in the field), but I think that what I've summarized so far backs up the goal of Hackerteen. The purpose of the book, as I've thought of it during the editing process, is threefold:
- To get young people interested in computer and Internet technology, teachin\g them some facts along the way
- To teach users precautions for protecting themselves online
- To promote ethical behavior
Our presentation should fit the psychology of our mission. First, we provide an exciting story, presented with gorgeously colored graphics, to disarm the readers' recalcitrance about facing security problems. Security becomes fun, and therefore something worth getting to know better. If the novel stimulates learning, it will stimulate self-efficacy, and the novel's strong message about personal responsibility can also take hold.
The typical psychology of comic books is all about sublimating fears and worries about adolescent potency--most of all, fears about facing the dark side of one's own strong feelings and power. This psychology comes to the fore in Hackerteen, as the principal character Yago discovers his own power for both good and ill, and has to deal with the consequences of the use of that power. It's a good story with a good message, and one I hope will bring joy as well as empowerment to a new generation.