
Ideals and reality: Adopting secure technologies and developing secure habits to prevent message disclosure

Posted on: 2010-03-31
Degree: Ph.D
Type: Thesis
University: Princeton University
Candidate: Gaw, Shirley
Full Text: PDF
GTID: 2448390002976921
Subject: Computer Science
Abstract/Summary:
Development of security technologies tends to ignore difficulties with deployment in the real world. One research approach for improving adoption of secure practices and technologies is improving the usability of security technologies; however, this belies the underlying need to understand people's practices and the non-technical factors influencing adoption.

In this thesis, I examine the problems users face when adopting secure practices and technologies in the real world, with a focus on preventing message disclosure. I first examine individuals' adoption of secure practices with respect to the management of passwords for online authentication with a survey of undergraduates. Next, I consider group adoption of a security technology, namely encrypted e-mail for group discussions. I consider the latter issue from two perspectives. The first perspective investigates user experiences with an existing technology via interviews with employees at an activist group who were highly motivated to protect the secret information of their employer. The second perspective investigates a redesign of secured communication of encrypted e-mail for group discussion with a web application.

Often the issues faced by users are not purely issues of increasing or decreasing the level of security theoretically attainable. Adoption is attenuated by convenience (in the case of password reuse) and stigmatization of secure practices (in the case of social meaning attached to usage of encrypted e-mail). People's models of security attacks could be more sophisticated than previously thought; for example, many survey participants understood that randomness in the construction of a password increased resistance to guessing attacks. At the activist group, people understood that encryption could protect messages against eavesdropping and seemed ready to use the technology for organizational secrets.

The challenge for researchers in the development of secure technologies is how to encourage security adoption by novel users while pragmatically increasing the level of security achieved in the real world. I present the EMBLEM (Encrypted Message Board with Lists for E-Mail) system as an example of how one could accommodate the needs of a specific group of users to encourage use in borderline cases, where the need for increased security is not obvious or the population of users is lightly connected together. I presented this system to two groups of people, one group with no experience with encrypted e-mail and one group with extensive security knowledge. While the technology itself seemed usable for novices, one concern was that using the technology was an unnecessary step. In contrast, those fastidiously practicing security seemed more dubious of adopting a system that increased usability or supported heterogeneous groups but provided fewer assurances of end-to-end protections. Finding a balance between these groups of users remains a challenging problem.

I frame the findings of this dissertation with an analogy to sociologist Howard Becker's work on deviant careers. Adopting secure practices can be a departure from accepted normalized practice. Understanding the factors influencing adoption of deviant practices, particularly the vital role of social networks in creating a desirability to adopt deviant practices, can illuminate the rationale behind adoption and non-adoption of technically secure, but socially stigmatized practices. I further argue that more work encouraging desirability to adopt secure practices, and more generally work understanding real world deployment issues of security technologies, is a necessary future for progress in the field.
Keywords/Search Tags:Technologies, Real, Security, Secure, Adoption, Message, Encrypted e-mail