For everyday people, security advice is confusing, boring, and ever changing. In response, we’ve developed what essentially are superstitious habits — theatrical, security-flavoured actions that we repeat in hopes of protecting ourselves from “the hackers”.
There are two big problems here. First, how do we effectively communicate relevant security advice to non-experts? And secondly, is that advice even persuasive enough to encourage real behavioural change? What kind of advice should we be conveying, and to whom?
In this talk we cover why everyday people don’t follow security advice. To help us come up with some solutions, we introduce concepts from behavioural design, psychology and medicine. And I put the theory to the test by trialing some unconventional ways of communicating security to the masses.