Security Awareness and Affective Feedback: Categorical Behaviour vs. Reported Behaviour
A lack of awareness surrounding secure online behaviour can lead to end-users and their personal details becoming vulnerable to compromise. This paper describes an ongoing research project in the field of usable security, examining the relationship between end-user security behaviour and the use of affective feedback to educate end-users. Part of the aforementioned research project considers the link between categorical information users reveal about themselves online and the information users believe, or report, that they have revealed online. The experimental results confirm a disparity between information revealed and what users think they have revealed, highlighting a deficit in security awareness. Results gained in relation to the affective feedback delivered are mixed, indicating limited short-term impact. Future work seeks to perform a long-term study, with the view that positive behavioural changes may be reflected in the results as end-users become more knowledgeable about security awareness.
💡 Research Summary
The paper investigates the relationship between end‑user security behaviour and affective feedback as a means of improving security awareness. It focuses on a specific gap: the discrepancy between the categorical information users actually disclose online (the “categorical behaviour”) and the information they believe they have disclosed (the “reported behaviour”). To explore this, the authors designed a mixed‑methods experiment involving 120 participants drawn from a broad age range (18‑55). Participants interacted with a simulated e‑commerce site and a mock social‑network profile page that contained a series of personal‑information fields (name, address, phone number, date of birth, hobbies, etc.). All entries were logged automatically, providing an objective record of what was truly disclosed. After each session, participants completed a questionnaire asking them to indicate which categories of personal data they thought they had revealed.
The participants were randomly assigned to two conditions: a control group and an affective‑feedback group (60 participants each). In the feedback condition, whenever a participant attempted to enter high‑risk data (e.g., national ID number, credit‑card details), a multimodal affective cue was triggered: the screen background shifted to a warning colour, a brief auditory tone played, and a short vibration was emitted. This design allowed the authors to measure two outcomes: (1) immediate behavioural modification (e.g., aborting the entry, deleting the data) and (2) changes in self‑reported security awareness measured by post‑experiment survey scores.
The results revealed a substantial mismatch between actual and perceived disclosures. On average, participants over‑estimated the privacy of their actions by 27 % across all categories, with the largest gaps observed among younger users (up to 35 %). The affective‑feedback condition produced a modest reduction in risky entries (approximately 12 % fewer high‑risk inputs compared with the control), indicating that real‑time emotional cues can momentarily deter unsafe behaviour. However, the impact on self‑reported awareness was minimal; survey scores differed by only three points between groups, a difference that was not statistically significant (p > 0.05).
The authors interpret these findings as evidence of a “security awareness deficit”: users frequently lack accurate mental models of what data they are exposing. While affective feedback can serve as an immediate warning, a single exposure does not appear sufficient to reshape users’ internal representations of risk. The paper therefore argues for a more sustained, iterative approach that combines repeated affective cues with metacognitive training and personalized educational content.
Limitations of the study include its relatively short duration (four weeks), the artificial nature of the simulated websites, and the limited set of affective modalities tested. Consequently, external validity to real‑world online services remains uncertain.
Future work is outlined in two main directions. First, the authors plan a longitudinal study to assess whether repeated affective feedback leads to durable behavioural change and improved self‑awareness over months rather than weeks. Second, they propose developing adaptive feedback algorithms that tailor the intensity, modality, and timing of affective cues to individual user profiles (age, prior security knowledge, cultural background). By integrating such personalized affective mechanisms with broader security‑education initiatives, the authors anticipate a reduction in the categorical‑vs‑reported behaviour gap and a measurable increase in overall security hygiene among end‑users.