Does security advice discriminate against women?

Security systems are often designed by geeks who assume that the users will also be geeks, and the same goes for the advice that users are given when things start to go wrong. For example, banks reacted to the growth of phishing in 2006 by advising their customers to parse URLs. That’s fine for geeks but most people don’t do that, and in particular most women don’t do that. So in the second edition of my Security Engineering book, I asked (in chapter 2, section 2.3.4, pp 27-28): “Is it unlawful sex discrimination for a bank to expect its customers to detect phishing attacks by parsing URLs?”

Tyler Moore and I then ran the experiment, and Tyler presented the results at the first Workshop on Security and Human Behaviour that June. We recruited 132 volunteers between the ages of 18 and 30 (77 female, 55 male) and tested them to see whether they could spot phishing websites, as well as for systematising quotient (SQ) and empathising quotient (EQ). These measures were developed by Simon Baron-Cohen in his work on Asperger’s; most men have SQ > EQ while for most women EQ > SQ. The ability to parse URLs is correlated with SQ-EQ and independently with gender. A significant minority of women did badly at URL parsing. We didn’t get round to publishing the full paper at the time, but we’ve mentioned the results in various talks and lectures.

We have now uploaded the original paper, How brain type influences online safety. Given the growing interest in gender HCI, we hope that our study might spur people to do research in the gender aspects of security as well. It certainly seems like an open goal!
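The advice the post criticises, "parse the URL", hides several steps that a careful reader does without noticing: find the host, ignore anything before an `@`, and compare the registrable domain (not just any label) against the bank's real domain. The script below is an added illustration, not code from the post or the paper, of what that check looks like when a program rather than a customer performs it. The bank domain `examplebank.com` and the sample URLs are constructed for the example, and `registrable_domain` is a deliberate simplification (last two labels) that would need the Public Suffix List to handle names like `.co.uk` correctly.

```python
from urllib.parse import urlsplit

# Constructed for this example: the domains the (hypothetical) bank really uses.
LEGITIMATE_DOMAINS = {"examplebank.com"}


def registrable_domain(host):
    """Return the last two labels of a hostname.

    Simplification: works for .com-style names only. Production code should
    consult the Public Suffix List so that 'bank.co.uk' is not reduced to 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    return ".".join(labels[-2:])


def classify_url(url):
    """Parse a URL the way a careful reader would and report what it finds.

    Returns a dict with the scheme, the host the browser will actually connect
    to, its registrable domain, whether there is a userinfo part before '@',
    a verdict, and the human-readable reasons behind that verdict.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""          # already lower-cased, brackets stripped
    reg = registrable_domain(host)
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None:
        # Everything before '@' is userinfo, not the host; naive readers stop
        # at the first familiar-looking name and miss the real destination.
        reasons.append("text before '@' is userinfo, the real host is %r" % host)
    if reg not in LEGITIMATE_DOMAINS:
        reasons.append("registrable domain %r is not a known bank domain" % reg)
    return {
        "scheme": parts.scheme,
        "host": host,
        "registrable_domain": reg,
        "has_userinfo": parts.username is not None,
        "looks_legitimate": not reasons,
        "reasons": reasons,
    }


# Constructed sample URLs: one genuine, three that look similar at a glance.
SAMPLE_URLS = [
    "https://www.examplebank.com/login",
    "https://examplebank.com.secure-login.example/",
    "http://www.examplebank.com@203.0.113.5/login",
    "https://example-bank.com/login",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        verdict = classify_url(url)
        print(url)
        print("  host=%s  domain=%s  legitimate=%s"
              % (verdict["host"], verdict["registrable_domain"], verdict["looks_legitimate"]))
        for reason in verdict["reasons"]:
            print("  -", reason)
```

Only the first URL passes; the second fails because the familiar name is merely a subdomain of `secure-login.example`, the third because the browser connects to `203.0.113.5` and treats `www.examplebank.com` as a username, and the fourth because a hyphen changes the registrable domain. Each of those distinctions is mechanical for a parser and easy to miss for a person, which is the post's point about who the advice actually serves.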

10 thoughts on “Does security advice discriminate against women?”

  1. The whole premise of this study, and the manner in which it was conducted and results reported, seem pretty sexist and somewhat offensive.

  2. Baron-Cohen’s choice of terminology is misleading and propagates sexism. By using terms such as ‘brain types’ Baron-Cohen appeals to the biological argument, that men’s and women’s brains are born differently, while his studies do not prove that. By choosing to adopt Baron-Cohen’s terminology in your paper you are propagating gender bias and feeding sexism. In your study you could do a better job than Baron-Cohen at acknowledging the role of gender bias instead of focusing on ‘brain types’.

  3. I must say I am not totally convinced by Baron-Cohen’s research. His acceptance of Asperger Syndrome (AS) in his early work shows a lack of understanding of the history of autism and confusion about the condition.

    He claims in his Nature review of Edith Sheffer’s book ‘Asperger’s Children: the Origin of Autism in Nazi Vienna’ (1), that “none of us was aware of Hans Asperger’s active support of the Nazi programme”. Papers that were published on any psychiatric or learning difficulty condition by any psychiatrist working in Vienna during WWII should at best be treated as being highly suspect.

    Baron-Cohen contributed to the confusion over AS and autism with his ‘test’ for AS. Fortunately AS had a short life (2), although his wretched little test still haunts autism. (3) His books, ‘The Essential Difference: The Truth about the Male and Female Brain’ (2003) and ‘The Essential Difference: Male and Female Brains and the Truth About Autism’ (2004), have misleading titles. Books that use thin evidence, questionable and false methodologies to advance speculative theories about the complexities of the human brain and/or mind should never claim to be the ‘truth’. (I’m minded of the last paragraph of Wittgenstein’s ‘Philosophical Investigations’ – but let’s not go down that particular rabbit hole.) Nor indeed should they make the prediction that “we can be confident that genes controlling empathising and systemising will be identified.”

    Obviously there are differences between male and female brains and minds, but Baron-Cohen’s work does little to throw any new light upon the issue and any differences between the sexes in your research into phishing cannot be attributed to his theory that S, E and B brain types are ‘hard-wired’. (What happened to the ‘B types’ in your research?) We should not, as Baron-Cohen does, repeat the mistakes of the 19th and early 20th centuries by claiming statistical methods can reliably identify ‘essential’ genetic determinism at the level and precision he claims for his theory. There may be differences between the *some* men and women when it comes to spotting phishing that could perhaps be mitigated by good HCI design. However, I think we should continue to exhaust the social and behavioural explanations for these differences *before* shifting the problem to ‘hard-wiring’.

    (1) https://www.nature.com/articles/d41586-018-05112-1
    (2) https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4725185/
    (3) https://www.aspergerstestsite.com/75/autism-spectrum-quotient-aq-test/

  4. My gut feel after doing the work was that we’d probably better leave follow-on work to female colleagues, and these comments simply confirm that. No matter how well intentioned a piece of research in this area, and no matter how relevant the results might be for treating most customers better, there will always be people who complain. As it happens, the statistics we collected showed that there was gender bias independently of SQ-EQ bias, and I take no view on how much of the gender difference is due to nature and how much to nurture. Given that the proportion of women doing computer science degrees ranges from a sixth in the UK to a third in Romania and almost half in India, nurture certainly accounts for a good chunk of whatever difference there is. My argument is simply that if some of the population do think differently, for whatever reason, we should not design systems that put them at a disadvantage.

    A separate issue is the recent religious war among psychologists to eliminate the diagnosis of Asperger’s Syndrome (AS) and replace it with high-functioning autism spectrum disorder (HFA). There are two points to make here.

    First, when we did the work in 2007–8, AS was the standard diagnosis and it was unproblematic. When Tyler presented the paper at MIT at the first Workshop on Security and Human Behavior, none of the objections you make were raised. Nobody was bothered back then.

    Second, there’s an issue of neurodiversity rights. Many of us computer scientists are on the spectrum to some extent, and we have kids or grandkids who are too, as well as the kids of friends and neighbours. As your reference [2] points out, this reclassification is not accepted by many in the neurodiversity community and if we continue to describe ourselves as AS rather than HFA, then you’ll just have to live with that, or you’re being rather rude.

    And if there’s some reasonable prospect that Simon’s research might help people live better lives then that’s great. If he can find genes linked to AS then that will be significant both scientifically and politically, just as the Dutch twin study was significant for gay rights. If he doesn’t find such a gene, no doubt you’ll be happy, but if he does, then even if you won’t change your mind, the next generation will…

    1. Firstly let me address some possible confusion. My concern is that your paper stated, ‘[w]e argue that some people are better wired to accurately process the warnings presented to them’ and you immediately went on to say you were following ‘a personality test developed by the psychologist Simon Baron-Cohen’. I therefore assumed that you were accepting Baron-Cohen’s theory that the bias is ‘hard-wired’, i.e., heritable. (I may be wrong about this as the word ‘wired’ is occasionally used to suggest a condition resulting from continuous reinforcement and such like.) The heritability of autism spectrum disorders has been poorly studied and is fraught with difficulties. (1) That is not to say the condition is not heritable, but the issue gets increasingly more complex as we move towards the higher functioning end of the spectrum because it becomes easier to speculate and confuse matters by importing social stereotypes, e.g., male systematisation, female empathy, male/female brain types, etc. (2) As you say in your post that you ‘have no view on how much of the gender difference is due to nature and how much to nurture’, I hope we can agree that the aetiology of any gender bias and indeed HFA/AS is, to say the least, complex and confusing.

      It is some thirty years since I was part of a team that was developing the first community care in the NHS for people with learning difficulties and challenging behaviour. We actively encouraged these people to develop their own individual and group identities, but we did not encourage inappropriate “medicalised” identities. (3) I still fully support groups discovering their own identity but would prefer it not to be overly influenced by medicalisation. AS is an example of a medicalised identity that has its supporters who are of course at liberty to describe themselves as having AS. But equally I and others are at liberty to question why they identify themselves with a man who was engaged in the Nazis’ Aktion T4, whose work was derivative, and whose eponymous syndrome has such a complex and confused aetiology and diagnosis. (4)

      As I said previously, I think Asperger’s 1944 paper should have been critically assessed before it became the basis for a ‘syndrome’ in the 1980s (5) and further developed by Baron-Cohen. However, much to his credit, Baron-Cohen no longer uses AS but does accept that there are others who choose to do so. He has also gone to great lengths to support the findings of Edith Sheffer and Herwig Czech (6), and believes ‘that the value of Czech’s scholarship is that it establishes the necessary evidentiary framework for future discussion.’ I think we can all agree to that. (7)

      You end your post with, ‘[i]f he [Baron-Cohen] doesn’t find such a gene, no doubt you’ll be happy, but if he does, then even if you won’t change your mind, the next generation will…’ Again, I must make it clear that I am not saying that a “condition” that can be described as being HFA/AS is not at least in part heritable. I say ‘in part’ because it is highly unlikely that we would find one gene or even a number of genes that ‘cause’ HFA/AS because it is so large and too ill defined, for, as Baron-Cohen says in his Nature review, autistics are very heterogeneous (this is similar to the age old systems theory problem). Obviously there are genetic differences between men and women, but to say the devil is in the detail would be an understatement. If we can resolve these problems, we may indeed arrive at somewhere like the so-called gay genes position, and if we do I will be cautiously happy (there are the genetic engineering issues to be considered).

      I am not sure what you mean by ‘but if he does [find genes], then even if you won’t change your mind, the next generation will….’ The fact that I (and others like Lesley Rogers) are critical of a methodology and evidence, that we believe seeks genetic explanations and constructs theories for very complex human cognition and behaviour *before* exhausting social and behavioural explanations, does not mean for a moment we are excluding heritability.

      (1) https://pdfs.semanticscholar.org/1ff1/3fd46798a120376a3afbdec4f5ce608c8cfe.pdf
      (2) These issues are increasingly becoming the subject of philosophical discourse. With perfect timing, Riana Betzler is giving paper entitled ‘Follow The Measures: Conceptualization, Measurement, and Interdisciplinarity in the Science of Empathy’, at the Dept. of History and Philosophy of Science, Free School Lane, Cambridge, on the 8th May, 1-2.30pm.
      (3) I have worked intermittently in both mental health and learning difficulties since the 1960s and have therefore been able to track medicalisation and its critics. But that is about as much as I can say about it here.
      (4) I should add that both Deborah and I, plus some of our relatives and friends, have taken Baron-Cohen’s ‘test’ and have mostly been diagnosed as having AS. Not possible to go into the details as to why his test produces so many false positives, but, as has been the case for over a century, it has much to do with what and how we define “normal”.
      (5) Lora Wing cautioned that the people she described ‘had problems of adjustment or superimposed psychiatric illnesses’ in her ‘Asperger’s syndrome: a clinical account’, (1981). Again, complex and confused. https://www.ncbi.nlm.nih.gov/pubmed/7208735
      (6) In the editorial of ‘Molecular Autism’, 2018, 9:28, Baron-Cohen, et al, give their support to Czech’s research that appears in the same edition. https://molecularautism.biomedcentral.com/articles/10.1186/s13229-018-0209-5 https://molecularautism.biomedcentral.com/articles/10.1186/s13229-018-0208-6
      (7) I would like to go further and have a discussion on the history and foundations of disciplines like psychology, psychiatry, biology, genetics, statistics and probability, etc. (With my ‘philosophy of IT’ hat on as well, I would also like those in machine learning and so-called AI to become acquainted with the foundations of statistics and probability.)

  5. Is it surprising that nobody’s done any more real research on how gender HCI may affect security?

    But it doesn’t really make sense to say that if X is affected by variables of type A and of type B, then all of the former should be exhausted before any of the latter are investigated. Many geek couples have kids who’re not just on the spectrum but at the low-functioning or disabled end. Many of us know such families. The idea that we should spend decades studying 69 varieties of social theory before looking at the heredity of autism spectrum conditions is not just dogmatic, but inhumane.

    1. We appear to be going around in circles and going nowhere fast (it may be my fault as I am not nimble at typing on a phone). Again, there is nothing in anything I have said that hinders research into how HCI may affect security. Personality questionnaires can be used that may divide groups on gender lines so long as the researchers are careful about claiming the differences are ‘hard-wired’. Dispositions and abilities in tasks and skills like empathy, software engineering, knitting, cleaning, systemising, cooking, art, mathematics, leadership, etc., may show a gender divide and there may be a case for simplifying these results with classifications ‘like’ SQ and EQ. But as we know most of them are probably socially defined/learnt and have little to do with gender defining behavioural genes (there may of course be non-gender defining genes at play here). That does not mean that these differences cannot be studied within the context of HCI research so long as it is realised that today’s gender roles are not necessarily the same as those of the past, are culturally relative, etc. For example, what we now call software engineering was until the 1960s pretty much a female occupation (a point you acknowledge with your comment about ‘nurture’). We should also be wary in cases of sex-typical behaviour that might at first reasonably appear to have a genetic cause, for we should, as Celia Moore and Lesley Rogers have shown, take a closer look at the phenotype before making assumptions.

      When it comes to autism, none of this or anything I have said previously should result in, as you put it, ‘spend[ing] decades studying 69 varieties of social theory before looking at the heredity of autism spectrum conditions’. I have very little interest in ‘social theory’ in this context as I am only seeking to promote good empirical science. Perhaps you missed it, but I approvingly cited a paper that points out there is a surprisingly small amount of heritability research into autism and provided a good large population study. I said that the problem of heritability becomes far more complex as we move up the spectrum to HFA/AS because of the issues I outlined.

      Earlier I was also critical of Baron-Cohen’s claim that those working in autism and AS were unaware of Asperger’s links to T4, etc. I believe psychology researchers should have a greater awareness of the history of their science lest they repeat the mistakes of the past. (For sure I am a little biased because my own research covers the early 19th-century rise of statistics and subsequent development of eugenics to the present day and so-called ‘enhancement’. I have also had first-hand experience of working in the mistakes of the past.)

      None of this should lead to decades of delay in heritability research. By identifying that some dispositions and abilities in tasks and skills are probably socially acquired and learnt behaviour, we also increase the possibility that, so to speak, what remains may be heritable. This might mean some research projects take a little longer, but overall it may indeed increase the rate of research because it may provide greater certainty when identifying areas that may be predominately gene governed. (There is the issue of what we will do if and when we do find numerous behavioural genes. I am not sure it will benefit the majority with learning difficulties and mental health problems. But let us not go there.)

      You are quite at liberty to criticise and reject my approach as being over diligent, or perhaps that it over-emphasises the problem of importing bad science from the past, and so on and so forth. But that does not make me dogmatic, and the notion that I am inhumane is both ridiculous and more than a bit insulting.

      Anyway, I apologise for any confusion I may have caused. I have said and repeated myself far more than I expected on this bloody keyboard – so I will sign off and take my leave. OAO

  6. As someone who cares about equality, I suggest that the vitriol in some of the comments above is not a productive way to fix the world.

    The authors have done some science and identified two subsets of people that are worse at detecting phishing attacks in today’s browsers. (Table 1, page 5). The SQ score is not ‘wrong’: it is a measurement that happens to correlate well with detecting phish. I’m sure the scientific community would welcome further experiments that use a different personality score. Finding one that correlates better would count as progress.

    Perhaps this isn’t obvious outside of the software field, but when a user fails to use software to achieve a goal, we implicitly attribute that failure to the software. The anti-phish UI of current IE and Firefox appears to work better for some groups than others. Microsoft and Mozilla now know where they have a weakness, and can make sure that their UI testing includes a balance of these groups.

    What we are looking for is progress: when Firefox next works on this UI, they will be able to say things like: ‘Designs A and B both have a 91% anti-phish rate in testing but B doesn’t favor one group over another, therefore we go with B.’

    If that happens, then we’ve made a tiny bit of measurable progress toward a more equal society.

  7. Addressing how narrow preconceptions of the nature of security and privacy risks with associated risk communication can violate the Common Rule principles of beneficence and justice is valuable work. Too many people dismiss the issue or simply claim some ridiculous inherent superiority because they are interacting with a virtual world that is designed specifically for them. The underlying presumption that designing for one type of person fails to align with the needs of another type of person is the opposite of sexist. So, basically, this work by a couple of esteemed white guys addressing if gender matters is intended to address the need to design risk communication in a manner that addresses diversity.

    As an aside, the core problem is that phishing is a hideous technical failure masquerading as a user interaction issue. Requiring that people authenticate to the site but not that the site authenticate to the user in a meaningful comprehensible way is the core issue. Many people complained about this with the first TLS/PKI standard (me, Helen Nissenbaum, Bruce, Martin Abadi, Carl ….) but there was money to be made.

    The fundamental issue of addressing warnings as culturally embedded and therefore not an issue of “stupid users” is important. The narrowness of diversity in the design of systems and warnings means that not only the communications but also the conceptions of the underlying risks themselves can be hazardously wrong.

    Does this work ground the differences in biology or is it agnostic on nature/nurture? If the presentation were not agnostic over the nature/nurture issue I would have provided appropriate feedback at the time. I did not. It reads agnostic to me now, but I am sure any contributions about specific wording could be offered as improvements. Trying to extract measures free from bias and bigotry is difficult. Given how pervasive sexism is and has been in psychology and measures of human perception, finding a neutral unbiased measure is not easy.

    Ross, please do not take the “leave the study of ladies to the ladies” line, because this risks further isolating studies that take culture seriously as critical influences in secure systems design. There is a lack of research, and a need to try to make a difference. To mix my plays: Once more unto the breach… And damn’d be him that first cries, “Hold, enough!”

    Failing to reference my work in doing so is an issue I can directly address. 🙂 So here it is, addressing how warnings and systems designed by mostly young, male, technically engaged people fail the mostly female, technologically less experienced older adult community; how language influences passwords; and other cultural issues:
    http://www.ljean.com/publications.php#humans

    For me, I recently learned quite a bit about how the cultural constraints on women, and the very real threat of physical violence that enforces these, changes the way men and women interact with WhatsApp. Despite having done some reading and publishing on gender I have much to learn about how women in different cultural, economic, and personal situations manage their security and privacy risks.
    https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3391021

    Also arguing for a more empirical basis for examining how phishing works against whom remains an interest of mine. I would *love* funding for this if you want to work together. Are you going to be at SHB this year or is the current federal government too broken to allow you in?
    http://www.ljean.com/files/HICSS_Epidemiology.pdf

    But guys, seriously, if you think what is happening here is vitriol, I so wish I lived on your Internet…. It must be such a nice place.
