How "What you think you know about cybersecurity" can help users make more secure decisions

The increasing use of information technology artifacts in daily life makes security a shared responsibility of both users and companies. In recent years, increasing a user's objective (i.e., actual) security knowledge and providing applications with more secure default settings appear among the most ubiquitous tools companies use to broaden their efforts to help users make more secure decisions. Examining both solutions matters because they are widely used, cost effective, and understood by many security practitioners. Additionally, default settings and users' objective knowledge provide anchors for decision-making. However, human errors and insecure default settings are increasing and raising further questions about the efficacy of such efforts. Using the theory of bounded rationality, we investigated the role of objective, subjective (i.e., self-assessed) security knowledge, and default settings security level on the overall decision security. We found that objective security knowledge can lead to secure decisions when paired with high subjective security knowledge. In the absence of the latter, objective security knowledge is unable to lead to better security decisions. Furthermore, subjective security knowledge reduces the extent to which users fully accept default security settings, thereby mitigating bias toward insecure default settings.