SoK (or SoLK?): On the Quantitative Study of Sociodemographic Factors and Computer Security Behaviors

Miranda Wei, Jaron Mink, Yael Eiger, Tadayoshi Kohno, Elissa M. Redmiles, Franziska Roesner

TL;DR

The paper surveys the quantitative literature on sociodemographic factors and computer security behaviors, revealing extensive US/Western focus, prevalent self-report methods, and mixed findings across gender, age, education, and other factors. It advances five guidelines for future work that stress explicit factor selection, thoughtful group inclusion, methodological diversity, cautious interpretation, and researcher positionality. A case study using de-identified Facebook log data and a large, multi-country survey demonstrates how demographics relate to concrete security actions (e.g., 2FA adoption, password strength) while highlighting geographic and platform-time effects. The authors argue for epistemic diversity and social-theory-driven explanations to move from correlation to causation, offering a path toward more equitable and effective security interventions. Overall, the work highlights substantial gaps, calls for broader representation and deeper causal understanding, and provides a concrete framework for future sociodemographic research in security behaviors.

Abstract

Researchers are increasingly exploring how gender, culture, and other sociodemographic factors correlate with user computer security and privacy behaviors. To more holistically understand relationships between these factors and behaviors, we make two contributions. First, we broadly survey existing scholarship on sociodemographics and secure behavior (151 papers) before conducting a focused literature review of 47 papers to synthesize what is currently known and identify open questions for future research. Second, by incorporating contemporary social and critical theories, we establish guidelines for future studies of sociodemographic factors and security behaviors that address how to overcome common pitfalls. We present a case study to demonstrate our guidelines in action, at scale, that conducts a measurement study of the relationships between sociodemographics and de-identified, aggregated log data of security and privacy behaviors among 16,829 users on Facebook across 16 countries. Through these contributions, we position our work as a systemization of a lack of knowledge (SoLK). Overall, we find contradictory results and vast unknowns about how identity shapes security behavior. Through our guidelines and discussion, we chart new directions to more deeply examine how and why sociodemographic factors affect security behaviors.
