使用者資安行為實踐與專家溝通策略：可驗證隨機數產生器研究

Abstract

資安專家因應網路環境中的各種資安威脅，開發相應的安全與隱私保護工具。抽籤系統因其便利性與公平性特性，常被行政單位用作資源分配的工具。然而數位化時代，部分抽籤的流程也移轉到以電腦或是線上進行，若抽籤過程中的隨機數產生方式缺乏透明度，則整個系統可能遭到操控。資安專家感知到此威脅，因此開發可驗證的參與式隨機數產生演算法。為了提升社會大眾感知到的技術安全性，資安專家在隨機數產生器上設計「驗證」功能，讓使用者得以「確認」技術架構確實如其保證般的運作。 然而，資安的工具與驗證功能概念過往在推廣時面臨諸多挑戰，像是資安工具與行為的展現本身是為了避免不幸的事件發生，公眾因為難以快速感知到其效用導致使用意願不高；而可驗證隨機數產生器的概念則因過於新穎，與公眾過往對於抽籤的流程與概念之既有理解與記憶有差異，在初步推廣時首要面臨溝通與說服的挑戰，亦無前例可參考。 引此，本研究探索如何透過溝通策略，鼓勵使用者展現專家建議的資安行為，並以可驗證隨機數產生器的「驗證行為」作為研究案例。本研究共訪談18位受訪者。首先於前導研究中以課程資格抽籤作為抽籤情境，了解公眾對於可驗證隨機數產生器的理解與看法，共訪談六位非資訊背景之受訪者。於正式研究中，研究者以焦點團體工作坊訪談12位密碼學專家，自日常的抽籤情境中詢問可能產生的資安威脅（如：一番賞、轉蛋），並延伸蒐集密碼學專家會採用哪些溝通策略向大眾溝通。 本研究以質性資料編碼，歷經開放編碼、主軸編碼歸結出密碼學專家採用之五大溝通策略：1)強調驗證行為具有影響結果、捍衛權益的效果，藉以賦予公眾心理能動力2)引用或爭取第三方單位的公開認可，藉以增加可信度3)強調驗證行為的相對效益，提升外在動機 4)說明驗證行為之於抽籤機制生態系建立的重要性，培養驗證者的角色認同與探索興趣 5)強調隨機數的資安威脅，運用風險意識提升參與動機。考量密碼學專家與公眾之慣用語言差異與知識差距，本研究以中立的視角分析搜集到的溝通策略，並引入科學溝通之相關理論：建構層次理論（Construal level theory, CLT）、慎思可能模式（Elaboration likelihood model, ELM）與保護動機理論（Protection motivation theory, PMT）評估各項溝通策略之合適性。 經科學溝通理論評估後，研究指出溝通者於制定溝通策略時應考量公眾與議題的能力、動機和心理距離，並據此調整溝通方式。具體而言，專家提出之策略3「強調驗證行為的相對效益，提升外在動機」、策略5「強調隨機數的資安威脅，運用風險意識提升參與動機」因合乎高建構層次的溝通，且以邊緣路徑進行決策溝通，溝通者可優先嘗試用以推廣驗證行為。本研究於文末亦引入公部門之社會住宅抽籤、私部門之電玩產業轉蛋抽籤情境作為策略運用之案例說明，相關成果可應用於推廣可驗證隨機數產生器之使用，更可作為組織在推廣新興安全與隱私保護機制時的溝通策略參考，為未來資安行為溝通研究奠定基礎。

Cybersecurity experts develop corresponding security and privacy protection tools in response to various security threats in the online environment. Due to their convenience and fairness characteristics, lottery systems are often used by administrative units as tools for resource allocation. However, in the digital age, some lottery processes have also transitioned to computer-based or online platforms. If the random number generation method lacks transparency during the lottery process, the entire system may be subject to manipulation. To address this concern, cybersecurity experts develop verifiable participatory randomness generation algorithms. Furthermore, to enhance the public's trust in technical security, these experts design verification functions for random number generators, allowing users to reconfirm that the system operates exactly as guaranteed. Based on this, this research explores how communication strategies can encourage users to adopt security behaviors recommended by experts, using the "verification behavior" of verifiable random number generators as a case study. The study interviewed a total of 18 participants. The pilot study, which used course qualification drawing as the lottery context, first investigated public understanding and perceptions of verifiable random number generators by interviewing six participants without IT backgrounds. In the formal study, researchers conducted focus group workshops with 12 cryptography experts, inquiring about potential security threats in daily lottery scenarios (such as blind box games and gacha systems), and gathering information about communication strategies these cryptography experts would employ to communicate with the public. Using qualitative data coding, through open coding and axial coding, the study identified five major communication strategies employed by cryptography experts: 1) emphasizing that verification behavior has the effect of influencing outcomes and defending rights, thereby empowering the mental agency of public; 2) citing or seeking public endorsement from third-party organizations to increase credibility; 3) emphasizing the relative benefits of verification behavior to enhance external motivation; 4) explaining the importance of verification behavior in establishing the lottery mechanism ecosystem, fostering verifiers' role identity and exploratory interest; 5) emphasizing security threats to randomness generator, utilizing risk awareness to enhance participation motivation. Considering the language differences and knowledge gaps between cryptography experts and the public, this research analyzes the collected communication strategies from a neutral perspective and incorporates relevant theories of scientific communication: Construal Level Theory (CLT), Elaboration Likelihood Model (ELM), and Protection Motivation Theory (PMT) to evaluate the appropriateness of each communication strategy. After evaluation through science communication theories, the research indicates that communicators should consider the public's capability, motivation, and psychological distance from the issue when formulating communication strategies, and adjust their communication methods accordingly. Specifically, Strategy 3 "emphasizing the relative benefits of verification behavior to enhance external motivation" and Strategy 5 "emphasizing security threats to random numbers, utilizing risk awareness to enhance participation motivation" align with high-level construal communication and peripheral route decision-making communication, making them priority strategies for promoting verification behavior. The study concludes by introducing case examples of strategy application in public sector social housing allocation and private sector gaming industry gacha systems. These findings can be applied to promote the use of verifiable random number generators and serve as a reference for organizations' communication strategies when promoting emerging security and privacy protection mechanisms, laying the foundation for future research in cybersecurity behavior communication.