Influencing Mental Models of Security
Over 80 million households in the United States have a home computer and an Internet connection. The vast majority of these are overseen by people who have little computer security knowledge or training, and many users try to avoid making security decisions because they feel they don’t have the knowledge and skills to maintain proper security. Nevertheless, home computer users still make security-related decisions on a regular basis — for example, whether or not to click on a link in an email message — without being aware that is what they are doing. Their decisions are guided by how they think about computer security,their mental models. Interestingly, these models do not have to be technically correct to lead to desirable security behaviors. In other words, sometimes even “wrong” mental models produce good security decisions. This project will explore the implications of that insight. By eliminating the constraint that non-technical users must become more like computer security experts to properly protect themselves, this project will identify and create more effective ways of helping home computer users make good security decisions.
This project will help advance our understanding of how mental models of security are formed and how ideas are incorporated into mental models and transmitted from person to person. What kinds of information are incorporated into home computer users’ mental models? Work will initially be focused on experimentally testing two hypotheses: a) stories about experiences have a larger influence on behavior than behavioral advice, and b) information from friends and colleagues has a stronger influence on mental models, and therefore behavior, than information from security experts. Additionally, the prevalence of particular mental models will be measured and correlated with actual user security behaviors. Through these investigations, this project will characterize the reasons that many home computer users choose not to act securely — a question which is one of the biggest challenges of home computer security. Finally, this project will explore ways of encouraging behaviors that support secure system use by developing a prototype socio-technical system that is capable of influencing their mental models and moving people toward models that lead to greater security.
Home computer security and personal information security are large problems today. Current education campaigns have failed to effect widespread changes in the security behaviors of non-technical users. New technologies are being developed, but will do nothing if users intentionally choose to ignore the technology or to work around it. This project will find better ways of informing people about security issues, altering their understanding of security threats and thereby their security behaviors, which will ultimately create more secure home computers. It will produce research tools, including survey instruments and security behavior measurement software that can be used by other security researchers. It will train a number of students, both graduate and undergraduate, in working on multi-disciplinary, distributed teams. The results from this study will be disseminated broadly to multiple academic communities.
PIs: Rick Wash and Emilee Rader
- Katie Hoban
- Alex Hinck
- Nick Saxton
- Ray Heldt
- Zack Girouard
Mailing list: firstname.lastname@example.org
- Emilee Rader, Rick Wash, and Brandon Brooks. “Stories as Informal Lessons About Security” Proceedings of the Symposium on Usable Privacy and Security (SOUPS). Washington, DC. July 2012. (PDF)
- Rick Wash and Emilee Rader. “Folk Models of Home Computer Security.” Chapter in The Death of the Internet, edited by Markus Jacobsson. Wiley, 2012. ISBN 9781118062418.
- Rick Wash and Emilee Rader. “Influencing Mental Models of Security” Proceedings of the New Security Paradigms Workshop (NSPW). Marshall, CA. September 2011. (PDF)
- Rick Wash. “Folk Models of Home Computer Security” Proceedings of the Symposium on Usable Security and Privacy. 2010. (PDF)
The MSU press release about the grant as a whole was picked up by the Associated Press, which caused it to be mentioned in a number of sources, including the Detroit Free Press, The Republic, Lansing State Journal, the Green Bay Press-Gazette, and WDIV Detroit