BITlab: Behavior Information Technology

404 Wilson Rd. Room 249
Communication Arts & Sciences
Michigan State University
East Lansing, MI 48824

The BITLab is no longer operating. This webpage is for archival purposes only.

Influencing Mental Models of Security

Over 80 million households in the United States have a home computer and an Internet connection. The vast majority of these are overseen by people who have little computer security knowledge or training, and many users try to avoid making security decisions because they feel they don’t have the knowledge and skills to maintain proper security. Nevertheless, home computer users still make security-related decisions on a regular basis — for example, whether or not to click on a link in an email message — without being aware that is what they are doing. Their decisions are guided by how they think about computer security,their mental models. Interestingly, these models do not have to be technically correct to lead to desirable security behaviors. In other words, sometimes even “wrong” mental models produce good security decisions. This project will explore the implications of that insight. By eliminating the constraint that non-technical users must become more like computer security experts to properly protect themselves, this project will identify and create more effective ways of helping home computer users make good security decisions.

This project will help advance our understanding of how mental models of security are formed and how ideas are incorporated into mental models and transmitted from person to person. What kinds of information are incorporated into home computer users’ mental models? Work will initially be focused on experimentally testing two hypotheses: a) stories about experiences have a larger influence on behavior than behavioral advice, and b) information from friends and colleagues has a stronger influence on mental models, and therefore behavior, than information from security experts. Additionally, the prevalence of particular mental models will be measured and correlated with actual user security behaviors. Through these investigations, this project will characterize the reasons that many home computer users choose not to act securely — a question which is one of the biggest challenges of home computer security. Finally, this project will explore ways of encouraging behaviors that support secure system use by developing a prototype socio-technical system that is capable of influencing their mental models and moving people toward models that lead to greater security.

Home computer security and personal information security are large problems today. Current education campaigns have failed to effect widespread changes in the security behaviors of non-technical users. New technologies are being developed, but will do nothing if users intentionally choose to ignore the technology or to work around it. This project will find better ways of informing people about security issues, altering their understanding of security threats and thereby their security behaviors, which will ultimately create more secure home computers. It will produce research tools, including survey instruments and security behavior measurement software that can be used by other security researchers. It will train a number of students, both graduate and undergraduate, in working on multi-disciplinary, distributed teams. The results from this study will be disseminated broadly to multiple academic communities.

Funded by NSF Awards CNS-1116544 and CNS-1115926.

PIs: Rick Wash and Emilee Rader

Mailing list:


Replcation materials for some of our papers are available at the Open Science Framework:


  • Rick Wash and Emilee Rader. “Prioritizing Security Over Usability: Strategies for How People Choose PasswordsJournal of CyberSecurity. To Appear 2021. ( Abstract Data )

  • Rick Wash and Molly Cooper. “Who Provides Phishing Training? Facts, Stories, and People Like MeProceedings of the ACM Conference on Human Factors in Computing (CHI). Montreal, Canada. April 2018. [Honorable Mention Award] ( Abstract, PDF, Data )

  • Rick Wash, Emilee Rader, and Chris Fennell. “Can People Self-Report Security Accurately? Agreement Between Self-Report and Behavioral MeasuresCHI 2017. Denver, CO. May 2017. ( Abstract, PDF, Data )

  • Rick Wash and Emilee Rader. “Human Interdependencies in Security Systems.” CCC Visioning Workshop on Grand Challenges in Sociotechnical Cybersecurity. 2016. ( Link )

  • Rick Wash, Emilee Rader, Ruthie Berman, and Zac Wellmer. “Understanding Password Choices: How Frequently Entered Passwords are Re-used Across WebsitesSOUPS 2016. Denver, CO. June 2016. ( Abstract, Link, PDF, Data )

  • Emilee Rader and Rick Wash. “Identifying Patterns in Informal Sources of Security InformationJournal of Cybersecurity. 2015. ( Abstract, Link, PDF )

  • Rick Wash and Emilee Rader. “Too Much Knowledge? Security Beliefs and Protective Behaviors Among US Internet UsersProceedings of the Symposium on Usable Privacy and Security (SOUPS). Ottawa, Canada. July 2015. ( Abstract, PDF, Data )

  • Katie Hoban, Emilee Rader, Rick Wash, and Kami Vaniea. “Computer Security Information in Stories, News Articles, and Education Documents.” Poster in Symposium on Usable Privacy and Security (SOUPS). July 2014. [Distinguished Poster Award] ( PDF, Poster )

  • Rick Wash, Emilee Rader, Kami Vaniea, and Michelle Rizor. “Out of the Loop: How Automated Software Updates Cause Unintended Security ConsequencesProceedings of the Symposium on Usable Privacy and Security (SOUPS). Menlo Park, CA. July 2014. ( Abstract, PDF )

  • Kami Vaniea, Emilee Rader, and Rick Wash. “Mental Models of Software Updates.” International Communication Association. Seattle. May 2014. ( Abstract, PDF )

  • Kami Vaniea, Emilee Rader, and Rick Wash. “Betrayed By Updates: How Negative Experiences Affect Future SecurityProceedings of the ACM Conference on Human Factors in Computing (CHI). Toronto, Canada. April 2014. ( Abstract, PDF, ACM DL, Video )

  • M. Angela Sasse, Charles C. Palmer, Markus Jakobsson, Sunny Consolvo, Rick Wash, L. Jean Camp. “Helping You Protect YouIEEE Security and Privacy. Vol. 12 No. 1 pp. 49-42. January/February 2014. ( Link )

  • Rick Wash. “Folk SecurityIEEE Security and Privacy. Vol. 10 No. 6 pp. 88-90. November/December 2012. ( Abstract, Link )

  • Emilee Rader, Rick Wash, and Brandon Brooks. “Stories as Informal Lessons About SecurityProceedings of the Symposium on Usable Privacy and Security (SOUPS). Washington, DC. July 2012. ( Abstract, PDF, ACM DL, Data )

  • Rick Wash and Emilee Rader. “Folk Models of Home Computer Security.” In The Death of the Internet, Edited by Markus Jacobsson. Wiley. June 2012. ISBN 978-1118062418 ( Link )

  • Rick Wash and Emilee Rader. “Influencing Mental Models of SecurityProceedings of the New Security Paradigms Workshop (NSPW). Marshall, CA. September 2011. ( Abstract, PDF, ACM DL )

  • Rick Wash. “Folk Models of Home Computer SecurityProceedings of the Symposium on Usable Security and Privacy. 2010. ( Abstract, PDF, ACM DL )