Folk Models of Home Computer Security
Published 21 May 2016. Tags: computer-science, security, paper-review.
I recently read Rick Wash’s Folk Models of Home Computer Security, in which he conducts a survey of regular computer users to determine how they believe certain aspects of computer security work. There’s a lot of interesting stuff in there if you’re interested in security research.[1]
He analyzes a few security concerns and notices that users’ beliefs about security fall into distinct categories or “folk models” that they use to explain the world.
These models should interest us when we design security software, since they’re what motivate our users and guide their actions. He notes that, despite being advised for decades to change their passwords regularly and not to open suspicious emails,
…many home computer users still do not follow this advice… There is a disagreement among security experts as to why this advice isn’t followed. Some experts seem to believe that home users do not understand the security advice, and therefore more education is needed. Others seem to believe that home users are simply incapable of consistently making good security decisions. However, none of these explanations explain which advice does get followed and which advice does not. The folk models… begin to provide an explanation of which expert advice home computer users choose to follow, and which advice to ignore. By better understanding why people choose to ignore certain pieces of advice, we can better craft that advice and technologies to have a greater effect.
Here are some quick summaries of a few folk models:
What are viruses, and why do they exist?
- Viruses are just “bad” things. They cause undefined “problems.” Users have no idea what they do or why they do it. People who believe this usually assume that they’re safe and don’t bother using anti-virus software, etc.
- Viruses are software that’s not working correctly. They make other programs buggy. You won’t get them if you don’t download or “click” things. Users had no idea why anyone would create them.
- Viruses cause mischief. They’re created to be annoying. They download porn, delete important files, and display pirate symbols. You can “catch” viruses by visiting “bad” pages, in the same way that graffiti appears in the “bad” part of town. Some sites are “protected” and can’t give you viruses.
- Viruses are for crime, almost always identity theft. Viruses want to transmit data and remain undetected, so it’s important to run anti-virus software regularly. Viruses don’t harm the computer, so you don’t need backups.
- Multiple models. All of these are possible, so take all precautions.
What motivates attackers/“hackers”?
- They’re graffiti artists that like to cause mischief. “Youths” with technical skills and no moral restraint. Loners that want to cause harm for no reason. It’s futile to try to stop them.
- Attackers are like burglars, looking for information like credit card data. They use the information themselves and don’t sell it to others. They’re opportunistic, attacking anything they see. People avoid websites so hackers don’t “find” them.
- They’re organized criminals that target “big fish.” Regular people are safe, since they’re not going to be specifically targeted.
- Contractors working for criminals. Like the graffiti artists, but with purpose. They sell information and don’t use it themselves. They target large databases like Amazon’s, not regular people.
- Multiple models. Could be mischievous, could be a contractor.
[1] Some entertaining stuff, too, for anyone who has done technical support for their extended family.