New NSF Grant to Study How People Think About Computer Security
I’ve received a new grant from the US National Science Foundation to study mental models of security.
Over 80 million households in the United States have a home computer and an Internet connection. The vast majority of these are overseen by people who have little computer security knowledge or training, and many users try to avoid making security decisions because they feel they don’t have the knowledge and skills to maintain proper security. Nevertheless, home computer users still make security-related decisions on a regular basis, for example whether or not to click on a link in an email message, often without realizing that they are making a security decision at all. Their decisions are guided by how they think about computer security: their mental models. Interestingly, these models do not have to be technically correct to lead to desirable security behaviors. In other words, sometimes even “wrong” mental models produce good security decisions. This project will explore the implications of that insight. By eliminating the constraint that non-technical users must become more like computer security experts to properly protect themselves, this project will identify and create more effective ways of helping home computer users make good security decisions.
This project will help advance our understanding of how mental models of security are formed, how ideas are incorporated into mental models, and how they are transmitted from person to person. What kinds of information are incorporated into home computer users’ mental models? Work will initially be focused on experimentally testing two hypotheses: a) stories about experiences have a larger influence on behavior than behavioral advice, and b) information from friends and colleagues has a stronger influence on mental models, and therefore on behavior, than information from security experts. Additionally, the prevalence of particular mental models will be measured and correlated with actual user security behaviors. Through these investigations, this project will characterize the reasons that many home computer users choose not to act securely, a question that is one of the biggest challenges of home computer security. Finally, this project will explore ways of encouraging behaviors that support secure system use by developing a prototype socio-technical system that is capable of influencing users’ mental models and moving them toward models that lead to greater security.
Home computer security and personal information security are large problems today. Current education campaigns have failed to effect widespread changes in the security behaviors of non-technical users. New technologies are being developed, but will do nothing if users intentionally choose to ignore the technology or to work around it. This project will find better ways of informing people about security issues, altering their understanding of security threats and thereby their security behaviors, which will ultimately create more secure home computers. It will produce research tools, including survey instruments and security behavior measurement software that can be used by other security researchers. It will train a number of students, both graduate and undergraduate, in working on multi-disciplinary, distributed teams. The results from this study will be disseminated broadly to multiple academic communities.