Computers require a certain amount of diligence to protect them from malicious users; the computer security industry is a vibrant and active industry that provides solutions to this problem. However, computers that are present in people’s homes are normally administered not by experts but by their owners, and home computer owners rarely have the skills or expertise to properly maintain their computers’ security.
This problem has been exacerbated recently by the rise of a new type of attack: the botnet. An attacker will compromise a large number of vulnerable computers and combine them into one large “botnet” that can be used for many different types of crime: click fraud, denial of service, sending spam, extortion, etc. Since all the attacker cares about is that the computer is connected to the Internet, they have turned to the most vulnerable population: home computers. However, since botnets are used to attack third parties, the fact that this vulnerable population exists is a security risk to the other corporations and individuals who are the true targets of botnets. For this reason, there is renewed interest in trying to find better ways for home computer users to protect their security.
I begin by looking at how home computer users currently make security-relevant decisions on their computer. I conducted a series of semi-structured interviews of home computer users to identify the “mental models” that these users possess, and how these models are used to make decisions. I identified 8 models of security threats: 4 different ways of thinking about “viruses” and other malicious software, and 4 different ways of thinking about “hackers” and other malicious users. Each of the models included a specific way that the threat operated, and this understanding would lead users to make different security decisions. For example, one model of hackers is that they are mischievous individuals who are looking for random computers to use as a canvas for their digital graffiti. Another model is that hackers are criminals who only target the computers of big, important, and rich individuals. People who possess the first model feel that they could be a hacking victim at any time, and that it is important to be diligent in protecting their computer. Those who possess the second model would disagree, believing that they aren’t rich or important enough for hackers to bother attacking them. This difference in understanding of the threats leads to dramatically different security decisions.
My long-term goal is to design and develop an information sharing system for home computer users. I believe that by helping users to share valuable information with each other, we can improve the quality of the security decisions that these users make, and consequently raise the overall level of security among home computers. But such a social computing system is non-trivial to design; inducing users to contribute information and ensuring a minimum level of quality are difficult design problems. There are many social and cultural complications that make designing, implementing, and deploying such a system problematic. I hope to address many of these problems in future research, and eventually develop and deploy this system.
Resources
Rick Wash. “Folk Models of Home Computer Security,” Working Paper, October 2009. (PDF)
Rick Wash. “Motivating Contributions for Home Computer Security.” PhD Dissertation. University of Michigan, 2009. (PDF)
