Rick Wash

Recently, malicious computer users have been compromising computers en masse and combining them to form coordinated botnets. The rise of botnets has brought the problem of home computers to the forefront of security.  Home computer users commonly have insecure systems; these users do not have the knowledge, experience, and skills necessary to maintain a secure system.  I take steps toward designing a socio-technical system that will hopefully help home computer users make better security decisions.  Designing such a system requires additional knowledge before a successful system can be developed.

First, more information is needed about the knowledge and skills that home computer users currently possess. I conducted an interview study of home computer users and identified eight distinct mental models of security threats; four are models of “viruses,” and four are models of “hackers.”  The respondents in this study use the models to decide which security precautions should be used and which can be ignored.

Second, to share information, users need an incentive to exert the time and effort required for sharing. I describe two mechanisms that can be used in social computing systems to encourage contribution.   I illustrate the first mechanism, the side effect mechanism, by describing how it is used in a popular social bookmarking website.  I also illustrate a design feature that is important when applying this mechanism: incentive alignment. The second mechanism that I describe is technically simple: set a minimum threshold and exclude users who don’t contribute enough.  I develop a theory of how users are likely to respond to such a mechanism and use that theory to characterize when such a mechanism should be used.

Finally, I bring all of these findings together to suggest some preliminary design features for a socio-technical security system to help home computer users.  While there are many unanswered questions, these design features can serve as a starting point for future work in the area.

Download: PDF

Home computer systems are frequently insecure because they are administered by untrained, unskilled users.  The rise of botnets has amplified this problem; attackers can compromise these computers, aggregate them, and use the resulting network to attack third parties.  Despite a large security industry that provides software and advice, home computer users remain vulnerable.  I investigate how home computer users make security-relevant decisions about their computers.  I identify eight `folk models’ of security threats that are used by home computer users to decide what security software to use, and which security advice to follow: four different conceptualizations of `viruses’ and other malware, and four different conceptualizations of `hackers’ that break into computers.  I illustrate how these models are used to justify ignoring some security advice.  Finally, I describe one reason why botnets are so difficult to eliminate: they have been cleverly designed to take advantage of gaps in these models so that many home computer users do not take steps to protect against them.

Rick Wash.  ”Folk Models of Home Computer Security.” Symposium on Usable Privacy and Security (SOUPS) 2010.

Download: PDF

By Rick Wash and Jeff MacKie-Mason

Hackers have learned to leverage the enormous number of poorly protected home computers by turning them into a large distributed system (known as a botnet), making home computers an important frontier for security research. They present special problems: owners are unsophisticated, and usage profiles are varied making onesize-fits-all firewall policies ineffective. We propose a social firewall that collects security decisions and both user and usage characteristics, and provides users with personalized information to assist with allow/deny recommendations. To succeed, a social firewall must deal with at least three user behavior issues: why contribute private information? why make effort to provide quality information? and, how to prevent manipulation by adversaries? We sketch an incentive-centered design approach to each problem. We provide an economic model and some analytic results for a solution to the fundamental problem: why contribute? We show that an excludable public goods mechanism can achieve a better outcome than a system without social motivators.

Rick Wash and Jeff MacKie-Mason. “A Social Mechanism for Home Computer Security,” Presented at the Workshop on Information Systems and Economics (WISE), December 2008.

Download: PDF

By Rick Wash

Users of home computer systems are becoming increasingly aware of the need for computer and information security systems. The market for security software for home users is growing rapidly, and includes anti-virus software, anti-spyware software, personal rewall software, personal intrusion detection / prevention systems, computer login / password / fingerprint systems, and intrusion recovery software. This software often requires security-relevant decisions be made by the home users, though most home users have little of the technical training and knowledge needed to make those decisions.

Though home computer users have little technical training, they do have some idea of the security threats they face and the potential countermeasures; indeed, the market for home security software is quite active. I conducted a series of 23 semi-interviews to better understand how home computer users think about security threats and security software. While home computer users did not have the complex, sophisticated mental models of computer security experts, they did have a couple of simple models that helped them make security-related decisions. These models led to a number of good security choices, but also led to a number of vulnerabilities that have been exploited by modern botnets. By understanding these mental models, home computer security technologies can be designed to address the vulnerabilities left by these models, and to take advantage of the knowledge that home users actually do possess.

Rick Wash. “Mental Models of Home Computer Security,” Extended Abstract at SOUPS (Symposium on Usable Privacy and Security) 2008 Poster Session. May 2008.

Download: PDF

By Rick Wash and Jeff MacKie-Mason

Humans are “smart components” in a system, but cannot be directly programmed to perform; rather, their autonomy must be respected as a design constraint and incentives provided to induce desired behavior. Sometimes these incentives are properly aligned, and the humans don’t represent a vulnerability. But often, a misalignment of incentives causes a weakness in the system that can be exploited by clever attackers. Incentive-centered design tools help us understand these problems, and provide design principles to alleviate them. We describe incentive-centered design and some tools it provides. We provide a number of examples of security problems for which Incentive Centered Design might be helpful. We elaborate with a general screening model that offers strong design principles for a class of security problems.

Rick Wash and Jeffrey K. MacKie-Mason. “Security When People Matter: Structuring Incentives for User Behavior.” Proceedings of the International Conference on Electronic Commerce, August 2007.

Download: PDF

By Rick Wash

Home computer users frequently lack the skills necessary to ensure proper security. Hackers exploit this to control large networks of computers (‘botnets’) that are used for spam, extortion, and fraud. I integrate ideas from psychology and economics to design software that provides incentives that induce better security choices by home computer users.

Rick Wash, “Incentive Design for Home Computer Security.“ Extended Abstract at the ACM SIGCHI Conference on Computer-Human Interaction 2007 Doctoral Consortium. January 2007.

Download: PDF