Recently, malicious computer users have been compromising computers en masse and combining them to form coordinated botnets. The rise of botnets has brought the problem of home computers to the forefront of security. Home computer users commonly have insecure systems; these users do not have the knowledge, experience, and skills necessary to maintain a secure system. I take steps toward designing a socio-technical system that will hopefully help home computer users make better security decisions. Designing such a system requires additional knowledge before a successful system can be developed.
First, more information is needed about the knowledge and skills that home computer users currently possess. I conducted an interview study of home computer users and identified eight distinct mental models of security threats; four are models of “viruses,” and four are models of “hackers.” The respondents in this study use the models to decide which security precautions should be used and which can be ignored.
Second, to share information, users need an incentive to exert the time and effort required for sharing. I describe two mechanisms that can be used in social computing systems to encourage contribution. I illustrate the first mechanism, the side effect mechanism, by describing how it is used in a popular social bookmarking website. I also illustrate a design feature that is important when applying this mechanism: incentive alignment. The second mechanism that I describe is technically simple: set a minimum threshold and exclude users who don’t contribute enough. I develop a theory of how users are likely to respond to such a mechanism and use that theory to characterize when such a mechanism should be used.
Finally, I bring all of these findings together to suggest some preliminary design features for a socio-technical security system to help home computer users. While there are many unanswered questions, these design features can serve as a starting point for future work in the area.
Download: PDF
Recently, malicioucomputer users have been compromising computers en masse and combining them to form coordinated botnets. The rise of botnets has brought the problem of home computers to the forefront of security. Home computer users commonly have insecure systems; these users do not have the knowledge, experience, and skills necessary to maintain a secure system. I take steps toward designing a socio-technical system that will hopefully help home computer users make better security decisions. Designing such a system requires additional knowledge before a successful system can be developed.
First, more information is needed about the knowledge and skills that home computer users currently possess. I conducted an interview study of home computer users and identified eight distinct mental models of security threats; four are models of “viruses,” and four are models of “hackers.” The respondents in this study use the models to decide which security precautions should be used and which can be ignored.
Second, to share information, users need an incentive to exert the time and effort required for sharing. I describe two mechanisms that can be used in social computing systems to encourage contribution. I illustrate the first mechanism, the side effect mechanism, by describing how it is used in a popular social bookmarking website. I also illustrate a design feature that is important when applying this mechanism: incentive alignment. The second mechanism that I describe is technically simple: set a minimum threshold and exclude users who don’t contribute enough. I develop a theory of how users are likely to respond to such a mechanism and use that theory to characterize when such a mechanism should be used.
Finally, I bring all of these findings together to suggest some preliminary design features for a socio-technical security system to help home computer users. While there are many unanswered questions, these design features can serve as a starting point for future work in the are
By Rick Wash and Jeff MacKie-Mason
Social computing systems collect, aggregate, and share user-contributed content, and therefore depend on contributions from users to function properly. However, humans are intelligent beings and cannot be programmed to behave; system designers must provide incentives to encourage users to contribute. We explore the behavioral consequences of one simple incentive mechanism: require users to contribute a minimum amount of information before they are granted access to the system. Users with a high marginal cost of contribution will stop using the system, but users with a moderate marginal cost will increase their contribution, frequently leading to greater benefits for everyone still using the system. Additionally, if contributions are collaborative and build upon each other, then existing contributors are likely to slightly decrease their contributions, leading to a more ’equal’ distribution of contributions. We show that this mechanism often leads to increased contributions, and provide concrete design advice for using this mechanism in social computing systems.
Rick Wash and Jeff MacKie-Mason. “Using a Minimum Threshold to Motivate Contributions to Social Computing,” Working Paper, June 2009.
Download: PDF
By Rick Wash and Jeff MacKie-Mason
Hackers have learned to leverage the enormous number of poorly protected home computers by turning them into a large distributed system (known as a botnet), making home computers an important frontier for security research. They present special problems: owners are unsophisticated, and usage profiles are varied making onesize-fits-all firewall policies ineffective. We propose a social firewall that collects security decisions and both user and usage characteristics, and provides users with personalized information to assist with allow/deny recommendations. To succeed, a social firewall must deal with at least three user behavior issues: why contribute private information? why make effort to provide quality information? and, how to prevent manipulation by adversaries? We sketch an incentive-centered design approach to each problem. We provide an economic model and some analytic results for a solution to the fundamental problem: why contribute? We show that an excludable public goods mechanism can achieve a better outcome than a system without social motivators.
Rick Wash and Jeff MacKie-Mason. “A Social Mechanism for Home Computer Security,” Presented at the Workshop on Information Systems and Economics (WISE), December 2008.
Download: PDF
