PDF 2 - MSU - Michigan State University

MENTAL MODELS
OF SECURITY
Rick Wash
Assistant Professor
Communication Arts and Sciences
Michigan State University
[email protected]
PROBLEM:
Better technology doesn’t help if
users choose not to use it
Discretionary Security
Install Anti-virus?
Disable automatic updates?
Choose an ‘easy’ password?
Give everyone write permission?
Click on links in email?
How do non-experts make security choices?
How do non-experts learn about security?
How can we help non-experts make
better choices?
How do non-experts make security choices?
Folk Models of Security
How do non-experts learn about security?
How can we help non-experts make
better choices?
How do non-experts make security choices?
Folk Models of Security
How do non-experts learn about security?
Stories from Other People
How can we help non-experts make
better choices?
How do non-experts make security choices?
Folk Models of Security
How do non-experts learn about security?
Stories from Other People
How can we help non-experts make
better choices?
Better models? Better technology?
How do people think about security?
How do people make security decisions?
Credit: flickr.com/photos/jason_coleman
VALVE
VALVE
FEEDBACK
INTERVIEW STUDY
INTERVIEW STUDY
Round 1: 23 home users
Round 2: 10 home users
Snowball Sample
THREATS
Viruses
Hackers
VIRUS MODELS
VIRUS MODELS
Viruses are Generically Bad
Viruses are Buggy Software
Viruses Cause Mischief
Viruses Support Crime
VIRUS MODELS
Viruses are Generically Bad
VIRUS MODELS
Viruses are Generically Bad
General notion of bad things happening
‘Catch’ viruses like a cold
Unspecified creator, purpose
VIRUS MODELS
Viruses are Buggy Software
VIRUS MODELS
Viruses are Buggy Software
Same problems as bugs in software, but worse
Must be manually downloaded and run
Created by `bad’ people
VIRUS MODELS
Viruses Cause Mischief
VIRUS MODELS
Viruses Cause Mischief
Created by mischievous teenagers with technical skills
Cause annoying problems
Caught by visiting shady websites
or opening shady emails
VIRUS MODELS
Viruses Support Crime
VIRUS MODELS
Viruses Support Crime
Created by criminals to
gather identity information
No direct harm to computers
Spread automatically, installed by hackers
Support Crime
Mischief
Buggy Software
Viruses are bad
VIRUS
MODELS
Use anti-virus software
Regular anti-virus scans
Care in visiting websites
Care in downloads
Don't do
Ok, not necessary
Definitely
HACKER MODELS
HACKER MODELS
Hackers do Digital Graffiti
Hackers are Burglars
Hackers Target Big Fish
Hackers are Contractors to Criminals
HACKER MODELS
Hackers do Digital Graffiti
HACKER MODELS
Hackers do Digital Graffiti
Young technical geeks trying to impress friends
Causes mischief
Anyone can be a target; it doesn’t matter
HACKER MODELS
Hackers are Burglars
HACKER MODELS
Hackers are Burglars
Some criminal “breaks into” your computer
Looking for personal / financial information
Targets are chosen opportunistically
HACKER MODELS
Hackers Target Big Fish
HACKER MODELS
Hackers Target Big Fish
Similar to burglar model
Criminals target rich or important people
Likely to be professional,
part of organized crime
HACKER MODELS
Hackers are Contractors to Criminals
HACKER MODELS
Hackers are Contractors to Criminals
Young technical geek
Looking for ID theft info for resale
Targets big databases
Contractor
Big Fish
Burglar
Graffiti
HACKER
MODELS
Use security software
Keep patches up-to-date
Make regular backups
Don't do
Ok, not necessary
Definitely
“Technical experts will evaluate folk theory
from this perspective [correctness] -- not by
asking whether it fulfills the needs of the
folk. But it is the latter criterion[...] on
which sound public policy must be based.”
- Willett Kempton, 1986
FOLK MODELS
• Home
Computer Users make decisions based on
the threats they perceive they face
• These
threats, even if incorrect, can induce good
behaviors from users
VIRUS
MODELS
HACKER
MODELS
VIRUS
MODELS
•Viruses are Bad
•Viruses are Buggy
Software
•Viruses Create
Mischief
•Viruses Suppport
Crime
HACKER
MODELS
VIRUS
MODELS
HACKER
MODELS
•Viruses are Bad
•Digital Graffiti
•Viruses are Buggy
•Opportunistic
Software
Burglars
•Viruses Create
•Hackers Target Big
Mischief
Fish
•Viruses Suppport
•Contractors to
Crime
Criminals
How do non-experts make security choices?
Folk Models of Security
How do non-experts learn about security?
Stories from Other People
How can we help non-experts make
better choices?
Better models? Better technology?
How do non-experts learn about security?
Stories from Other People
Security Education?
Interacting with Technology?
News?
Stories from their Friends?
SURVEY
Undergraduates in intro comm/telecom classes
301 Responses (41%)
Tell us a story you heard about security
SECURITY STORIES
#377: My friend decided he wanted to watch some inappropriate
videos and went to a shady site. He did not have a firewall or any
sort of anti virus so his computer got infected. His computer slowly
got worse and worse until he couldn't handle it and took it to his
parents. His parents did not know what to do and before they could
figure it out, the computer died.
#3: It appears that Facebook has gotten yet another virus and
people are posting weird things onto their friends walls without them
knowing. So if you get a notification about someone posting on your
wall be careful and not directly click on it or else your Facebook
might get hacked or a virus.
STORIES
are about security incidents
PC Effects
Spam
Break-ins
Theft
Phishing
STORIES
are heard informally from family and friends
70% heard in informal settings (home, friend's house)
55% told face-to-face
64% told by family or friends
71% more than a month old
STORIES
are lessons about everyday people
facing moderately serious threats
55% about family and friends
51% auto-biographical
72% contain a lesson
95% believe the story is true
STORIES
convey important security lessons
The Internet is a dangerous place
Beware of specific threats (shady email, shady webpages)
Keep person information private
CHANGING THINKING
AND BEHAVIOR
94% report changing how they
think about security
52% report changing behavior
CHANGING THINKING
AND BEHAVIOR
Lessons are important
Over doubles the odds of influencing behavior
Significantly larger increase in change in thinking
CHANGING THINKING
AND BEHAVIOR
People perceived as knowledgable
change behavior
40% increase in odds of changing behavior
Very small effect on change in thinking
CHANGING THINKING
AND BEHAVIOR
Stop, Start, and Pay Attention
Completely stop doing risky behaviors
Start using more security technologies
Pay attention to useful information
#412: Don't click on sketchy links; #3: Don't click on weird links.
STOP
#44: Making sure my computer did not remember any of my
passwords.
#428: Make sure you choose a well-trusted antivirus program to
protect your computer from spyware and virus threats.
#448: Started scanning torrent contents before opening. Also
reading torrent comments.
#121: To not be stupid and recognize when a virus is attempting to
harm your computer.
#356: Reading more carefully the subject line in emails.
START
PAY
ATTENTION
STORIES ARE RETOLD
45% of respondents retold the story
90% retell within a week
Casual (87%), Face-to-face (89%), to family and friends (97%)
FOUR IMPLICATIONS
• People’s
choices about security are interconnected
• Influential
sources
stories come from familiar, trusted
seem to convey the complexity of security, but
not what to do about it
• Stories
seem to help with reactive security, but not
with proactive security
• Stories
•