PDF 2 - MSU - Michigan State University
Transcription
MENTAL MODELS OF SECURITY
Rick Wash, Assistant Professor, Communication Arts and Sciences, Michigan State University
[email protected]

PROBLEM: Better technology doesn't help if users choose not to use it.

DISCRETIONARY SECURITY
• Install anti-virus?
• Disable automatic updates?
• Choose an 'easy' password?
• Give everyone write permission?
• Click on links in email?

• How do non-experts make security choices? Folk Models of Security
• How do non-experts learn about security? Stories from Other People
• How can we help non-experts make better choices? Better models? Better technology?

How do people think about security? How do people make security decisions?
[Image: a valve, then the same valve with a feedback loop. Credit: flickr.com/photos/jason_coleman]

INTERVIEW STUDY
• Round 1: 23 home users
• Round 2: 10 home users
• Snowball sample

THREATS
• Viruses
• Hackers

VIRUS MODELS
• Viruses are Generically Bad
• Viruses are Buggy Software
• Viruses Cause Mischief
• Viruses Support Crime

Viruses are Generically Bad
• General notion of bad things happening
• 'Catch' viruses like a cold
• Unspecified creator, purpose

Viruses are Buggy Software
• Same problems as bugs in software, but worse
• Must be manually downloaded and run
• Created by 'bad' people

Viruses Cause Mischief
• Created by mischievous teenagers with technical skills
• Cause annoying problems
• Caught by visiting shady websites or opening shady emails

Viruses Support Crime
• Created by criminals to gather identity information
• No direct harm to computers
• Spread automatically, installed by hackers

[Table: the four virus models (Viruses are Bad, Buggy Software, Mischief, Support Crime) against the behaviours Use anti-virus software, Regular anti-virus scans, Care in visiting websites, Care in downloads; each cell rated Don't do / OK, not necessary / Definitely]

HACKER MODELS
• Hackers do Digital Graffiti
• Hackers are Burglars
• Hackers Target Big Fish
• Hackers are Contractors to Criminals

Hackers do Digital Graffiti
• Young technical geeks trying to impress friends
• Causes mischief
• Anyone can be a target; it doesn't matter

Hackers are Burglars
• Some criminal "breaks into" your computer
• Looking for personal / financial information
• Targets are chosen opportunistically

Hackers Target Big Fish
• Similar to burglar model
• Criminals target rich or important people
• Likely to be professional, part of organized crime
Hackers are Contractors to Criminals
• Young technical geek
• Looking for ID theft info for resale
• Targets big databases

[Table: the four hacker models (Graffiti, Burglar, Big Fish, Contractor) against the behaviours Use security software, Keep patches up-to-date, Make regular backups; each cell rated Don't do / OK, not necessary / Definitely]

"Technical experts will evaluate folk theory from this perspective [correctness] -- not by asking whether it fulfills the needs of the folk. But it is the latter criterion[...] on which sound public policy must be based." - Willett Kempton, 1986

FOLK MODELS
• Home computer users make decisions based on the threats they perceive they face
• These threats, even if incorrect, can induce good behaviors from users

VIRUS MODELS
• Viruses are Bad
• Viruses are Buggy Software
• Viruses Create Mischief
• Viruses Support Crime

HACKER MODELS
• Digital Graffiti
• Opportunistic Burglars
• Hackers Target Big Fish
• Contractors to Criminals

• How do non-experts make security choices? Folk Models of Security
• How do non-experts learn about security? Stories from Other People
• How can we help non-experts make better choices? Better models? Better technology?

How do non-experts learn about security?
• Security education?
• Interacting with technology?
• News?
• Stories from their friends?

STORIES FROM OTHER PEOPLE

SURVEY
• Undergraduates in intro comm/telecom classes
• 301 responses (41%)
• "Tell us a story you heard about security"

SECURITY STORIES
#377: My friend decided he wanted to watch some inappropriate videos and went to a shady site. He did not have a firewall or any sort of anti-virus, so his computer got infected. His computer slowly got worse and worse until he couldn't handle it and took it to his parents. His parents did not know what to do, and before they could figure it out, the computer died.
#3: It appears that Facebook has gotten yet another virus and people are posting weird things onto their friends' walls without them knowing. So if you get a notification about someone posting on your wall, be careful and do not directly click on it, or else your Facebook might get hacked or get a virus.

STORIES are about security incidents
• PC effects
• Spam
• Break-ins
• Theft
• Phishing

STORIES are heard informally from family and friends
• 70% heard in informal settings (home, friend's house)
• 55% told face-to-face
• 64% told by family or friends
• 71% more than a month old

STORIES are lessons about everyday people facing moderately serious threats
• 55% about family and friends
• 51% autobiographical
• 72% contain a lesson
• 95% believe the story is true

STORIES convey important security lessons
• The Internet is a dangerous place
• Beware of specific threats (shady email, shady webpages)
• Keep personal information private

CHANGING THINKING AND BEHAVIOR
• 94% report changing how they think about security
• 52% report changing behavior

Lessons are important
• A story that contains a lesson more than doubles the odds of influencing behavior
• Significantly larger increase in change in thinking

People perceived as knowledgeable change behavior
• 40% increase in the odds of changing behavior
• Very small effect on change in thinking

Stop, Start, and Pay Attention
• Completely stop doing risky behaviors
• Start using more security technologies
• Pay attention to useful information

STOP
#412: Don't click on sketchy links.
#3: Don't click on weird links.

START
#44: Making sure my computer did not remember any of my passwords.
#428: Make sure you choose a well-trusted antivirus program to protect your computer from spyware and virus threats.
#448: Started scanning torrent contents before opening. Also reading torrent comments.

PAY ATTENTION
#121: To not be stupid and recognize when a virus is attempting to harm your computer.
#356: Reading more carefully the subject line in emails.

STORIES ARE RETOLD
• 45% of respondents retold the story
• 90% retell within a week
• Casual (87%), face-to-face (89%), to family and friends (97%)

FOUR IMPLICATIONS
• People's choices about security are interconnected
• Influential stories come from familiar, trusted sources
• Stories seem to convey the complexity of security, but not what to do about it
• Stories seem to help with reactive security, but not with proactive security