How people think about PC security

I recently had the privilege of reading “Folk Models of Home Computer Security,” a great paper by Rick Wash, an assistant professor at Michigan State. Here’s his abstract:

Home computer systems are frequently insecure because they are administered by untrained, unskilled users. The rise of botnets has amplified this problem; attackers can compromise these computers, aggregate them, and use the resulting network to attack third parties. Despite a large security industry that provides software and advice, home computer users remain vulnerable. I investigate how home computer users make security-relevant decisions about their computers. I identify eight ‘folk models’ of security threats that are used by home computer users to decide what security software to use, and which security advice to follow: four different conceptualizations of ‘viruses’ and other malware, and four different conceptualizations of ‘hackers’ that break into computers. I illustrate how these models are used to justify ignoring some security advice. Finally, I describe one reason why botnets are so difficult to eliminate: they have been cleverly designed to take advantage of gaps in these models so that many home computer users do not take steps to protect against them.

The brilliance of the paper is its insight into how people actually make decisions about their PCs. Report after report has highlighted what people do (or fail to do), but not why they do it. Wash points out that his sample was small, so his findings may not represent the whole population. Still, it’s reasonable to assume that many users hold mental models similar to those of the individuals Wash interviewed.

I do wish that he hadn’t steered away, at times explicitly, from a natural conclusion: that helping people understand the reality of cybercrime might change their models and thus their behavior. That said, his own conclusion that those of us who want to change users’ behavior have to meet users where they are, not where we wish they would be, is well taken.

Hat tip to Bruce Schneier for his mention of this paper.


Two billion and counting

According to a report by the United Nations, the number of Internet users globally exceeded two billion a few months ago. It is clear to me, as someone who works with badware, that the bulk of those two billion users are ill prepared to navigate the online world safely and securely. That’s really no surprise, when you think about it. We humans are genetically programmed to survive in the physical world, or at least that of our ancestors. We instinctively flee from stronger predators, become uneasy if someone looks “shifty,” and pull our hands away from a flame when it starts to burn.

As Bruce Schneier has written about extensively, our hard-wired tendencies do not always help us make the best decisions in assessing risk generally, or online in particular. They are, after all, mostly designed to keep us safe from immediate harm in the physical world.

Beyond this genetic programming, we all learn how to navigate the world as we grow up. Parenting, teaching, media, social cues and our own experience help guide us in our learning.

Navigating safely online is simultaneously less complex and more complex than doing so in the “real” world. The distinction is an artificial one, in one sense, as the Internet is integral to the daily fabric of many of our lives. Still, there’s nothing in our genetic programming or in the experience of most people alive today that has prepared them for protecting their computers, deciding where to click, or choosing which software to install.

So, what can we do—where “we” might include the technology industry, government, educators, parents, society—to help equip over two billion Internet users to make safer, more secure choices? What can (or must) change in how we educate, how we design user interfaces, how we signal danger, how we govern—to compensate for the instinctual cues and shared cultural experience that we lack in cyberspace?

I think a lot about these questions. I started this blog in part to give me a place to share thoughts, conversations, further questions, relevant resources, and hopefully an occasional answer. I hope others interested in this subject will engage, as well, whether through their own blogs, comments here, Twitter, or other avenues.