How people think about PC security

I recently had the privilege of reading “Folk Models of Home Computer Security,” a great paper by Rick Wash, an assistant professor at Michigan State. Here’s his abstract:

Home computer systems are frequently insecure because they are administered by untrained, unskilled users.  The rise of botnets has amplified this problem; attackers can compromise these computers, aggregate them, and use the resulting network to attack third parties.  Despite a large security industry that provides software and advice, home computer users remain vulnerable.  I investigate how home computer users make security-relevant decisions about their computers.  I identify eight ‘folk models’ of security threats that are used by home computer users to decide what security software to use, and which security advice to follow: four different conceptualizations of ‘viruses’ and other malware, and four different conceptualizations of ‘hackers’ that break into computers.  I illustrate how these models are used to justify ignoring some security advice.  Finally, I describe one reason why botnets are so difficult to eliminate: they have been cleverly designed to take advantage of gaps in these models so that many home computer users do not take steps to protect against them.

The brilliance of the paper is its insight into how people actually make decisions about their PCs. Report after report has highlighted what people do (or fail to do), but not why they do it. Wash points out that his sample was small, so his findings may not represent the whole population. Still, it’s reasonable to assume that many users have mental models similar to those of the individuals Wash interviewed.

I do wish that he hadn’t steered away, at times explicitly, from a natural conclusion: that helping people understand the reality of cybercrime might change their models and thus their behavior. That said, his own conclusion, that those of us who want to change users’ behavior have to meet users where they are, not where we wish they would be, is well taken.

Hat tip to Bruce Schneier for his mention of this paper.