Journal Article

Mental models of privacy and security

18 Sep 2009 - IEEE Technology and Society Magazine (IEEE) - Vol. 28, Iss: 3, pp 37-46
TL;DR: The strongest conclusion is that mental models can be used to improve risk communication and the best model may be the medical model.
Abstract: The mental models approach could significantly improve risk communication in the case of computer security. The particular mental models that will be discussed here are: physical, medical, criminal, warfare, and market models. Our strongest conclusion is that mental models can be used to improve risk communication. The second, untested, conclusion is that the best model may be the medical model.
Citations
Proceedings Article
05 Sep 2012
TL;DR: A new model for privacy is introduced, namely privacy as expectations, which involves using crowdsourcing to capture users' expectations of what sensitive resources mobile apps use and a new privacy summary interface that prioritizes and highlights places where mobile apps break people's expectations.
Abstract: Smartphone security research has produced many useful tools to analyze the privacy-related behaviors of mobile apps. However, these automated tools cannot assess people's perceptions of whether a given action is legitimate, or how that action makes them feel with respect to privacy. For example, automated tools might detect that a blackjack game and a map app both use one's location information, but people would likely view the map's use of that data as more legitimate than the game. Our work introduces a new model for privacy, namely privacy as expectations. We report on the results of using crowdsourcing to capture users' expectations of what sensitive resources mobile apps use. We also report on a new privacy summary interface that prioritizes and highlights places where mobile apps break people's expectations. We conclude with a discussion of implications for employing crowdsourcing as a privacy evaluation technique.

491 citations


Cites background from "Mental models of privacy and securi..."

  • ...For example, Camp [9] discussed five different high-level metaphors for how people think about computer security....

    [...]

Journal Article
TL;DR: A study of the statistical intuitions of experienced research psychologists revealed a lingering belief in what might be called the "law of small numbers," according to which even small samples are highly representative of the populations from which they are drawn.
Abstract: Misconceptions of chance are not limited to naive subjects. A study of the statistical intuitions of experienced research psychologists revealed a lingering belief in what might be called the "law of small numbers," according to which even small samples are highly representative of the populations from which they are drawn. The responses of these investigators reflected the expectation that a valid hypothesis about a population will be represented by a statistically significant result in a sample—with little regard for its size. As a consequence the researchers put too much faith in the results of small samples and grossly overestimated the replicability of such results. In the actual conduct of research, this bias leads to the selection of samples of inadequate size and to overinterpretation of findings.

389 citations

Proceedings Article
14 Jul 2010
TL;DR: Eight 'folk models' of security threats that are used by home computer users to decide what security software to use, and which expert security advice to follow are identified: four conceptualizations of 'viruses' and other malware, and four conceptualizations of 'hackers' that break into computers.
Abstract: Home computer systems are insecure because they are administered by untrained users. The rise of botnets has amplified this problem; attackers compromise these computers, aggregate them, and use the resulting network to attack third parties. Despite a large security industry that provides software and advice, home computer users remain vulnerable. I identify eight 'folk models' of security threats that are used by home computer users to decide what security software to use, and which expert security advice to follow: four conceptualizations of 'viruses' and other malware, and four conceptualizations of 'hackers' that break into computers. I illustrate how these models are used to justify ignoring expert security advice. Finally, I describe one reason why botnets are so difficult to eliminate: they cleverly take advantage of gaps in these models so that many home computer users do not take steps to protect against them.

319 citations


Cites methods from "Mental models of privacy and securi..."

  • ...Camp [6] proposed using mental models as a framework for communicating complex security risks to the general populace....

    [...]

Proceedings Article
01 Jan 2015
TL;DR: A study which aims to identify which practices people do that they consider most important at protecting their security online, and shows a discrepancy between the security practices that experts and non-experts report taking.
Abstract: The state of advice given to people today on how to stay safe online has plenty of room for improvement. Too many things are asked of them, which may be unrealistic, time consuming, or not really worth the effort. To improve the security advice, our community must find out what practices people use and what recommendations, if messaged well, are likely to bring the highest benefit while being realistic to ask of people. In this paper, we present the results of a study which aims to identify which practices people do that they consider most important at protecting their security online. We compare self-reported security practices of non-experts to those of security experts (i.e., participants who reported having five or more years of experience working in computer security). We report on the results of two online surveys—one with 231 security experts and one with 294 MTurk participants—on what the practices and attitudes of each group are. Our findings show a discrepancy between the security practices that experts and non-experts report taking. For instance, while experts most frequently report installing software updates, using two-factor authentication and using a password manager to stay safe online, non-experts report using antivirus software, visiting only known websites, and changing passwords frequently.

223 citations


Cites background from "Mental models of privacy and securi..."

  • ...Camp [9] describes a number of common user mental models about security that might be leveraged to better explain security advice to users....

    [...]

Journal Article
01 Mar 2011
TL;DR: A mental model interview study is described to gain insight into how advanced and novice computer users perceive and respond to computer warnings, so developers can leverage the approaches of advanced users to design more effective warnings for novice users.
Abstract: Computer security warnings are intended to protect users and their computers. However, research suggests that these warnings might be largely ineffective because they're frequently ignored. The authors describe a mental model interview study designed to gain insight into how advanced and novice computer users perceive and respond to computer warnings. Developers can leverage the approaches of advanced users to design more effective warnings for novice users.

198 citations


Cites methods from "Mental models of privacy and securi..."

  • ...We believe novice participants used an availability heuristic, assuming that viruses must be involved in any computer security context.(3,6)...

    [...]

References
Book
01 Jan 1974
TL;DR: The authors described three heuristics that are employed in making judgements under uncertainty: representativeness, availability of instances or scenarios, and adjustment from an anchor, which is usually employed in numerical prediction when a relevant value is available.
Abstract: This article described three heuristics that are employed in making judgements under uncertainty: (i) representativeness, which is usually employed when people are asked to judge the probability that an object or event A belongs to class or process B; (ii) availability of instances or scenarios, which is often employed when people are asked to assess the frequency of a class or the plausibility of a particular development; and (iii) adjustment from an anchor, which is usually employed in numerical prediction when a relevant value is available. These heuristics are highly economical and usually effective, but they lead to systematic and predictable errors. A better understanding of these heuristics and of the biases to which they lead could improve judgements and decisions in situations of uncertainty.

31,082 citations

Journal Article
30 Jan 1981 - Science
TL;DR: The psychological principles that govern the perception of decision problems and the evaluation of probabilities and outcomes produce predictable shifts of preference when the same problem is framed in different ways.
Abstract: The psychological principles that govern the perception of decision problems and the evaluation of probabilities and outcomes produce predictable shifts of preference when the same problem is framed in different ways. Reversals of preference are demonstrated in choices regarding monetary outcomes, both hypothetical and real, and in questions pertaining to the loss of human lives. The effects of frames on preferences are compared to the effects of perspectives on perceptual appearance. The dependence of preferences on the formulation of decision problems is a significant concern for the theory of rational choice.

15,513 citations


"Mental models of privacy and securi..." refers background in this paper

  • ...(Note the references that follow are drawn from those that resulted in the 2002 Bank of Sweden Prize in Economic Sciences for the authors of [32].)...

    [...]

  • ...Associating virtual risks with more tactile risks (wild animals, disease, crime and war) can increase sensitivity to and awareness of risks [32]....

    [...]

  • ...Anchoring not only reflects grounding of a risk but also response to a risk in three ways: irretrievability, imagination, and insufficient adjustment [32]....

    [...]

Book
01 Jun 1972
TL;DR: The aim of the book is to advance the understanding of how humans think by putting forth a theory of human problem solving, along with a body of empirical evidence that permits assessment of the theory.
Abstract: The aim of the book is to advance the understanding of how humans think. It seeks to do so by putting forth a theory of human problem solving, along with a body of empirical evidence that permits assessment of the theory. (Author)

10,770 citations

Posted Content
TL;DR: The thirty-five chapters in this book describe various judgmental heuristics and the biases they produce, not only in laboratory experiments but in important social, medical, and political situations as well.
Abstract: The thirty-five chapters in this book describe various judgmental heuristics and the biases they produce, not only in laboratory experiments but in important social, medical, and political situations as well. Individual chapters discuss the representativeness and availability heuristics, problems in judging covariation and control, overconfidence, multistage inference, social perception, medical diagnosis, risk perception, and methods for correcting and improving judgments under uncertainty. About half of the chapters are edited versions of classic articles; the remaining chapters are newly written for this book. Most review multiple studies or entire subareas of research and application rather than describing single experimental studies. This book will be useful to a wide range of students and researchers, as well as to decision makers seeking to gain insight into their judgments and to improve them.

2,954 citations

Journal Article
TL;DR: This paper reported that people regard a sample randomly drawn from a population as highly representative, i.e., similar to the population in all essential characteristics, and that the prevalence of the belief and its unfortunate consequences for psychological research are illustrated by the responses of 84 professional psychologists to a questionnaire concerning research decisions.
Abstract: Reports that people have erroneous intuitions about the laws of chance. In particular, they regard a sample randomly drawn from a population as highly representative, i.e., similar to the population in all essential characteristics. The prevalence of the belief and its unfortunate consequences for psychological research are illustrated by the responses of 84 professional psychologists to a questionnaire concerning research decisions.

2,747 citations


"Mental models of privacy and securi..." refers background in this paper

  • ...In every version of this experiment individuals expect small samples to be more representative than larger samples [31]....

    [...]