
Home computer systems are insecure because they are administered by untrained users. The rise of botnets has amplified this problem; attackers compromise these computers, aggregate them, and use the resulting network to attack third parties. Despite a large security industry that provides software and advice, home computer users remain vulnerable. I identify eight 'folk models' of security threats that are used by home computer users to decide what security software to use, and which expert security advice to follow: four conceptualizations of 'viruses' and other malware, and four conceptualizations of 'hackers' that break into computers. I illustrate how these models are used to justify ignoring expert security advice. Finally, I describe one reason why botnets are so difficult to eliminate: they cleverly take advantage of gaps in these models so that many home computer users do not take steps to protect against them.
