Mental Models of Computer Security Risks

Improved computer security requires improvements in risk communication to naive end users. The efficacy of risk communication depends not only on the nature of the risk, but also on the alignment between the conceptual model embedded in the risk communication and the recipients' perception of the risk. A mismatch between the communicated mental model and the perceived one can make the risk communication ineffective. The experiment described in this paper shows that, for a variety of security risks, self-identified security experts and non-experts hold different mental models. We illustrate that this outcome is sensitive to the definition of "expertise". We also show that the models implicit in the literature correspond to neither the experts' nor the non-experts' mental models. We propose that risk communication be designed around the non-experts' mental model of each security risk, and we discuss how this can be done.