The Psychology of Security for the Home Computer User

The home computer user is often said to be the weakest link in computer security. They do not always follow security advice, and they take actions, as in phishing, that compromise themselves. In general, we do not understand why users do not always behave safely, even though doing so would seem to be in their best interest. This paper reviews the literature of surveys and studies of factors that influence security decisions for home computer users. We organize the review in four sections: understanding of threats, perceptions of risky behavior, efforts to avoid security breaches, and attitudes to security interventions. We find that these studies reveal many reasons why current security measures may not match the needs or abilities of home computer users, and they suggest future work needed to inform how security is delivered to this user group.
