In computer security, risk communication refers to informing computer users about the likelihood and magnitude of a threat. The efficacy of risk communication depends not only on the nature of the risk, but also on the alignment between the conceptual model embedded in the communication and the user's own mental model of the risk. A gap between the mental models of security experts and non-experts can therefore render risk communication ineffective: a warning phrased in the expert's terms may be misread, discounted or ignored by the user it is meant to protect. Our research shows that, for a variety of security risks, self-identified security experts and non-experts hold different mental models. We propose that risk communication methods should be designed around the mental models of non-experts rather than those of the experts who author them.