The Psychology of Security for the Home Computer User Presented By: Jeremiah O’Connor.

Psychology of Security

User Psychology is extremely important in the field of Security

Very important to understand psychology of not only predator (attacker), but also the prey (user)

Home users must protect themselves in 2012

Many different types of users: How to teach? How to Learn?

What are their motivations?

How can we all move forward together?

...but WHY ME???

Identifying the Problem

Most of population using computers unaware of risks, too busy, or simply don’t care

People hold misconception that “computers are complicated”, let alone trying to configure security settings

Establishing effective home computer security takes time, effort, and $$$

Some studies suggest that many users have incomplete and partially incorrect mental models of security threats, risks and consequences of actions. Even when users have some idea of what they should do, they are often unwilling to incur the costs (cognitive, opportunity and financial) to do so.

How do you define Home User? Old, young, profession, purpose?

Multiple users for one home machine

Common Victim Profiles:

Home-User Motivations

Different demographic, different uses:

High professionals: lawyers, doctors, IT people, celebrities, job/reputation

Student population wide range of uses

P2P has $*#&@ed up everything:

“One study indicated that undergraduates consider P2P software to be indispensable, which is probably not the case with older adults.”

“For example, studies such as show that users are willing to incur higher risk of negative consequences when they really want the service (e.g., Facebook, P2P software). Users are more willing to divulge more personal information when they perceive a positive gain from that information exchange”

Poor mental models: “I don’t earn over $40,000 a year so there is no reason for someone to attack my computer.”

People think that people with more income are more of a target

“I don’t think anyone would attack my home computer, there is nothing important on it,”

Poor Mental Models

Mental Models based upon media adaptations

Punk kids (script kiddies, cat burglars)

Many Unaware of Career-Criminals with excellent hacking skills

“I don’t earn over $40,000 a year so there is no reason for someone to attack my computer.”

People think that people with more income are more of a target

“I don’t think anyone would attack my home computer, there is nothing important on it,”

Folk/Mental Models Concepts:

“Stupid User Approach” – Very limited decision-making for user, establish good default security program

“Education approach” – users have choices, offer security training classes (through work/ community/ product classes)

“Mental Models” – how a person views the world, formed by their experiences and environment

What is their mental model of computer security?

Understand Mental Models: Put yourself in their shoes? How do you make subject interesting and important for them?

Educational concepts: how do you make students want to learn? How do you make it easy for them to learn?

Study Education and Psychological techniques

Answers lie in the numbers - statistical research

Why Should We Care?

Home computer users by far the weakest link in Computer Security

Poor mental models go both ways: SecPro: “I don’t have time or patience for these people.”

It’s your (Security Professional’s) head on the chopping block

Whether break-in happens through work machine or home machine. It’s still your job on the line.

Constantly teaching others will make you better at your job…GUARANTEED!

coolPoints++;

Security Teaching

Effective “Educational” Approach to Teaching:

“People use metaphors or mental models to think about complex processes.”

The way viruses affect computers and the way viruses affect the body are strikingly similar

Vaccines == Anti-Virus

Antibiotics == patches

Healthy lifestyle == firewall

As Computers get “smarter”, inevitably users will take better care of them

Have to have some sort of gain - emotional??

Just like a family member, pet, get sick

Ex. Tamagotchi, Siri, RoboDog, Roomba

“Stupid-User” Solution: Focus on Automated Anti-Virus Software

Attention,

We are bringing to your notice that our customer service will be damaging down some email users in our database, due to the high number of different emails that has been violated by our email policy, terms and conditions

Provide us with the below info :

Username:

Password:

Birth date:

Account owner that refuses to maintain his or her account after 3-4 working days of this notification will lose account permanently from our site.

An email supposedly from Cox, an Internet provider, but with a “Reply-to” address of …@qatar.io.

A little bit can go a long way…

Solutions == Opportunity

“Stupid User Approach”

Opportunity for more security software development

Protections should be automated and straightforward to understand; safer behavior has been identified in users with automated software updates and habits of safe behavior

“Education approach” – users have choices, offer security training classes (through work/ community/ product classes)

Mental Models: how a person views the world, formed by their experiences and environment

What is their mental model of computer security?

Understand Mental Models: Put yourself in their shoes? How do you make subject interesting and important for them?

Educational concepts: how do you make students want to learn? How do you make it easy for them to learn?

Study Education and Psychological techniques

Answers lie in the numbers - statistical research

My Views

Paint an extremely vivid picture of what can happen if user does not exercise security on their machines

Worst-Case Scenario

Lie

It’s for their own good

Go with the flow, do not try to come to any conclusions

Patience, positive attitude, continuous reinforcement no matter what the mental model best approach

Education is important && Enthusiasm is infectious!!

“Educational Approach” - psychological theory of Constructivism

Instill desire to learn about computer security, so they want to learn

When user is more aware, they feel more responsibility

Realize people have emotional attachment to machines

Security software should be straightforward, and extremely easy to use

Bibliography:

Wash, Rader, Influencing Mental Models of Security: A Research Agenda

Adele E. Howe, Indrajit Ray, Mark Roberts, Malgorzata Urbanska, Zinta Byrne, The Psychology of Security for the Home Computer User