The Psychology of Security for the Home Computer User Presented By: Jeremiah O’Connor.
The Psychology of Security for the Home Computer User
Presented By: Jeremiah O’Connor
Psychology of Security
User Psychology is extremely important in the field of Security
Very important to understand psychology of not only predator (attacker), but also the prey (user)
Home users must protect themselves in 2012
Many different types of users: How to teach? How to Learn?
What are their motivations?
How can we all move forward together?
...but WHY ME???
Identifying the Problem
Most of population using computers unaware of risks, too busy, or simply don’t care
People hold misconception that “computers are complicated”, let alone trying to configure security settings
Establishing effective home computer security takes time, effort, and $$$
Some studies suggest that many users have incomplete and partially incorrect mental models of security threats, risks and consequences of actions. Even when users have some idea of what they should do, they are often unwilling to incur the costs (cognitive, opportunity and financial) to do so.
How do you define Home User?
Old, young, profession, purpose?
Multiple users for one home machine
Common Victim Profiles:
Home-User Motivations
Different demographic, different uses:
High professionals: lawyers, doctors, IT people, celebrities, job/reputation
Student population wide range of uses
P2P has $*#&@ed up everything:
“One study indicated that undergraduates consider P2P software to be indispensable, which is probably not the case with older adults.”
“For example, studies such as show that users are willing to incur higher risk of negative consequences when they really want the service (e.g., Facebook, P2P software). Users are more willing to divulge more personal information when they perceive a positive gain from that information exchange”
Poor mental models: “I don’t earn over $40,000 a year so there is no reason for someone to attack my computer.”
People think that people with more income are more of a target
“I don’t think anyone would attack my home computer, there is nothing important on it,”
Poor Mental Models
Mental Models based upon media adaptations
Punk kids (script kiddies, cat burglars)
Many Unaware of Career-Criminals with excellent hacking skills
Folk/Mental Models Concepts:
“Stupid User Approach” – very limited decision-making for user, establish good default security program
“Education approach” – users have choices, offer security training classes (through work/ community/ product classes)
“Mental Models” – how a person views the world, formed by their experiences and environment
What is their mental model of computer security?
Understand Mental Models:
Put yourself in their shoes? How do you make subject interesting and important for them
Educational concepts: how do you make students want to learn? How do you make it easy for them to learn?
Study Education and Psychological techniques
Answers lie in the numbers- statistical research
Why Should We Care?
Home computer users by far the weakest link in Computer Security
Poor mental models go both ways:
SecPro: “I don’t have time or patience for these people.”
It’s your (Security Professional’s) head on the chopping block
Whether break-in happens through work machine or home machine. It’s still your job on the line.
Constantly teaching others will make you better at your job…GUARANTEED!
coolPoints++;
Security Teaching
Effective “Educational” Approach to Teaching:
“People use metaphors or mental models to think about complex processes.”
Way viruses affect computers and way viruses affect the body are strikingly similar
Vaccines == Anti-Virus
Antibiotics == patches
Healthy lifestyle == firewall
As Computers get “smarter”, inevitably users will take better care of them
Have to have some sort of gain- emotional??
Just like a family member, pet, get sick
Ex. Tamagotchi, Siri, RoboDog, Roomba
“Stupid-User” Solution: Focus on Automated Anti-Virus Software
Attention,
We are bringing to your notice that our customer service will be damaging down some email users in our database, due to the high number of different emails that has been violated by our email policy, terms and conditions
Provide us with the below info :
Username:
Password:
Birth date:
Account owner that refuses to maintain his or her account after 3-4 working days of this notification will lose account permanently from our site.
An email supposedly from Cox, an Internet provider, but with a “Reply-to” address of …@qatar.io.
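The two giveaways in the message above (a Reply-To that leaves the sender's domain, and a body that asks for credentials) can be checked automatically. This is an added example, not part of the original slides: the function names are hypothetical, and the From/Reply-To addresses in the sample are constructed placeholders on reserved example domains.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the body wording comes from the slide; the addresses are
# placeholders on reserved example domains, not the real message's values.
SAMPLE = """\
From: Customer Service <support@isp.example>
Reply-To: accounts@mailbox.example
Subject: Attention

Provide us with the below info :
Username:
Password:
Birth date:
"""

# Form fields the slide's message asks the reader to fill in.
CREDENTIAL_FIELDS = ("username:", "password:", "birth date:")


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def phishing_signals(raw_message):
    """Return a list of warning strings for one plain-text e-mail message."""
    msg = message_from_string(raw_message)
    signals = []
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    # Signal 1: replies would go to a different domain than the claimed sender.
    if reply_dom and reply_dom != from_dom:
        signals.append(
            f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # Signal 2: the body asks the reader to send back account details.
    body = msg.get_payload().lower()
    asked = [f.rstrip(":") for f in CREDENTIAL_FIELDS if f in body]
    if asked:
        signals.append("asks for: " + ", ".join(asked))
    return signals


if __name__ == "__main__":
    for warning in phishing_signals(SAMPLE):
        print("WARNING:", warning)
```

A differing Reply-To domain also occurs in legitimate mail (mailing lists, outsourced support desks), so treat each signal as a reason to look closer, not as a verdict.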
A little bit can go a long way…
Solutions == Opportunity
“Stupid User Approach”
Opportunity for more security software development
Protections should be automated and straightforward to understand; safer behavior has been identified in users with automated software updates and habits of safe behavior
My Views
Paint an extremely vivid picture of what can happen if user does not exercise security on their machines
Worst-Case Scenario
Lie
It’s for their own good
Go with the flow, do not try to come to any conclusions
Patience, positive attitude, continuous reinforcement no matter what the mental model best approach
Education is important && Enthusiasm is infectious!!
“Educational Approach”- psychological theory of Constructivism
Instill desire to learn about computer security, so they want to learn
When user is more aware, they feel more responsibility
Realize people have emotional attachment to machines
Security software should be straightforward, and extremely easy to use
Bibliography:
Wash, Rader, Influencing Mental Models of Security: A Research Agenda
Adele E. Howe, Indrajit Ray, Mark Roberts, Malgorzata Urbanska, Zinta Byrne, The Psychology of Security for the Home Computer User