The Psychology of Security for the Home Computer User
Presented by: Jeremiah O’Connor

Psychology of Security
- User psychology is extremely important in the field of security.
- It is very important to understand the psychology not only of the predator (attacker), but also of the prey (user).
- Home users must protect themselves in 2012.
- Many different types of users: How to teach? How to learn? What are their motivations? How can we all move forward together?
- ...but WHY ME???

Identifying the Problem
- Most of the population using computers is unaware of the risks, too busy, or simply doesn’t care.
- People hold the misconception that “computers are complicated”, let alone trying to configure security settings.
- Establishing effective home computer security takes time, effort, and $$$.
- Some studies suggest that many users have incomplete and partially incorrect mental models of security threats, risks and consequences of actions. Even when users have some idea of what they should do, they are often unwilling to incur the costs (cognitive, opportunity and financial) to do so.

How Do You Define Home User?
- Old, young, profession, purpose?
- Multiple users for one home machine.
- Common victim profiles.

Home-User Motivations
- Different demographic, different uses:
  - High professionals (lawyers, doctors, IT people, celebrities): job and reputation are at stake.
  - Student population: wide range of uses.
- P2P has $*#&@ed up everything: “One study indicated that undergraduates consider P2P software to be indispensable, which is probably not the case with older adults.”
- “For example, studies such as show that users are willing to incur higher risk of negative consequences when they really want the service (e.g., Facebook, P2P software). Users are more willing to divulge more personal information when they perceive a positive gain from that information exchange.”

Poor Mental Models
- “I don’t earn over $40,000 a year so there is no reason for someone to attack my computer.” People think that people with more income are more of a target.
- “I don’t think anyone would attack my home computer, there is nothing important on it.”
- Mental models are based upon media adaptations: punk kids (script kiddies, cat burglars).
- Many are unaware of career criminals with excellent hacking skills.

Folk/Mental Models Concepts
- “Stupid User Approach”: very limited decision-making for the user; establish a good default security program.
- “Education Approach”: users have choices; offer security training classes (through work, community, or product classes).
- “Mental Models”: how a person views the world, formed by their experiences and environment. What is their mental model of computer security?
- Understand mental models: put yourself in their shoes. How do you make the subject interesting and important for them?
- Educational concepts: how do you make students want to learn? How do you make it easy for them to learn?
- Study education and psychological techniques.
- Answers lie in the numbers: statistical research.

Why Should We Care?
- Home computer users are by far the weakest link in computer security.
- Poor mental models go both ways. SecPro: “I don’t have time or patience for these people.”
- It’s your (the security professional’s) head on the chopping block: whether the break-in happens through a work machine or a home machine, it’s still your job on the line.
- Constantly teaching others will make you better at your job… GUARANTEED! coolPoints++;

Security Teaching
- Effective “educational” approach to teaching: “People use metaphors or mental models to think about complex processes.”
- The way viruses affect computers and the way viruses affect the body are strikingly similar:
  - Vaccines == Anti-Virus
  - Antibiotics == patches
  - Healthy lifestyle == firewall
- As computers get “smarter”, inevitably users will take better care of them.
- There has to be some sort of gain, perhaps emotional: just like when a family member or pet gets sick. Ex. Tamagotchi, Siri, RoboDog, Roomba.

“Stupid-User” Solution
- Focus on automated anti-virus software.
- A little bit can go a long way…

Example: an email supposedly from Cox, an Internet provider, but with a “Reply-to” address of …@qatar.io:

    Attention, We are bringing to your notice that our customer service will be damaging down some email users in our database, due to the high number of different emails that has been violated by our email policy, terms and conditions
    Provide us with the below info :
    Username:
    Password:
    Birth date:
    Account owner that refuses to maintain his or her account after 3-4 working days of this notification will lose account permanently from our site.

Solutions == Opportunity
- “Stupid User Approach”: an opportunity for more security software development. Protections should be automated and straightforward to understand; safer behavior has been identified in users with automated software updates and habits of safe behavior.
- “Education Approach”: users have choices; offer security training classes (through work, community, or product classes).
- Mental Models: how a person views the world, formed by their experiences and environment. What is their mental model of computer security?

My Views
- Paint an extremely vivid picture of what can happen if the user does not exercise security on their machines.
- Worst-Case Scenario Lie: it’s for their own good.
- Go with the flow; do not try to come to any conclusions.
- Patience, a positive attitude, and continuous reinforcement, no matter what the mental model, is the best approach.
- Education is important && Enthusiasm is infectious!!
- “Educational Approach”: the psychological theory of Constructivism. Instill the desire to learn about computer security, so that they want to learn.
- When the user is more aware, they feel more responsibility.
- Realize that people have an emotional attachment to their machines.
- Security software should be straightforward and extremely easy to use.

Bibliography
- Wash, R., Rader, E. Influencing Mental Models of Security: A Research Agenda.
- Howe, A. E., Ray, I., Roberts, M., Urbanska, M., Byrne, Z. The Psychology of Security for the Home Computer User.