The Psychology of Security for the Home Computer User

Presented By: Jeremiah O’Connor
Psychology of Security
User psychology is extremely important in the field of security
It is very important to understand the psychology not only of the predator (attacker) but also of the prey (user)
Home users must protect themselves in 2012
Many different types of users:
How to teach? How to learn?
What are their motivations?
How can we all move forward together?
...but WHY ME???
Identifying the Problem
Most of the population using computers is unaware of the risks, too busy, or simply doesn’t care
People hold the misconception that “computers are complicated”, let alone trying to configure security settings
Establishing effective home computer security takes time, effort, and $$$
Some studies suggest that many users have incomplete and partially incorrect mental models of security threats, risks and consequences of actions. Even when users have some idea of what they should do, they are often unwilling to incur the costs (cognitive, opportunity and financial) to do so.
How do you define Home User?
Old, young, profession, purpose?
Multiple users for one home machine
Common Victim Profiles:
Home-User Motivations
Different demographic, different uses:
High professionals: lawyers, doctors, IT people, celebrities; job/reputation at stake
Student population: wide range of uses
P2P has $*#&@ed up everything:
“One study indicated that undergraduates consider P2P software to be indispensable, which is probably not the case with older adults.”
“For example, studies such as show that users are willing to incur higher risk of negative consequences when they really want the service (e.g., Facebook, P2P software). Users are more willing to divulge more personal information when they perceive a positive gain from that information exchange”
Poor mental models:
“I don’t earn over $40,000 a year so there is no reason for someone to attack my computer.”
People think that people with more income are more of a target
“I don’t think anyone would attack my home computer, there is nothing important on it.”
Poor Mental Models
Mental models based upon media adaptations
Punk kids (script kiddies, cat burglars)
Many are unaware of career criminals with excellent hacking skills
Folk/Mental Models
Concepts:
“Stupid User Approach”: very limited decision-making for the user; establish a good default security program
“Education Approach”: users have choices; offer security training classes (through work, community, or product classes)
“Mental Models”: how a person views the world, formed by their experiences and environment
What is their mental model of computer security?
Understand Mental Models:
Put yourself in their shoes: how do you make the subject interesting and important for them?
Educational concepts: how do you make students want to learn? How do you make it easy for them to learn?
Study education and psychological techniques
Answers lie in the numbers: statistical research
Why Should We Care?
Home computer users are by far the weakest link in computer security
Poor mental models go both ways:
SecPro: “I don’t have time or patience for these people.”
It’s your (the Security Professional’s) head on the chopping block
Whether the break-in happens through a work machine or a home machine, it’s still your job on the line
Constantly teaching others will make you better at your job…GUARANTEED!
coolPoints++;
Security Teaching
Effective “Educational” Approach to Teaching:
“People use metaphors or mental models to think about complex processes.”
The way viruses affect computers and the way viruses affect the body are strikingly similar
Vaccines == Anti-Virus
Anti-Biotics == patches
Healthy lifestyle == firewall
As computers get “smarter”, inevitably users will take better care of them
There has to be some sort of gain; emotional??
Just like when a family member or pet gets sick
Ex. Tamagotchi, Siri, RoboDog, Roomba
“Stupid-User” Solution:
Focus on automated Anti-Virus software
A little bit can go a long way…
Attention,
We are bringing to your notice that our customer service will be damaging down some email users in our database, due to the high number of different emails that has been violated by our email policy, terms and conditions
Provide us with the below info :
Username:
Password:
Birth date:
Account owner that refuses to maintain his or her account after 3-4 working days of this notification will lose account permanently from our site.
An email supposedly from Cox, an Internet provider, but with a “Reply-to” address of …@qatar.io.
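As an added example (not part of the original talk), a small Python check that flags the kind of signals this message shows: a Reply-To domain that differs from the From domain, a body asking for username/password, and a deadline threatening account loss. The addresses and domains in the two sample messages are constructed placeholders, not those of the real email.

```python
from email import message_from_string, policy
import re

# Constructed sample modelled on the message quoted above: the From header
# claims the ISP (placeholder domain) while Reply-To points somewhere else.
SAMPLE_PHISH = """\
From: Customer Service <support@isp.example>
Reply-To: Account Desk <desk@example.net>
Subject: Attention

Our customer service will be damaging down some email users.
Provide us with the below info :
Username:
Password:
Birth date:
Account owner that refuses to maintain his or her account after
3-4 working days of this notification will lose account permanently.
"""

# Constructed benign message from the same placeholder ISP, for comparison.
SAMPLE_LEGIT = """\
From: Billing <billing@isp.example>
Subject: Your statement is ready

Your monthly statement is available in the account portal.
"""

CREDENTIAL_WORDS = ("password", "username", "birth date")
DEADLINE = re.compile(r"\b\d+(\s*-\s*\d+)?\s+(working\s+)?days\b", re.I)

def _domain(header_value):
    """Lower-cased domain of the first address in a header, or None."""
    if not header_value:
        return None
    match = re.search(r"@([\w.-]+)", str(header_value))
    return match.group(1).lower() if match else None

def phishing_indicators(raw_message):
    """Return the names of the indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    body = msg.get_content().lower()
    found = []
    from_dom, reply_dom = _domain(msg["From"]), _domain(msg["Reply-To"])
    if from_dom and reply_dom and from_dom != reply_dom:
        found.append("reply-to domain differs from From domain")
    if any(word in body for word in CREDENTIAL_WORDS):
        found.append("body asks for credentials")
    if DEADLINE.search(body) and "lose" in body:
        found.append("deadline with threat of account loss")
    return found
```

Running `phishing_indicators(SAMPLE_PHISH)` returns all three indicator names, while the benign sample returns an empty list.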
Solutions == Opportunity
“Stupid User Approach”
Opportunity for more security software development
Protections should be automated and straightforward to understand; safer behavior has been identified in users with automated software updates and habits of safe behavior
My Views
Paint an extremely vivid picture of what can happen if the user does not exercise security on their machines
Worst-Case Scenario
Lie
It’s for their own good
Go with the flow, do not try to come to any conclusions
Patience, a positive attitude, and continuous reinforcement no matter what the mental model: the best approach
Education is important && Enthusiasm is infectious!!
“Educational Approach”: the psychological theory of Constructivism
Instill the desire to learn about computer security, so they want to learn
When users are more aware, they feel more responsibility
Realize people have an emotional attachment to their machines
Security software should be straightforward and extremely easy to use
Bibliography:
Wash, R., Rader, E. Influencing Mental Models of Security: A Research Agenda.
Howe, A. E., Ray, I., Roberts, M., Urbanska, M., Byrne, Z. The Psychology of Security for the Home Computer User.