DOI: 10.1145/1837110.1837125
research-article

Folk models of home computer security

Published: 14 July 2010

Abstract

Home computer systems are insecure because they are administered by untrained users. The rise of botnets has amplified this problem; attackers compromise these computers, aggregate them, and use the resulting network to attack third parties. Despite a large security industry that provides software and advice, home computer users remain vulnerable. I identify eight 'folk models' of security threats that are used by home computer users to decide what security software to use, and which expert security advice to follow: four conceptualizations of 'viruses' and other malware, and four conceptualizations of 'hackers' that break into computers. I illustrate how these models are used to justify ignoring expert security advice. Finally, I describe one reason why botnets are so difficult to eliminate: they cleverly take advantage of gaps in these models so that many home computer users do not take steps to protect against them.

Published In

SOUPS '10: Proceedings of the Sixth Symposium on Usable Privacy and Security
July 2010
236 pages
ISBN:9781450302647
DOI:10.1145/1837110

Sponsors

  • Carnegie Mellon University

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. folk models
  2. home security
  3. mental models

Qualifiers

  • Research-article

Conference

SOUPS '10
Sponsor:
  • Carnegie Mellon University
SOUPS '10: Symposium on Usable Privacy and Security
July 14 - 16, 2010
Washington, Redmond, USA

Acceptance Rates

Overall Acceptance Rate 15 of 49 submissions, 31%
