ABSTRACT
Home computer systems are insecure because they are administered by untrained users. The rise of botnets has amplified this problem; attackers compromise these computers, aggregate them, and use the resulting network to attack third parties. Despite a large security industry that provides software and advice, home computer users remain vulnerable. I identify eight 'folk models' of security threats that are used by home computer users to decide what security software to use, and which expert security advice to follow: four conceptualizations of 'viruses' and other malware, and four conceptualizations of 'hackers' that break into computers. I illustrate how these models are used to justify ignoring expert security advice. Finally, I describe one reason why botnets are so difficult to eliminate: they cleverly take advantage of gaps in these models so that many home computer users do not take steps to protect against them.
- A. Adams and M. A. Sasse. Users are not the enemy. Communications of the ACM, 42(12):40--46, December 1999. Google ScholarDigital Library
- R. Anderson. Why cryptosystems fail. In CCS '93: Proceedings of the 1st ACM conference on Computer and communications security, pages 215--227. ACM Press, 1993. Google ScholarDigital Library
- F. Asgharpour, D. Liu, and L. J. Camp. Mental models of computer security risks. In Workshop on the Economics of Information Security (WEIS), 2007.Google Scholar
- P. Bacher, T. Holz, M. Kotter, and G. Wicherski. Know your enemy: Tracking botnets. from the Honeynet Project, March 2005.Google Scholar
- P. Barford and V. Yegneswaran. An inside look at botnets. In Special Workshop on Malware Detection, Advances in Information Security. Springer-Verlag, 2006.Google Scholar
- J. L. Camp. Mental models of privacy and security. Available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=922735, August 2006.Google Scholar
- L. J. Camp and C. Wolfram. Pricing security. In Proceedings of the Information Survivability Workshop, 2000.Google Scholar
- A. Collins and D. Gentner. How people construct mental models. In D. Holland and N. Quinn, editors, Cultural Models in Language and Thought. Cambridge University Press, 1987.Google ScholarCross Ref
- R. Contu and M. Cheung. Market share: Security market, worldwide 2008. Gartner Report: http://www.gartner.com/it/page.jsp?id=1031712, June 2009.Google Scholar
- L. F. Cranor. A framework for reasoning about the human in the loop. In Usability, Psychology, and Security Workshop. USENIX, 2008. Google ScholarDigital Library
- R. D'Andrade. The Development of Cognitive Anthropology. Cambridge University Press, 2005.Google Scholar
- P. Dourish, R. Grinter, J. D. de la Flor, and M. Joseph. Security in the wild: User strategies for managing security as an everyday, practical problem. Personal and Ubiquitous Computing, 8(6):391--401, November 2004. Google ScholarCross Ref
- D. M. Downs, I. Ademaj, and A. M. Schuck. Internet security: Who is leaving the 'virtual door' open and why? First Monday, 14(1--5), January 2009.Google Scholar
- R. E. Grinter, W. K. Edwards, M. W. Newman, and N. Ducheneaut. The work to make a home network work. In Proceedings of the 9th European Conference on Computer Supported Cooperative Work (ECSCW '05), pages 469--488, September 2005. Google ScholarDigital Library
- J. Gross and M. B. Rosson. Looking for trouble: Understanding end user security management. In Symposium on Computer Human Interaction for the Management of Information Technology (CHIMIT), 2007. Google ScholarDigital Library
- C. Herley. So long, and no thanks for all the externalities: The rational rejection of security advice by users. In Proceedings of the New Security Paradigms Workshop (NSPW), September 2009. Google ScholarDigital Library
- P. Johnson-Laird, V. Girotto, and P. Legrenzi. Mental models: a gentle guide for outsiders. Available at http://www.si.umich.edu/ICOS/gentleintro.html, 1998.Google Scholar
- P. N. Johnson-Laird. Mental models in cognitive science. Cognitive Science: A Multidisciplinary Journal, 4(1):71--115, 1980.Google ScholarCross Ref
- W. Kempton. Two theories of home heat control. Cognitive Science: A Multidisciplinary Journal, 10(1):75--90, 1986.Google ScholarCross Ref
- A. J. Kuzel. Sampling in qualitative inquiry. In B. Crabtree and W. L. Miller, editors, Doing Qualitative Research, chapter 2, pages 31--44. Sage Publications, Inc., 1992.Google Scholar
- J. Markoff. Attack of the zombie computers is a growing threat, experts say. New York Times, January 7 2007.Google Scholar
- D. Medin, N. Ross, S. Atran, D. Cox, J. Coley, J. Proffitt, and S. Blok. Folkbiology of freshwater fish. Cognition, 99(3):237--273, April 2006.Google ScholarCross Ref
- M. B. Miles and M. Huberman. Qualitative Data Analysis: An Expanded Sourcebook. Sage Publications, Inc., 2nd edition edition, 1994. MilesHuberman 1994.Google Scholar
- A. J. Onwuegbuzie and N. L. Leech. Validity and qualitative research: An oxymoron? Quality and Quantity, 41:233--249, 2007.Google ScholarCross Ref
- D. Russell, S. Card, P. Pirolli, and M. Stefik. The cost structure of sensemaking. In Proceedings of the INTERACT '93 and CHI '93 conference on Human factors in computing system, 1993. Google ScholarDigital Library
- Trend Micro. Taxonomy of botnet threats. Whitepaper, November 2006.Google Scholar
Index Terms
- Folk models of home computer security
Recommendations
Influencing mental models of security: a research agenda
NSPW '11: Proceedings of the 2011 New Security Paradigms WorkshopOver 80 million households in the United States have a home computer and an Internet connection. The vast majority of these are administered by people who have little computer security knowledge or training, and many users try to avoid making security ...
Security begins at home: everyday security behaviour and lessons for cybersecurity research
PLoP '19: Proceedings of the 26th Conference on Pattern Languages of ProgramsAn important challenge in cybersecurity is that many users have only weak understanding of the threats involved, and the defences against them. This means that, even when defences are available, user behaviour sometimes allows successful attacks. In the ...
Adversarial Localization against Wireless Cameras
HotMobile '18: Proceedings of the 19th International Workshop on Mobile Computing Systems & ApplicationsThis paper identifies and empirically evaluates the effectiveness of adversarial localization attacks against wireless IoT devices, e.g., wireless security cameras in the home. We use experiments in home and office settings to show that attackers can ...
Comments