Investigating Mental Models of Risk Among Security-Expert Users

Date

2020-01-01

Department

Information Systems

Program

Human Centered Computing

Rights

Access limited to the UMBC community. Item may possibly be obtained via Interlibrary Loan through a local library, pending author/copyright holder's permission.
This item may be protected under Title 17 of the U.S. Copyright Law. It is made available by UMBC for non-commercial research and education. For permission to publish or reproduce, please see http://aok.lib.umbc.edu/specoll/repro.php or contact Special Collections at speccoll(at)umbc.edu

Abstract

Usable security research endeavors to make interaction with technology more intuitive and trustworthy. Studying this area is critical given the increasing amount of sensitive data we entrust to networked devices and services, and our general propensity to discard online safeguards we find burdensome. A valuable facet of this research is the qualitative study of users' mental models. This approach gathers descriptions and observations of user behavior and builds an interpretive picture of how users understand their technology. Users' experiences with their mobile devices shape these beliefs, and that constructed understanding in turn may profoundly influence users' technological choices and expectations. Security-expert users are a particularly interesting cohort because their experience may sensitize them to risk and guide their technology choices in unique or prescient ways. With these issues in mind, three qualitative inquiries were conducted to better understand how advanced mental models of network security may influence user behavior. First, we investigated experts' (n=20) understanding of mobile security and how their concerns shaped everyday use of those platforms. They experienced the usual usability problems and situational impairments with their mobile devices, but also described caution towards data sharing. This avoidance depended on factors including the sensitivity of the data to be shared and varying degrees of distrust of the underlying network connections and technology platforms. Second, we compared the outlook and behavior of a similar cohort (n=38) of both experts and non-experts when considering adoption of biometric authentication on their mobile devices. Experts more readily accepted fingerprint unlocking as an improved mode of authentication than non-experts did. However, experts resisted its use for sensitive transactions, and their enthusiasm did not transfer to facial recognition.
Our third study examined, in two rounds (n=8 and n=19), the perceptions of experts serving in security consultant roles (CISOs) for small businesses. These CISOs tended to view government-authored security guidance as harder to use but more authoritative than commercial sources, and saw small businesses as highly vulnerable to online threats. This work concludes by comparing the observations and implications drawn from these studies against examples of security guidance; the CISOs described guidance of this type as a key reference and the basis for the advice they give to non-expert small business owners. Based on this deductive comparison, a preliminary set of guidelines for presenting models of online risk is offered. These guidelines indicate ways to make security guidance more effective, grounded in experts' perspectives that should be broadly applicable and useful as awareness of online threats becomes more prevalent.