Home-computer users at risk due to use of 'folk model' security

May 24, 2011

(PhysOrg.com) -- Most home computers are vulnerable to hacker attacks because the users either mistakenly think they have enough security in place or they don’t believe they have enough valuable information that would be of interest to a hacker.

That’s the point of a paper published this month by Michigan State University’s Rick Wash, who says that most home-computer users rely on what are known as “folk models.” Those are beliefs about what hackers or viruses are that people use to make decisions about security – to keep their information safe.

Unfortunately, they don’t often work the way they should.

“Home security is hard because people are untrained in security,” said Wash, an assistant professor in the Department of Telecommunication, Information Studies and Media. “But it isn’t because people are idiots. Rather they try their best to make sense of what’s going on and frequently make choices that leave them vulnerable.”

In his paper, published in the proceedings of the Symposium on Usable Privacy and Security, Wash identified eight folk models of security threats that are used by home-computer users to decide what security software to use and which advice to follow.

These models range from the vague and generic – “viruses are bad” – to the more specific – “hackers are burglars who break into computers for criminal purposes.”

Adding to the problem, Wash said, is that people who rely on folk models for computer security don’t necessarily follow security advice from credible experts. This is because they either don’t understand the advice or because they believe the security advice isn’t relevant to them.

Knowing what people believe or discount can help the experts help the users.

“The folk models we describe begin to provide an explanation of which expert advice home computer users choose to follow and which advice to ignore,” Wash said. “By better understanding why people choose to ignore certain pieces of advice, we can better craft that advice and technologies to have a greater effect.”

It’s also important, he said, that security experts do a better job of explaining the threats that home computer users face.

“Without an understanding of threats, home-computer users intentionally choose to ignore advice that they don’t believe will help them,” Wash said. “ education efforts should focus not only on recommending what actions to take, but also emphasize why those actions are necessary.”

User comments : 7


stookified
not rated yet May 24, 2011
So.... what exactly was the point of this article?
Squirrel
not rated yet May 25, 2011
Stookified good point.

A list of Wash's papers can be found here http://www.rickwash.com/pubs/

A pdf of the work discussed above is here
http://www.rickwa...inal.pdf
Na_Reth
4 / 5 (1) May 25, 2011
get linux.
barakn
not rated yet May 25, 2011
get linux.

From the paper, "Everyone who had a Mac seemed to believe that Macs are 'immune' to virus and hacking problems." You seem to suffer from a similar delusion.
calvinr
not rated yet Jun 21, 2011
All the experts offering advice are trying to sell a product! I tend to ignore such people. I read the reviews and make a decision based on flash-bang-clutter removal then look at what's left. Above all, I avoid Best Buy.
J-n
5 / 5 (1) Jun 21, 2011
While Linux might become the target of a large, successful attack, as of yet it has not been.

Often people will say that Linux is Like Mac because they have small user bases. While the numbers of users of Linux is lower, Linux targets are much more sought after (Most servers are Linux, not Windows or Mac). The gain of being able to compromise a Linux Box is greater than that of Mac.

The Difference between Linux, Mac and Windows is how Security driven they are. There are several Distributions of Linux that focus on security, also the way that Linux is built, maintained and the way the users interact with it, all work to preclude the ability for it to become compromised.

Windows security is difficult because of all the Extras windows activates, and places in their system "Just in case" you want to use them. These are all vectors for attack.

Mac Security is Difficult because of the "Black Box" Nature of Apple. It is difficult to secure a Mac system, because you have to trust apple.
J-n
5 / 5 (1) Jun 21, 2011
Linux security is much stronger because of the ease of application of security (Most linux distributions start out pretty secure, and it is a simple matter to make them Fort Knox secure). It is also much easier to have a secure linux system because of the way that Linux handles programs, updates, passwords, etc.

So, while, yes a linux distribution may some day become the target of an actual Virus, or other piece of malware, the likelihood of someone compiling the software to run it (in the process putting in their admin password several times, being warned about bad software etc) then after compiling the software for their system, giving it the permission to act as admin, then run the software as admin... It's kinda low.

Certainly not like the vectors for Windows or Mac when going to a website or viewing an e-mail could infect you.