People make decisions following the mental models they have of how a system works. Security is no different from other fields. Experts or technically well-informed people may have mental models that are reasonably accurate, i.e. the mental model fits reasonably well with the real-world behavior. For normal users, the problem is different. Rick Wash identified several mental models used by normal users when handling security in a paper entitled “Folk Models of Home Computer Security”. For instance, he extracted four mental models describing what viruses are:
- Viruses are bad; people using this mental model have little knowledge about viruses and thus believe they are not concerned. They think they are immune.
- Viruses are buggy software; viruses are normal software that is badly written. Their bugs may crash the computer or create strange behavior. People understood that they needed to download and install such viruses themselves. Thus, their only protection was to install trusted software.
- Viruses cause mischief; viruses are pieces of software that are intentionally annoying. They disrupt the normal behavior of the computer. People do not understand the genesis of viruses. They understand that the infection comes from clicking on applications or visiting bad sites. Their suggested protection is to be careful.
- Viruses support crime; the end goal of viruses is identity theft or siphoning off personal and banking information. As such, people believe that viruses are stealthy and do not impair the behavior of the computer. Their suggested protection is the regular use of anti-virus software.
Wash extracted four mental models used to understand hackers.
- Hackers are digital graffiti artists; hackers are skilled individuals who break into computers just for mischief and to show off. They are often young geeks with poor morals. This is the Hollywood image of hackers. The victims are random.
- Hackers are burglars; hackers act with computers as burglars act with physical property. The goal is financial gain. The victims are chosen opportunistically.
- Hackers are criminals targeting big fish; these hackers are similar to the previous ones, but their victims are either organizations or rich people.
- Hackers are contractors who support criminals; these hackers are similar to the graffiti hackers, but they are henchmen of criminal organizations. Their victims are mostly large organizations.
When applying these mental models, it is obvious that some best practices will never be used by end users, regardless of their pertinence. Most users do not understand these practices or feel they are not concerned by them. For instance, users who believe that viruses are bad or buggy software cannot see the point of installing an anti-virus. Users who equate hackers with contractors believe that hackers will never attack their home computers. Better understanding the mental models of users highlights where awareness is needed to adjust the user’s mental model to reality. It also helps to design efficient security solutions that fit the user’s mental model while actually defending against the threats of the real world.