Influencing mental models of security: a research agenda

Over 80 million households in the United States have a home computer and an Internet connection. The vast majority of these are administered by people who have little computer security knowledge or training, and many users try to avoid making security decisions because they feel they don’t have the knowledge and skills to maintain proper security. Nevertheless, home computer users still make security-related decisions on a regular basis — for example, whether or not to click on a shady link in an email message — without even knowing that’s what they are doing. Their decisions are guided by how they think about computer security, or their “mental models,” which do not have to be technically correct to lead to desirable security behaviors [44]. In other words, sometimes even “wrong” mental models produce good security decisions. By eliminating the constraint that non-technical users must become more like computer security experts to properly protect themselves, we believe that we can create more effective ways of helping home computer users make good security decisions. To that end, we propose a research agenda that will help us learn how to shape the mental models of regular non-technical computer users.