Mental Models of Computer Security Risks

Improved computer security requires improvements in risk communication to naive end users. Efficacy of risk communication depends not only on the nature of the risk, but also on the alignment between the conceptual model embedded in the risk communication and the recipients’ perception of the risk. The difference between these communicated and perceived mental models could lead to ineffective risk communication. The experiment described in this paper shows that for a variety of security risks self-identified security experts and non-experts have different mental models. We illustrate that this outcome is sensitive to the definition of “expertise”. We also show that the models implicit in the literature do not correspond to experts or non-expert mental models. We propose that risk communication should be designed based on the non-expert’s mental models with regard to each security risk and discuss how this can be done.