Experimental Evaluations of Expert and Non-expert Computer Users’ Mental Models of Security Risks

1 2 There is a critical need in computer security to communicate risks and thereby enable informed decisions by naive users. Yet computer security has not been engaged with the scholarship of risk communication. While the existence of malicious actors may appear at first to distinguish computer risk from environmental or medical risk, the impersonal un-targeted nature of the exploitation of computing resources and the technical complexity of the risks are similarities. This work is a first experimental step in evaluating the informal, implicit, and unexamined use of mental models in computer security. The experiments described in this paper have three results. First, the experiments show that for a wide range of security risks self-identified security experts and non-experts have quite distinct mental models. Second, a stronger definition of expertise increases the distance between the mental models of non-experts and experts. Finally, the implicit and informal use of models through metaphors in the computer security community has not resulted in metaphors that match the mental models of naive users, and more surprisingly , of self-identified experts. We close with a description of our research agenda targeted at developing a better understanding of the mental models of naive users. Reference as Farzeneh Asgapour, Debin Liu and L. Jean Camp, Risk Communication in Computer Security using Mental Models, WEIS 2007, (Pittsburgh, PA) 5-6 June 2007. This work was produced in part with support from the Institute for Information Infrastructure Protection research program. The I3P is managed by Dartmouth College, and supported under Award number 2003-TK-TX-0003 from the U.S. DHS, Science and Technology Directorate. This material is based upon work supported by the National Science Foundation under award number 0705676. Opinions, findings, conclusions, recommendations or points of view in this document are those of the author(s) and do not necessarily represent the official position of the U.S. Department of Homeland Security, National Science Foundation, the Science and Technology Directorate, the I3P, the NSF, Indiana University, or Dartmouth College.