interaction. Fundamentally, it is how people think about risk that guides their behavior. Basic principles of human behavior govern how users think about security in everyday situations, and they shed light on why users undermine security by accident.
This article offers a brief introduction to research on risk, uncertainty, and human decision making; relates it to the security decisions users make; and provides a few key concepts and possibilities for how they might be used to improve users' security behavior.
Non-acceptance of security tools is recognized as a major problem facing the information security world [5]. Research on the usability of security mechanisms has exploded over the last decade, and an excellent trove of research papers is cataloged by the HCISec Bibliography hosted at www.gaudior.net/alma/biblio.html. Among the studies listed there is a mountain of evidence that mechanisms for encryption, authorization, and authentication can be difficult for people to understand or use [1, 9], and that people often fail to recognize security risks or the information provided to cue them [3, 4]. Accordingly, researchers have promoted the need for user-centered design throughout the development process and warn that usability testing security systems only at the end of the process does not guarantee a usable or acceptable system [7, 11, 12].
However, there is more to this than interaction with technology. Human decision making has been a topic of study in the social sciences, from economics to psychology, for over a century. The net sum of that research suggests that individuals are often less than optimal decision makers when it comes to reasoning about risk. However, we have predictable and exploitable characteristics in our decision-making process. Understanding these principles, and how users come to make decisions about security, may suggest places where we can improve the outcome of those decisions.
Users do not think they are at risk. First of all, people tend to believe they are less vulnerable to risks than others. Most people believe they are better-than-average drivers and that they will live beyond the average life expectancy [6]. People also believe they are less likely than others to be harmed by consumer products. It stands to reason that any computer user has the preset belief that they are at less risk of a computer vulnerability than others. It should come as no surprise that, in 2004, a survey from AOL and the National Cyber Security Alliance reported that roughly 72% of home users did not have a properly configured firewall and that only one-third had antivirus signatures updated within the past week.¹
Even as security measures improve, users will remain at risk. There is evidence that individuals maintain an acceptable degree of risk that is self-levelling, known as risk homeostasis.² Applied to security, it suggests that as users increase their security measures, they are likely to increase risky behavior. For example, the user who has just installed a personal firewall may be more likely to leave his machine online all the time.
¹ America Online and the National Cyber Security Alliance. AOL/NCSA Online Safety Study, 2004; www.staysafeonline.info/news/safety_study_v04.pdf.
² G.J.S. Wilde. Target Risk 2: A New Psychology of Safety and Health. PDE Publications, Toronto, Ontario, 2001.