interaction. Fundamentally, it is about how people
think of risk that guides their behavior. There are
basic principles of human behavior that govern how
users think about security in everyday situations and
shed light on why they undermine security by accident.
This article offers a brief introduction to research
on risk, uncertainty, and human decision making,
explains how that research relates to users making
security decisions, and presents a few key concepts
and possibilities for how they may be used to improve
users’ security behavior.
Non-acceptance of security tools is recognized as a
major problem facing the information security world
[5]. Research in the usability of security mechanisms
has exploded over the last decade and an excellent
trove of research papers is cataloged by the HCISec
Bibliography hosted at www.gaudior.net/alma/biblio.html.
Among the studies listed there is a mountain
of evidence that mechanisms for encryption, authorization,
and authentication can be difficult for people to
understand or use [1, 9] and that people often
fail to recognize security risks or the information
provided to cue them [3, 4]. Accordingly, researchers
have promoted the need for user-centered design
throughout the development process and warn that
usability testing of security systems only at the end of
the process does not guarantee a usable or acceptable
system [7, 11, 12].
However, there is more to this than interaction
with technology. Human decision making has been a
topic of study in social sciences from economics to
psychology for over a century. The net sum of that
research suggests that individuals are often less than
optimal decision makers when it comes to reasoning
about risk. However, we have predictable and
exploitable characteristics in our decision-making
process. Understanding these principles and how
users come to make decisions about security may suggest places where we can improve the outcome of the
decisions.
Users do not think they are at risk. First of all,
people tend to believe they are less vulnerable to risks
than others. Most people believe they are better than
average drivers and that they will live beyond average
life expectancy [6]. People also believe they are less
likely to be harmed by consumer products compared
to others. It stands to reason that any computer user
has the preset belief that they are at less risk of a computer
vulnerability than others. It should come as no
surprise that, in 2004, a survey from AOL and the
National Cyber Security Alliance reported that
roughly 72% of home users did not have a properly
configured firewall and that only one-third had
antivirus signatures updated within the past
week.¹
Even as security measures improve, users will
remain at risk. There is evidence that individuals
maintain an acceptable degree of risk that is self-levelling,
known as risk homeostasis.² Applied to security, it
suggests that as users increase their security measures,
they are likely to increase risky behavior. For example,
the user who has just installed a personal firewall may
be more likely to leave his machine online all the
time.
Users aren’t stupid, they’re unmotivated. In social
¹ America Online and the National Cyber Security Alliance. AOL/NCSA Online
Safety Study, 2004; www.staysafeonline.info/news/safety_study_v04.pdf.
² G. J. S. Wilde. Target Risk 2: A New Psychology of Safety and Health. PDE Publications,
Toronto, Ontario, 2001.