MSU’s Wash Inspires Widespread Change In Computer Security Practices
An MSU researcher has changed the way the tech industry builds security into computing systems and explains it to the people who use them, helping end users make more informed decisions to protect their devices. Associate professor Rick Wash received the SOUPS Impact Award for his paper “Folk Models of Home Computer Security,” a decade after the research was published and began to shape industry practice.
The SOUPS (Symposium on Usable Privacy and Security) Impact Award is given every three years to the author of a paper that has had a significant impact on both research and practice in usable security and privacy. The award was presented to Wash during the annual SOUPS conference, which was held virtually in August.
“Computer security is this thing that none of us want to be doing, but we all have to do,” said Wash. “There’s all these new technologies that are coming in and changing people’s lives. Then there are these unintended side effects. One of the challenges of computers is that we can talk to anyone on the web, but that also means anyone can try to talk to us, and so that presents a challenge.”
With people spending more time on home computers and devices than ever before, his research continues to make a meaningful impact today. It has caught the attention of the tech industry, including companies such as Microsoft and Google.
Developing Folk Models to Understand How Users View Security Threats
Published in 2010, “Folk Models of Home Computer Security” explores why the average computer user often ignores expert security advice, leaving their devices vulnerable to viruses, hackers and other threats.
Wash, who now teaches in MSU’s Department of Media and Information, identified eight ‘folk models,’ informal mental models of what a security threat is and how it works, that people without technical training rely on to make decisions. The average computer user draws on these models to decide whether to follow or ignore security prompts and expert advice.
“Most of the important problems with computer security are not on the technical side, they’re on the people side,” said Wash. “We can relatively solve the tech problems, but the people side is much harder. I was looking for a good way to approach and study how people think about technology and computer security, in order to identify what the problems are and help find better solutions.”
Wash’s eight folk models fall into two categories: models about viruses, which users treat as an umbrella term covering spyware, adware and other forms of malware; and models about the attackers, usually referred to as ‘hackers.’ The four virus models describe viruses as simply bad, as buggy software, as mischief, or as tools that support crime. The four hacker models picture the hacker as a graffiti artist (a young person showing off), as a burglar (a criminal who breaks in to steal), as someone who goes after ‘big fish’ (so ordinary users believe they are not worth targeting), or as a contractor who sells his skills to organized crime.
In subsequent work, researchers at other universities identified a ninth model: the government hacker.
The Balance Between Unlimited Access and Security
While tech companies can, and often do, automate security for home computers, it’s still important to maintain a balance between what the companies control and what the end user controls, Wash explained.
“If companies feel like they can, they’ll just program the needed security into the device,” said Wash. “There’s a lot of situations where they need to leave the choice up to the end user. When that happens, that’s when you need to provide the information about ‘the why’ to help a user make the right decision.”
One simple example is the warning a web browser shows when it blocks a website because the site’s certificate failed validation, for instance because the certificate has expired, was issued for a different site, or was not signed by an authority the browser trusts. Home computer users recognize that something is wrong, but a message that says only ‘certificate validation failure’ tells them little about what the risk actually is, so they may click through and visit the website despite the warning.
“Security experts can’t tell ahead of time how important something is to you,” said Wash. “The tech company usually has more information about what is secure and what is not secure than the end user does. The end user has a lot more information about what’s important in their life and what their goals are — what they’re trying to accomplish. It’s usually a balance, but those two pieces of information are in two different places. That’s where you get this tension that’s really hard to resolve.”
Drawing on Wash’s research, security teams have redesigned the messages they use to warn users about security risks. The prompts now carry more of ‘the why’ behind the warning so that the user can make an informed choice, without so much detail that the alert becomes overwhelming.
“If end users are working to accomplish an important goal and being blocked by computer security, then maybe the technology needs to be more flexible,” said Wash.
Recognizing Computer Users as Intelligent Consumers
What surprised Wash the most about his research on folk models is that end users understand a lot more than security experts give them credit for. The problem, he said, is not that users are too unsophisticated to understand security threats, as many experts might argue. The models end users rely on are not so much ‘inaccurate’ as ‘incomplete.’
For example, many research respondents accurately described the kind of attack a teenage computer hacker might carry out. However, they did not realize that the same kind of attack could also be criminal in nature, giving the attacker access not only to their own data but also to the data held by the large companies they do business with.
“The thing that really resonated with a lot of people, both in the academic community and in the tech industry, as well as a couple places in government, is that people were not just flailing around, ignoring security advice,” said Wash. “They were trying to do something that they thought was good, trying to make what they thought were reasonable decisions based on the kind of knowledge that they had. The knowledge wasn’t necessarily correct, but it was reasonable in their mind for their situation.”
Security experts struggle to provide enough education to end users so that they can effectively protect their home computers. The folk models are important, Wash said, because many people learn about computer security through storytelling. People learn to be more careful about security threats after their friends or family members tell stories about the cyberattacks they have experienced.
While the models can help security experts better understand end users, some of the folk models more accurately capture the reality of a threat than others. If experts can point end users toward the more accurate folk models, they can motivate computer users to become better advocates for their own security at home.
Even as others continue to build upon his research, Wash is forging ahead on his next study. He plans to further explore how knowledge about computer security is passed on with storytelling. He also hopes to find ways to help protect end users against phishing scams, a growing security threat.
“It means a lot to me to have this research recognized,” said Wash. “That’s been my goal all along — not to just have an impact on research, but also to have an impact on practice.”