Folk models of home computer security: what we think our PCs are doing

Rick Wash from Michigan State wrote a great paper, "Folk Models in Home Computer Security," which uses interviews with users of varying levels of sophistication to create a taxonomy of the way that regular people think about the security of their computers. Wash finds that primarily, users' models relate to the pre-botnet era of malicious software, and he goes on to see what happens when those models are applied to modern malware. From the abstract:
Home computer systems are frequently insecure because they are administered by untrained, unskilled users. The rise of botnets has amplified this problem; attackers can compromise these computers, aggregate them, and use the resulting network to attack third parties. Despite a large security industry that provides software and advice, home computer users remain vulnerable. I investigate how home computer users make security-relevant decisions about their computers. I identify eight 'folk models' of security threats that are used by home computer users to decide what security software to use, and which security advice to follow: four different conceptualizations of 'viruses' and other malware, and four different conceptualizations of 'hackers' that break into computers. I illustrate how these models are used to justify ignoring some security advice. Finally, I describe one reason why botnets are so difficult to eliminate: they have been cleverly designed to take advantage of gaps in these models so that many home computer users do not take steps to protect against them.
Folk Models of Home Computer Security (PDF) (via Schneier)


  1. This is interesting, but of little practical value in securing end-user computer systems. Those systems CANNOT be secured — not for any sane value of “secure” — as long as they run Windows. Not even Microsoft has managed to do it, and they not only have essentially-unlimited resources, but the source code and more expertise than anyone else.

    This is an unpleasant and inconvenient reality that most security experts will deny, deny, deny — because of course they wish to sell the goods and services that claim to accomplish this, and flatly admitting that it can’t be done would undercut their rationale. But there are (at latest, best estimate) about 200 million systems out there constituting a substantial supporting argument for this position.

    And by the time you’ve finished reading this, there will be more — since the number of such systems has been monotonically increasing for a decade, and since there is no reason whatsoever to suspect that the trend might be reversing.

    This is NOT, by the way, to say that non-Windows systems are secure. Of course they’re not: they have their own issues. But it is to say that anyone who claims to be able to secure a Windows system is either stupid, incompetent, delusional, lying or paid by Microsoft.

  2. I’m afraid I must disagree with one of Rick Wash’s basic premises, “Despite a large security industry that provides software and advice, home computer users remain vulnerable.” IMHO, it is /because/ of that very large, hungry and malware-dependent so-called “security” industry, and many associates, especially all those that depend in servicing home and professional users in “cleaning” their machines and providing “upgrades”, and, of course, Microsoft (+1, rsk), that we are where we are in this respect.
    I am not aware there ever was proved collusion between Microsoft, and say, CompUSA or other such stores, or (your favorite “antivirus” here) that depend for their income on people having their computers infected. Yes, correlation is not causality, but the evidence is there, at least for areductio ad abs: if any of those stores cared to protect their customers, they would strongly suggest and push FLOSS OSs, or at the very least Firefox with filters and Open Office or even MSOffice with macros disabled. In the same line, if Microsoft et al cared about piracy, they would encourage would be pirates to user other software… On this point Bill Gates was clear already. As to possible collusion, it is rather obvious that success in this area (virus-proof OS and other software) would discourage ignorant or store-driven “upgrades” (“my computer is slowing down – I think I need to upgrade”, “yes, ma’am, you should”), and definitively drive several companies out of business. In standard crime-chasing mode, “who benefits” points often to the criminal. Here we know who benefits, and a lot, out of viruses, “legally”.

  3. Fascinating study. I thought these bits were especially interesting:

    Viruses are Buggy Software
    One group of respondents saw computer viruses as an exceptionally bug-ridden form of regular computer software. In many ways, these respondents believe that viruses behave much like most of the other software that home users experience. But to be a virus, it has to be `bad’ in some additional way. Primarily, viruses are `bad’ in that they are poorly written software. They lead to a multitude of bugs and other errors in the computer. They bring out bugs in other pieces of software. They tend to have more bugs, and worse bugs, than most other pieces of software. But all of the effects they cause are the same types of effects you get from buggy software: viruses can cause computers to crash, or to “boot me out” (Erica) of applications that are running; viruses can accidentally delete or “wipe out” in- formation (Christine and Erica); they can erase important system files. In general, the computer just “doesn’t function properly” (Erica) when it has a virus.


    Hackers are Criminals who Target Big Fish
    Another group of respondents had a conceptually similar model. This group also believes that hackers are Internet criminals who are looking for information to conduct identity theft. However, this group has thought more about how these hackers can best accomplish this goal, and have come to some different conclusions. These respondents believe in “massive hacker groups” (Hayley) and other forms of organization and coordination among criminal hackers. Most tellingly, this group believes that hackers only target the “big fish.” Hackers primarily break into computers of important and rich people in order to maximize their gains. Every respondent who holds this model believes that he or she is not likely to be a victim because he or she is not a big enough fish. They believe that hackers are unlikely to ever target them, and therefore they were safe from hacking. Irving believe that “I’m small potatoes and no one is going to bother me.” They often talk about how other people are more likely targets: “Maybe if I had a lot of money” (Floyd) or “like if I were a bank executive” (Erica). For these respondents, protecting against hackers isn’t a high priority

  4. Certainly nothing is bulletproof.

    That having been said, and after running only Windows machines for about twenty years,

    Mac, MacIntosh, Mac, Mac and Mac. Also, Apple Macs, Mac-ish, Mac, Mac, Mac.

    I am an awfully zealous convert. It’s just a different gig. Can you be infected? Sure. But you have to hang yourself. And you have to pretty much run down the plank and hurl yourself off.

  5. @ TEKNA2007,
    … not everyone uses Adobe products.

    It’s a dense read, and an interesting formalized approach. While I’ve had to ecucate users frequently, I’ve not given a lot of thought into how their models messed with their cost/benefit analyses, aside from informing them that “doing it that way doesn’t actually work.”

    So far (~halfway) the most interesting point has been that as users acquire additional information, their security decisions overall improve noticeably, but they also suffer more cognitive dissonance.

  6. This is why Chrome OS might be a good idea.

    I don’t have a clue about the regular usage habits of home PC users, but I imagine it really isn’t much more than browsing, pictures, music and possibly video. Give yourself a full OS and you’re exposing a lot more than you are with a semi-locked-down, function-oriented system.

    I try to understand that everybody should be able to use the Internet, but have trouble suppressing my exasperation at the cluelessness of many users, whether it’s gullibility relating to a scam or not reading (or rather not interpreting) error messages. I may learn to drive one day. There’s no way in hell I’m going to do that unless I know how the engine works, and how it integrates into the whole. I don’t understand how you could comfortably type your credit card number into a machine without applying the same mindset.

  7. I am the chronically uninformed home PC user. I bring my computer to a local guru occasionally when it starts hiccuping, and the rest of the time I don’t worry about security or viruses. My behavior is similar with my car and other things that work through processes that I’m not interested in learning. (Did you learn how microwaves worked before you used one too, #8?)

    My reasoning follows along the lines of the first two comments: it seems like a sisyphean task that I’ll ultimately fail at, and the people who would claim to eliminate risks for me have a vested interest in the maintenance of those very risks. Also, as I’ve already stated, Jim does fixes up my sick computer for a very reasonable price and I like giving him business.

    There’s really a good comparison between cars and computers #8, I don’t know anything about my car either. As far as I’m concerned they’re both magical contraptions that work because a bunch of skilled magicians said the right words over them at midnight while burning savory herbs. I like it that way.

    I think the conclusion that should be reached from this is that people are going to learn about computers much in the same way that many of them learn about cars: piecemeal and as it applies to them. I know more about alternators than almost any other part of a car, because I’ve had alternator problems.

    Perhaps Windows ought to recommend that computers are brought in regularly to be looked over by magicians who know what to look for, it could be cheap, fast and easy, like an oil change.

    I don’t want to spend much of my time being educated about things that I have no interest in. I already feel as if I don’t spend enough time doing things I enjoy and worrying about possibilities I don’t know how to prevent.

  8. and forget about those nasty rootkits out there. get one of those and if you ever realize you have it (hiding under the software level as they do so the av software doresn’t have clue its there) the only way to get rid of it is to reformat.

    but i’ve run windows machines for decades and i’ve found that a box running behind a spi firewall in the router, keeping up with patches, using up to date software and a good free antivirus keeps things nice and clean. i also recommend running the noscript plugin for your browser (chrome and firefox i know can use it). the web just not as fun with java turned off on all sites and turning it on and off manualy just is a pain.

    after you get your computer setup the way you like run a disk image of your os drive and if anything nasty does happen, its a 30 minute fix.

Comments are closed.