Colorado State Computer Science: The Psychology of Security for the Home Computer User

Status
Not open for further replies.

Andrezj

Level 6
Thread author
Nov 21, 2022
248
NOTE: This research paper is 10 years old, but the results are still considered the standard for understanding home user security decision making.

Source:


Many studies suggest that users often do not understand the threats and sometimes are not willing or able to incur the costs to defend against them. At least three studies [24], [50], [32] found that users still want the benefits of potentially unsafe behavior.

[24] R. LaRose, N. Rifon, S. Liu, and D. Lee, “Understanding Online Safety Behavior: A Multivariate Model,” in Proceedings of the 55th Annual Conference of the International Communication Association, New York, NY, USA, 2005.

[32] B. Debatin, J. P. Lovejoy, A.-K. Horm, and B. N. Hughes, “Facebook and Online Privacy: Attitudes, Behaviors, and Unintended Consequences,” Journal of Computer-Mediated Communication, vol. 15, pp. 83–108, 2009.

[50] N. Good et al., “Stopping Spyware at the Gate: A User Study of Privacy, Notice and Spyware,” in Proceedings of the 1st Symposium On Usable Privacy and Security, Pittsburgh, PA, USA, July 2005.

 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Generally speaking, this paper is a short review of many studies. Most of them are from the period 2003-2012.
These studies were conducted with very diverse methodologies on very diverse groups of people - there is no way to compare the results between them. So, the results are not statistically meaningful. But, some results are interesting and can be a starting point for the next studies.
It is very disappointing that after many years of home computing, the security of home users is still the "Wild West".
There are many articles about malware, cybersecurity, etc., but almost nothing about how all of this is related to the home environment. :(
 

LDogg

Level 33
Verified
Top Poster
Well-known
May 4, 2018
2,261
This study may only take the basis of one's opinion, rather than a Case Study or Meta-Analysis on this subject. It's a good starting point. However, the conclusion I'm 50/50 with, habits change, and threats from that time period have grown more sophisticated (could prove part of the conclusion that way too). I think from that time period, the IT layman of 2012 probably wouldn't know much about the threats or what to do if they became infected. In today's climate, there's more education about cybersecurity threats, thus more people have better knowledge. But this isn't the overall conclusion, so other studies would be ideal going forward.

I'm also surprised to see it's only one Psychologist included in this study. More systematic reviews & meta-analyses would be needed, however, this would mean more understanding of today's home user would be needed before we can have a scientific consensus on this answer.

~LDogg
 

Andrezj

Level 6
Thread author
Nov 21, 2022
248
Generally speaking, this paper is a short review of many studies. Most of them are from the period 2003-2012.
in first paragraph, "This paper reviews the literature of surveys and studies of factors that influence security decisions for home computer users."

These studies were conducted with very diverse methodologies on very diverse groups of people - there is no way to compare the results between them. So, the results are not statistically meaningful.
that is exactly how academic research works
review all study findings and then draws conclusions based upon the aggregate of all studies, while citing those sources

It is very disappointing that after many years of home computing, the security of home users is still the "Wild West".
first paragraph, "The home computer user is often said to be the weakest link in computer security. They do not always follow security advice, and they take actions, as in phishing, that compromise themselves. In general, we do not understand why users do not always behave safely, which would seem to be in their best interest."

the above is just as true, if not more so, today than it was during 2003-2012

In today's climate, there's more education about cybersecurity threats, thus more people have better knowledge.
this is not reality at all
studies show millennials and gen z (adults in the workforce) are less knowledgeable and less prepared to cope with cybersecurity
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
that is exactly how academic research works
review all study findings and then draws conclusions based upon the aggregate of all studies, while citing those sources
I know what a review is and how academic research works. :)
It is an interesting review and it shows that the research on the psychological aspects of home users' security is in the very early stage. Most of the studies encompassed only 20-500 participants (small groups). The studies were not yet confirmed by research conducted by independent teams (with a similar methodology). So, the conclusions should be taken with caution. Of course, some conclusions are probably close to the truth even if they are not confirmed yet by science. (y)

You probably agree with me, because you included the accurate citation from the review:
The home computer user is often said to be the weakest link in computer security. They do not always follow security advice, and they take actions, as in phishing, that compromise themselves. In general, we do not understand why users do not always behave safely, which would seem to be in their best interest.
 

Andrezj

Level 6
Thread author
Nov 21, 2022
248
The studies were not yet confirmed by research conducted by independent teams (with a similar methodology).
that is not how it works
the review and the studies it quotes are not subject to a "double-blind statistical analysis"
it is a review of the studies, such studies are not submitted to an academic journal for peer review
and never are source studies required to be peer reviewed or confirmed with parallel studies
the cost to confirm every study findings in the academic world would be astronomical

if every study results had to be confirmed by others, then nothing would get done
the whole point of citing sources is that the reader, if they question anything, then they can inspect at each cited source individually

90% of the work produced in academia is not peer reviewed or undergoes a confirmation study
"this needs a double-blind statistical study with 10,000 participants to be accepted as proven fact"... lol, no, just no

the fact that forums like MalwareTips, with "advanced members" who admit they infected themselves by downloading and infecting their systems because "they wanted it" confirms everything that, at least, the paper authors concluded from the available source materials
 

Bumblebee Uncle

Level 3
Well-known
Mar 15, 2022
108
As an academic, I can confirm that your statement "90% of the work produced in academia is not peer reviewed or undergoes a confirmation study" is blatantly false and misleading.

All good academics publish in reputed conferences and journals which are all peer reviewed. May I suggest to you a short introduction on the subject:
 

Andrezj

Level 6
Thread author
Nov 21, 2022
248
As an academic, I can confirm that your statement "90% of the work produced in academia is not peer reviewed or undergoes a confirmation study" is blatantly false and misleading.

All good academics publish in reputed conferences and journals which are all peer reviewed. May I suggest to you a short introduction on the subject:
that is not evidence of anything
supply evidence that proves me wrong, i'll wait

you might work in academia, but you do not know what you are talking about
the vast majority of academic work product is not submitted to journals, this is particularly true of the social sciences
then, that does not even cover project work done by academicians contracted by private industry (which is routinely done at universities across the globe) who prohibit publishing of results

if all academic work was submitted for peer review, then peer review journals would be hundreds of pages thick every single month
there would not be enough symposiums to do all the peer-review

"So the bad news is that the vast majority of scientists aren't pulling their weight. In fact, the team estimated that 70 percent dedicated 1 percent or less of their research work-time to peer review last year, while 5 percent dedicated 13 percent or more of it. "
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040

@Andrezj,

We have slightly different understandings of science. You probably know that there were psychological studies conducted the second time by other teams, and in some cases, the results were not confirmed.
Why was the Florencio and Herley study of Web password use conducted on half a million users, if 500 users were sufficient? I do not understand why you believe that studies on 20-500 participants can show something scientifically confirmed. The authors of the review do not insist on it. On the contrary, they concluded that "In general, we do not understand why users do not always behave safely".
I understand this statement as a good description of the early stage of this science.
 

Andrezj

Level 6
Thread author
Nov 21, 2022
248

@Andrezj,

Anyway, I do not understand why you believe that studies on 20-500 participants can show something scientifically confirmed.
i respect your point of view, but i ask that you at least consider this

because the studies are based upon observation of users and their replies "i did or i did not do this because..." and furthermore, the conclusions drawn are well-established in human behavior:

1. do not know
2. do not care
3. do it even though they know it is not in their best interests
4. laziness
5. lack of care
6. negligence
7. dislike the inconvenience of security
8. etc

human behavior does not need confirmation; if a human behaves a certain way, then observing it is confirmation that it exists
it is the conclusions drawn from the observational data that can be called into question, but the paper authors - and all the studies which it cites - do not make any conclusions which are not already common knowledge about users across the world
the authors and the studies cited are not making a single outlandish claim about why users do stuff, in fact based upon your own personal experience of knowing what users do, everything that is stated in that paper is confirmed by your personal experience
the authors are not making wild unproven, unfounded claims such as "god made the users do their unsafe behaviors" or "there are gremlins in the matrix that are at-fault, not the users" that must be proven by peer review or additional studies

the reasons for their behaviors are confirmed by the cited study participants

we know people overeat, take drugs and speed and the reasons why they do these things, you do not need a confirmation study to accept these as fact
 

Andrezj

Level 6
Thread author
Nov 21, 2022
248
@Andrezj,

I understand you and I do not insist that my meaning of science is better than yours. Thanks for an interesting thread. (y)
it is important to me that you understand that i was not dismissive or mocking of your posts
i understand what you were saying and it makes perfect sense
in an ideal world, it would be great if everything were checked, then re-verified by others

although i did review some of the cited studies (not every single one), and many are like pew institution polls where the computer user is asked questions and they reply to those questions
if a user states "i did it because i was lazy" or "i did not care, i wanted to do it," then i do not know how much needs to be confirmed unless the poll is flawed or the researcher is drawing conclusions substantially outside of the face-value of the user's admission

like a popularity poll where users rate software against a bunch of other software that they have never used, but the software publisher that ranks first in the poll (falsely) concludes "my software placed first and therefore it is the best"

lol

ps - do any of us really need anyone to tell us that computer users are the weakest link in security?
 

LDogg

Level 33
Verified
Top Poster
Well-known
May 4, 2018
2,261
if every study results had to be confirmed by others, then nothing would get done
the whole point of citing sources is that the reader, if they question anything, then they can inspect at each cited source individually

90% of the work produced in academia is not peer reviewed or undergoes a confirmation study
"this needs a double-blind statistical study with 10,000 participants to be accepted as proven fact"... lol, no, just no

the fact that forums like MalwareTips, with "advanced members" who admit they infected themselves by downloading and infecting their systems because "they wanted it" confirms everything that, at least, the paper authors concluded from the available source materials
Such a logically fallacious argument and a massive misrepresentation of Andy Ful's argument. Majority if not all work in academia is subject to some sort of peer review if you publish research. Science isn't truth, it's about testing a hypothesis to see if it works and forming a consensus around this when more studies back each other up. Now back on topic, it's surely hard for an inexperienced academic to get into a good journal, but they'll get published somewhere and have their research subjected to peer review.

Of course, every study results need to be peer-reviewed, we cannot have rogue academics displaying pseudoscience based on something they believe in and the paper is completely flawed. Look at Dr. Aseem Malhotra, he's a staunch advocate against mRNA vaccination, but his own biases cloud his judgment, he's even "peer-reviewed" his own paper, which he's on the same editorial board that he published his "review" paper at and tries to pass it off as legit. That is why results & studies themselves need to be subjected to proper peer review and not posted in predatory journals.

If academic research is not peer-reviewed, how is the author ever going to know the mistakes that could be within the study and whether it's flawed or not? We all suffer from cognitive dissonance, and the process of peer review mitigates a lot of things.

The strongest form of any empirical scientific evidence is meta-analysis or a systematic review.

The last bit of your quote seems like confirmation bias to me.

~LDogg
 

Andrezj

Level 6
Thread author
Nov 21, 2022
248
Majority if not all work in academia is subject to some sort of peer review if you publish research.
this is correct, but the paper is a literature review, not research - you would know that had you bothered to read even the first few paragraphs
and it is not as if any of the authors or the sources of data reviewed made any claim whatsoever that needed to be established by peer review
one cannot peer review polls where the poll taker explicitly and honestly states the reason why they did something... lol
andy states clearly what he thinks "if all the cited sources are not confirmed by peer review, then their conclusions are dubious"
that is not how it works, it never has and it never will

the paper itself was peer reviewed during its creation by other academics and the review was further peer reviewed during the IEEE symposium during which it was presented
it was also published in the highly respected IEEE journal - and that in itself constitutes peer review
there is no requirement for any researcher to confirm every bit of others' work that they rely upon, to say otherwise is so ridiculous, if academics had to do that then nothing would get done

you have absolutely no idea what you are talking about
there is absolutely no requirement whatsoever that ANY research be confirmed by peer review, it is a voluntary process and the vast majority of academic work-product is not submitted for peer review - academic, private, government
researchers that are subject to a publish requirement per their terms of employment are the only ones required to submit their work for peer review
much research is not even subject to peer review, for example research done in the humanities and in areas of the social sciences
there are some 20,000,000 researchers in the world, and only about 1.8 million participate in the peer review process
 

LDogg

Level 33
Verified
Top Poster
Well-known
May 4, 2018
2,261
this is correct, but the paper is a literature review, not research - you would know that had you bothered to read even the first few paragraphs
and it is not as if any of the authors or the sources of data reviewed made any claim whatsoever that needed to be established by peer review
one cannot peer review polls where the poll taker explicitly and honestly states the reason why they did something... lol
andy states clearly what he thinks "if all the cited sources are not confirmed by peer review, then their conclusions are dubious"
that is not how it works, it never has and it never will

the paper itself was peer reviewed during its creation by other academics and the review was further peer reviewed during the IEEE symposium during which it was presented
it was also published in the highly respected IEEE journal - and that in itself constitutes peer review
there is no requirement for any researcher to confirm every bit of others' work that they rely upon, to say otherwise is so ridiculous, if academics had to do that then nothing would get done

you have absolutely no idea what you are talking about
there is absolutely no requirement whatsoever that ANY research be confirmed by peer review, it is a voluntary process and the vast majority of academic work-product is not submitted for peer review - academic, private, government
researchers that are subject to a publish requirement per their terms of employment are the only ones required to submit their work for peer review
much research is not even subject to peer review, for example research done in the humanities and in areas of the social sciences
there are some 20,000,000 researchers in the world, and only about 1.8 million participate in the peer review process
What do you think a literature review study is? "Considered a form of research that reviews, critiques, and synthesizes representative literature on a topic in an integrated way such that new frameworks and perspectives on the topic are generated. The body of literature includes all studies that address related or identical hypotheses or research problems." - Research Guides: Organizing Your Social Sciences Research Paper: 5. The Literature Review

You're creating a strawman and a red herring, no one mentioned anything about polls, so this is irrelevant. By that remark, Andy is correct, all reliable studies (unless a pre-print) should be peer-reviewed, this shows it's reliable, reputable & harbors minimal conflict of interest. In any articles/studies, any discussion around any field of science should ONLY be evidence from the scientific literature, i.e. empirical studies published in peer-reviewed scholarly journals.

It is YOU that has no idea what you're talking about, if any research holds any weight, or for it to be cited anywhere, it should be peer-reviewed, that is what the process is there for. Otherwise, we have quacks, dubious individuals etc, selling snake oil, as an example.

So if no scientific research is not subjected to peer review then we must have absolute faith in it and cite it?

This is why the scientific consensus and evidence from the scientific literature exist. "the paper itself was peer reviewed during its creation by other academics" - this quote makes zero sense and this is not how the peer-review process works.

Hate to break it to you but IEEE is a predatory journal, as it's listed on Beall's list - Standalone Journals – Beall's List
So much for you knowing anything buddy. Have a great day.

~LDogg
 

Andrezj

Level 6
Thread author
Nov 21, 2022
248
What do you think a literature review study is? "Considered a form of research that reviews, critiques, and synthesizes representative literature on a topic in an integrated way such that new frameworks and perspectives on the topic are generated. The body of literature includes all studies that address related or identical hypotheses or research problems." - Research Guides: Organizing Your Social Sciences Research Paper: 5. The Literature Review
you do not know what you are talking about, lol

You're creating a strawman and a red herring, no one mentioned anything about polls, so this is irrelevant.
polls and questionnaires form the basis of much of the research cited in the references
again, you don't know what you are talking about

What do you think a literature review study is? "Considered a form of research that reviews, critiques, and synthesizes representative literature on a topic in an integrated way such that new frameworks and perspectives on the topic are generated. The body of literature includes all studies that address related or identical hypotheses or research problems." - Research Guides: Organizing Your Social Sciences Research Paper: 5. The Literature Review
really? please link literature reviews that are put under rigorous peer-review and where everything cited is fact-checked and verified by a third party
i'll give you every opportunity to prove me wrong, i'll wait

the linked paper just repeats what is contained in the cited sources, it does not make any extraneous conclusions that need to be defended
you would be laughed out of university by insisting that literature reviews must be peer reviewed to verify all the sources relied upon
it has never worked that way
you have absolutely no idea what you are talking about

researcher "we did a study, observed computer users and then asked them why they did or did not do things"
study participants "we did these things because"
researcher "this is what the study participants did and here is participant-supplied evidence and the type and incidence of the reasons"

lmfao, that kind of study does not require peer-review

This is why the scientific consensus and evidence from the scientific literature exist. "the paper itself was peer reviewed during its creation by other academics" - this quote makes zero sense and this is not how the peer-review process works.
really? then why do research projects sometimes have independent third party teams working to verify others' research before publication?
the way peer review works is of two types - during the project - and then afterwards, but you seem to think there is only the peer review that happens after publishing
you obviously have never performed any graduate or post-graduate research
having other parties review work that is intended to be published as the project proceeds has been the standard of practice going back all the way to the 1400s, newton and leibnitz had others review their work before publishing
again, you have absolutely no idea what you are talking about

Hate to break it to you but IEEE is a predatory journal, as it's listed on Beall's list - Standalone Journals – Beall's List
nice story
again, you have no idea what you are talking about

the webpage says at the top "Here we include journals that were not originally on the Beall’s list, but may be predatory."
it does not say "proven to be predatory"

and linking that ridiculous list here to discredit the IEEE speaks for itself
you do know that IEEE creates, maintains and curates a vast amount of the standards for digital devices and the internet (e.g. wireless standards), right?


In any articles/studies, any discussion around any field of science should ONLY be evidence from the scientific literature, i.e. empirical studies published in peer-reviewed scholarly journals.
lol, that is never how it has ever worked
if that was a requirement then so much work would be hindered or never happen
you can keep making claims all you want here, but you will not change reality
 

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,094
fwiw I looked at Beall's List, and it appears to list IEEEAJ and not IEEE. perhaps they are the same but the link provided www dot ieeeaj returns
"ieeeaj.com’s server IP address could not be found." This makes me think they could be two different entities or journals, but I do not know that for a fact.
 

Andrezj

Level 6
Thread author
Nov 21, 2022
248
fwiw I looked at Beall's List, and it appears to list IEEEAJ and not IEEE. perhaps they are the same but the link provided www dot ieeeaj returns
"ieeeaj.com’s server IP address could not be found." This makes me think they could be two different entities or journals, but I do not know that for a fact.
IEEE and IEEEAJ are two different organizations, not that it matters
ldogg's argument is so ridiculous i did not even bother to look

it wouldn't matter to ldogg what IEEE is or its reputation, all they cared about was linking something desperately trying to discredit IEEE

IEEE is very highly respected and serves as the source of most of the standards that define developments in levels 1 and 2 of the open system interconnect (osi) model, along with establishing requests for comment internetworking standards, and hardware standards that oems adhere to across the world
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Guys, it was not my intention to provoke a passionate discussion about science. :)
We are not considered experts to do so. I cannot see anything wrong with the study in the OP (thanks again for posting it). It looks like most of the research in the area of psychology and sociology. Such studies cannot be as precise as studies in the area of physics, chemistry, molecular biology, etc. There are many factors that can have an impact on the results and only some of them can be controlled in the experiments. The authors of the review are as skeptical as I am. For example:

We believe that the methodologies for home user studies need to be broadened. Most of the studies involved self-report surveys.
Presenting a cohesive, comprehensive view is impossible as the studies asked different questions, had different goals, solicited participants in different ways and sometimes are temporally disconnected (the oldest study is from 1999, most recent from 2011). Longitudinal studies are lacking.
We believe that new studies should cover a broader range of society and identify the commonalities and differences between them in their perceptions of risk, threats, and adaptive behaviors.
To understand risk relative to benefit decision-making, we opine that a scale for assessing perceptions be formulated. Currently no such scale exists for determining which risk computer users are willing to make and for what gain.
More studies are needed to identify where poor mental models produce poor decisions. What exact data to collect depends on the goal of the study; however, the significant factors found in [14], [24], [35], [32], [37], [39] provide good starting points.
... ; a great deal more needs to be done both in terms of facilitating models of the user and suitable approaches to security that conform to these models. As we recommend in Section VI, user studies need to be broadened and designed to provide more reliable information about what users will actually do, especially investigating the factors that influence home users’ decision making.

It is pretty much the same as what I posted in this thread.
Of course, some suggestions and qualitative conclusions are possible like those noted by @Andrezj. (y)
 

Andrezj

Level 6
Thread author
Nov 21, 2022
248
The authors of the review are as skeptical as I am.
lol, the authors state nowhere in their paper that they are skeptical of the results of any study they reviewed. what they said is that they cannot make a broad statement of psychological theory based upon the limited studies, but they have no question whatsoever that users are a primary cause of their own unsafe behaviors.

the things you are quoting relate to the authors suggesting additional studies and refinements related to psychological science, such as clarifying mental models - which is a model that explains how and what people think. and longitudinal studies which are studies across years. the authors also suggest studies that differentiate based upon demographics. none of that has anything to do with the conclusions of the cited studies, which are studies that present the self-reported behaviors of computer users that participated in each study. some are basic polls. the psychologist, in particular, is interested in the question "why do humans behave irrationally, and against their own interests?"

please explain what needs to be confirmed through statistical studies when a computer user downloads a software crack, then installs it, infects their machine, and then self-reports "i did it because i wanted the software"? when you poll 100 people on the street and ask them questions about computer security and 70 of them state "i don't know" or "i don't care," what exactly needs to be confirmed? the participant statements are a matter-of-fact and the only conclusion is this... "70% of the participants either do not know or do not care."

This is the statement of the authors in the conclusion of the study (they are not stating anything that is already not established fact and there is no expression of doubt by the authors):

"However, many studies suggest that users often do not understand the threats and sometimes are not willing or able to incur the costs to defend against them. At least three studies [24], [50], [32] found that users still want the benefits of potentially unsafe behavior."

they also go on to suggest predictive studies to improve automation to remove user decisions and behaviors from the risk equation
 