In the late 1990s, we came to the realization that users were central to computer and information security. Ross Anderson famously argued that "the threat model was completely wrong" when referring to our historical focus on securing technical components while ignoring possible human mistakes. A large and growing body of research has subsequently attempted to study how people face computer security challenges. Studies in the adjacent field of information privacy revealed that user behavior is complex. People may profess caring about their privacy, but frequently end up making decisions that prove costly, for example, due to limited information or to behavioral biases that lead them to miscalculate long-term risks.
Measuring security behavior turns out to be even more difficult than measuring privacy preferences and actions but imagine for a second that we had the ability to do so. For instance, we could examine the practical relevance of the following well-known, but rarely evaluated, security advice: updating software frequently, browsing reputable websites, using encryption whenever possible, and trying to avoid operating systems that are too common and targeted by villains.
No entries found