Undergraduates Perception of Informal Personal Learning Environments: Affordances for Self-regulated Learning

Mental Models, informal representations of reality, provide an appealing explanation for the apparently non-rational decisions of users. Although users may be attempting to make secure decisions, the use of incomplete or incorrect information security mental models as a shortcut to decision making may lead to undesirable results. We describe mental models of Viruses and Hackers drawing on data from a survey of 609 adult computer users and link these to security behaviours and perceptions. We find that there are potentially just a small number of common security beliefs and suggest that accommodating these mental models during security design may be more beneficial to long-term security than expecting users to change to accommodate security requirements

A Comparison of American and German Folk Models of Home Computer Security

Although many security solutions exist, home computer systems are vulnerable against different type of attacks. The main reason is that users are either not motivated to use these solutions or not able to correctly use them. In order to make security software more usable and hence computers more secure, we re-ran the study by Wash about “Folk Models of Home Computer Security” in Germany. We classified the different mental models in eleven folk models. Eight of the identified folk models are similar to the models Wash presented. We describe each folk model and illustrate how users think about computer security

Obstacles to the Adoption of Secure Communication Tools

The computer security community has advocated widespread adoption of secure communication tools to counter mass surveillance. Several popular personal communication tools (e.g., WhatsApp, iMessage) have adopted end-to-end encryption, and many new tools (e.g., Signal, Telegram) have been launched with security as a key selling point. However it remains unclear if users understand what protection these tools offer, and if they value that protection. In this study, we interviewed 60 participants about their experience with different communication tools and their perceptions of the tools' security properties. We found that the adoption of secure communication tools is hindered by fragmented user bases and incompatible tools. Furthermore, the vast majority of participants did not understand the essential concept of end-to-end encryption, limiting their motivation to adopt secure tools. We identified a number of incorrect mental models that underpinned participants' beliefs

Evaluating the End-User Experience of Private Browsing Mode

Nowadays, all major web browsers have a private browsing mode. However, the mode's benefits and limitations are not particularly understood. Through the use of survey studies, prior work has found that most users are either unaware of private browsing or do not use it. Further, those who do use private browsing generally have misconceptions about what protection it provides. However, prior work has not investigated \emph{why} users misunderstand the benefits and limitations of private browsing. In this work, we do so by designing and conducting a three-part study: (1) an analytical approach combining cognitive walkthrough and heuristic evaluation to inspect the user interface of private mode in different browsers; (2) a qualitative, interview-based study to explore users' mental models of private browsing and its security goals; (3) a participatory design study to investigate why existing browser disclosures, the in-browser explanations of private browsing mode, do not communicate the security goals of private browsing to users. Participants critiqued the browser disclosures of three web browsers: Brave, Firefox, and Google Chrome, and then designed new ones. We find that the user interface of private mode in different web browsers violates several well-established design guidelines and heuristics. Further, most participants had incorrect mental models of private browsing, influencing their understanding and usage of private mode. Additionally, we find that existing browser disclosures are not only vague, but also misleading. None of the three studied browser disclosures communicates or explains the primary security goal of private browsing. Drawing from the results of our user study, we extract a set of design recommendations that we encourage browser designers to validate, in order to design more effective and informative browser disclosures related to private mode

Investigation of Attitudes Towards Security Behaviors

Cybersecurity attacks have increased as Internet technology has proliferated. Symantec’s 2013 Internet Security Report stated that two out of the top three causes of data breaches in 2012 were attributable to human error (Pelgrin, 2014). This suggests a need to educate end users so that they engage in behaviors that increase their cybersecurity. This study researched how a user’s knowledge affects their engagement in security behaviors. Security behaviors were operationalized into two categories: cyber hygiene and threat response behaviors. A sample of 194 San José State University students were recruited to participate in an observational study. Students completed a card sort, a semantic knowledge quiz, and a survey of their intention to perform security behaviors. A personality inventory was included to see if there would be any effects of personality on security behaviors. Multiple regression was used to see how card sorting and semantic knowledge quiz scores predicted security behaviors, but the results were not significant. Despite this, there was a correlation between cyber hygiene behaviors and threat response behaviors, as well as the Big Five personality traits. The results showed that many of the Big Five personality traits correlated with each other, which is consistent with other studies’ findings. The only personality trait that had a correlation with one of the knowledge measures was neuroticism, in which neuroticism had a negative correlation with the semantic knowledge quiz. Implications for future research are discussed to understand how knowledge, cyber hygiene behaviors, and threat response behaviors relate

Human Factors Standards and the Hard Human Factor Problems: Observations on Medical Usability Standards

With increasing variety and sophistication of computer-based medical devices, and more diverse users and use environments, usability is essential, especially to ensure safety. Usability standards and guidelines play an important role. We reviewed several, focusing on the IEC 62366 and 60601 sets. It is plausible that these standards have reduced risks for patients, but we raise concerns regarding: (1) complex design trade-offs that are not addressed, (2) a focus on user interface design (e.g., making alarms audible) to the detriment of other human factors (e.g., ensuring users actually act upon alarms they hear), and (3) some definitions and scope restrictions that may create “blind spots”. We highlight potential related risks, e.g. that clear directives on “easier to understand” risks, though useful, may preclude mitigating other, more “difficult” ones; but ask to what extent these negative effects can be avoided by standard writers, given objective constraints. Our critique is motivated by current research and incident reports, and considers standards from other domains and countries. It is meant to highlight problems, relevant to designers, standards committees, and human factors researchers, and to trigger discussion about the potential and limits of standards

Padronização de uma bateria para a avaliação de fatores de risco psicossociais trabalhistas em trabalhadores colombianos

A battery of questionnaires to assess psychosocial risk factors at work was developed in 2010 in response to Resolution 2646 created by the Colombian Ministry of Social Protection. However, this battery presents some theoretical and practical limitations. A new battery of instruments has been designed and validated that includes instruments and risk indicators of the demand-control-social support and the effort-reward imbalance models. Other factors, not included in these models, but that Resolution 2646 suggests should be assessed, have also been added, and with this additional information, the new battery allows us to also calculate a “global indicator” of demand, control, and social support; family and social risk conditions, coping and personality; and health and wellbeing. The new battery was administered to a sample of 16,095 workers from different occupations and representative Colombian regions. An analysis of the various domains indicates that internal consistency of the various scales is high. The new battery has the following properties: it is simple to use in paper format or when administered by computer, it enables comparison between occupations, it offers unified scores for each variable, and provides information to assess the risk factors suggested by Resolution 2646. In addition, it will make it possible to compare the results obtained when analyzing Colombian workers with those obtained from studies of workers from other countries.Em 2010, desenvolveu-se uma bateria de instrumentos para avaliar fatores psicossociais trabalhistas de risco para a saúde, em resposta à Resolução 2 646 do Ministério da Proteção Social da Colômbia. Contudo, esta conta com algumas limitações que, a partir da construção e da validação de uma nova bateria, neste estudo se pretendem superar. Além disso, a nova bateria oferece recursos adicionais para a avaliação desses fatores: a presente bateria incorpora os instrumentos e os indicadores centrais dos modelos demanda-controle-apoio social e desiquilíbrio esforço-recompensa e os fatores internos do trabalho não considerados nesses modelos, mas que a Resolução considera necessários, mediram-se com testes preexistentes ou desenvolvidos pelos autores. Com os dados coletados, é possível calcular indicadores globais de demanda, controle e apoio social; além de condições familiares e sociais de risco, enfrentamento, personalidade e indicadores de saúde e bem-estar. Para a validação, a bateria foi aplicada a uma amostra de 16 095 trabalhadores de diferentes cargos e municípios colombianos. As anál i ses de consistência interna e validade permitem afirmar que a bateria é simples de aplicar em papel ou digital, permitirá comparar cargos, obter pontuações unificadas por variável, oferecer um diagnóstico de um número importante das variáveis sugeridas na Resolução bem como permitirá comparar os resultados dos trabalhadores colombianos com os de outros países. Palavras-chave: fatores trabalhistas de risco psicossocial, Resolução 2 646 de 2008, modelo demanda-controle-apoio social, modelo desiquilíbrio esforço-recompensa, estresse profissional, avaliação.En 2010 se desarrolló una batería de instrumentos para evaluar factores psicosociales laborales de riesgo para la salud, en respuesta a la Resolución 2646 de 2008 del Ministerio de la Protección Social de Colombia. Sin embargo, esta cuenta con algunas limitaciones que, a partir de la construcción y validación de una nueva batería, en el presente estudio se buscan superar. La nueva batería ofrece recursos adicionales para la evaluación de estos factores: incorpora los instrumentos e indicadores centrales de los modelos demanda-control-apoyo social y desequilibrio esfuerzo-recompensa, y los factores intralaborales no contemplados en dichos modelos, pero que la Resolución considera necesarios, se midieron con pruebas preexistentes o desarrolladas por los autores. Con los datos recolectados es posible calcular indicadores globales de demanda, control y apoyo social; además de condiciones familiares y sociales de riesgo, afrontamiento, personalidad e indicadores de salud y bienestar. Para la validación, la batería se aplicó a una muestra de 16.095 trabajadores de diferentes ocupaciones y municipios colombianos. Los análisis de consistencia interna y validez permiten afirmar que la batería es sencilla de aplicar en papel o por computador, permitirá comparar ocupaciones, obtener puntuaciones unificadas por variable, ofrecer un diagnóstico de un número importante de las variables sugeridas en la Resolución y comparar los resultados de los trabajadores colombianos con los de otros países

Gulfs of Expectation: Eliciting and Verifying Differences in Trust Expectations using Personas

Personas are a common tool used in Human Computer Interaction to represent the needs and expectations of a system’s stakeholders, but they are also grounded in large amounts of qualitative data. Our aim is to make use of this data to anticipate the differences between a user persona’s expectations of a system, and the expectations held by its developers. This paper introduces the idea of gulfs of expectation – the gap between the expectations held by a user about a system and its developers, and the expectations held by a developer about the system and its users. By evaluating these differences in expectation against a formal representation of a system, we demonstrate how differences between the anticipated user and developer mental models of the system can be verified. We illustrate this using a case study where persona characteristics were analysed to identify divergent behaviour and potential security breaches as a result of differing trust expectations

Why do People Adopt, or Reject, Smartphone Security Tools?

A large variety of security tools exist for Smartphones, to help their owners to secure the phones and prevent unauthorised others from accessing their data and services. These range from screen locks to antivirus software to password managers. Yet many Smartphone owners do not use these tools despite their being free and easy to use. We were interested in exploring this apparent anomaly. A number of researchers have applied existing models of behaviour from other disciplines to try to understand these kinds of behaviours in a security context, and a great deal of research has examined adoption of screen locking mechanisms. We review the proposed models and consider how they might fail to describe adoption behaviours. We then present the Integrated Model of Behaviour Prediction (IMBP), a richer model than the ones tested thus far. We consider the kinds of factors that could be incorporated into this model in order to understand Smartphone owner adoption, or rejection, of security tools. The model seems promising, based on existing literature, and we plan to test its efficacy in future studies