27 research outputs found

    Applying Text Analytics to Examination of End Users’ Mental Models of Cybersecurity

    Mental models can explain how end users perceive their interactions with information systems, and inform cybersecurity awareness training. In this study, we used text analytic techniques to extract mental models representing cybersecurity concepts in learners at different levels of expertise. We applied these analytic techniques to text data collected from open-ended questions designed to capture learners’ understanding of cybersecurity concepts. We analyzed similarities and differences between learner groups using frequency, entropy and cosine similarity measures applied to n-gram features of their written responses. Our analysis showed that there is a difference in mental models between learners with informal exposure to cybersecurity topics and those with formal exposure. Furthermore, as a proof to demonstrate the predictive power of mental models, we correlated end users’ mental models with their perceived security. Finally, this study validated text analytics as a tool for capturing the mental models of end users without influencing the models

    Do Different Mental Models Influence Cybersecurity Behavior? Evaluations via Statistical Reasoning Performance

    Citation: Brase GL, Vasserman EY and Hsu W (2017) Do Different Mental Models Influence Cybersecurity Behavior? Evaluations via Statistical Reasoning Performance. Front. Psychol. 8:1929. doi: 10.3389/fpsyg.2017.01929

    Cybersecurity research often describes people as understanding internet security in terms of metaphorical mental models (e.g., disease risk, physical security risk, or criminal behavior risk). However, little research has directly evaluated if this is an accurate or productive framework. To assess this question, two experiments asked participants to respond to a statistical reasoning task framed in one of four different contexts (cybersecurity, plus the above alternative models). Each context was also presented using either percentages or natural frequencies, and these tasks were followed by a behavioral likelihood rating. As in previous research, consistent use of natural frequencies promoted correct Bayesian reasoning. There was little indication, however, that any of the alternative mental models generated consistently better understanding or reasoning over the actual cybersecurity context. There was some evidence that different models had some effects on patterns of responses, including the behavioral likelihood ratings, but these effects were small, as compared to the effect of the numerical format manipulation. This points to a need to improve the content of actual internet security warnings, rather than working to change the models users have of warnings

    “I Don’t Know Too Much About It”: On the Security Mindsets of Computer Science Students

    The security attitudes and approaches of software developers have a large impact on the software they produce, yet we know very little about how and when these views are constructed. This paper investigates the security and privacy (S&P) perceptions, experiences, and practices of current Computer Science students at the graduate and undergraduate level using semi-structured interviews. We find that the attitudes of students already match many of those that have been observed in professional level developers. Students have a range of hacker and attack mindsets, lack of experience with security APIs, a mixed view of who is in charge of S&P in the software life cycle, and a tendency to trust other people's code as a convenient approach to rapidly build software. We discuss the impact of our results on both curriculum development and support for professional developers

    A visual exploration of cybersecurity concepts

    Funding: This research was funded by the UK EPSRC under grant EP/N028228/1 (PACTMAN).

    Cybersecurity-related concepts can be difficult to explain or summarise. The complexity associated with these concepts is compounded by the impact of rapid technological changes and the contextual nature of the meaning ascribed to the various themes. Since visual imagery is often employed in articulation and explanation, we conducted a study in which we asked participants to sketch their understanding of cybersecurity concepts. Based on an analysis of these sketches and subsequent discussions with participants, we make the case for the use of sketching and visuals as a tool for cybersecurity research. Our collection of sketches and icons can further serve as the seed for a visual vocabulary for cybersecurity-related interfaces and communication

    Communicating about Extreme Heat: Results from Card Sorting and Think Aloud Interviews with Experts from Differing Domains

    Climate trends indicate that extreme heat events are becoming more common and more severe over time, requiring improved strategies to communicate heat risk and protective actions. However, there exists a disconnect in heat-related communication from experts, who commonly include heat-related jargon (i.e., technical language), to decision makers and the general public. The use of jargon has been shown to reduce meaningful engagement with and understanding of messages written by experts. Translating technical language into comprehensible messages that encourage decision makers to take action has been identified as a priority to enable impact-based decision support. Knowing what concepts and terms are perceived as jargon, and why, is a first step to increasing communication effectiveness. With this in mind, we focus on the mental models about extreme heat among two groups of domain experts – those trained in atmospheric science and those trained in emergency management – to identify how each group understands terms and concepts about extreme heat. We use a hybrid data collection method of open card sorting and think-aloud interviews to identify how participants conceptualize and categorize terms and concepts related to extreme heat. While we find few differences within the sorted categories, we learn that the processes leading to decisions about the importance of including, or not including, technical information differ by group. The results lead to recommendations and priorities for communicating about extreme heat

    Human factor security: evaluating the cybersecurity capacity of the industrial workforce

    Purpose: As cyber-attacks continue to grow, organisations adopting the internet-of-things (IoT) have continued to react to security concerns that threaten their businesses within the current highly competitive environment. Many recorded industrial cyber-attacks have successfully beaten technical security solutions by exploiting human-factor vulnerabilities related to security knowledge and skills and manipulating human elements into inadvertently conveying access to critical industrial assets. Knowledge and skill capabilities contribute to human analytical proficiencies for enhanced cybersecurity readiness. Thus, a human-factored security endeavour is required to investigate the capabilities of the human constituents (workforce) to appropriately recognise and respond to cyber intrusion events within the industrial control system (ICS) environment. / Design/methodology/approach: A quantitative approach (statistical analysis) is adopted to provide an approach to quantify the potential cybersecurity capability aptitudes of industrial human actors, identify the least security-capable workforce in the operational domain with the greatest susceptibility likelihood to cyber-attacks (i.e. weakest link) and guide the enhancement of security assurance. To support these objectives, a Human-factored Cyber Security Capability Evaluation approach is presented using conceptual analysis techniques. / Findings: Using a test scenario, the approach demonstrates the capacity to proffer an efficient evaluation of workforce security knowledge and skills capabilities and the identification of weakest link in the workforce. / Practical implications: The approach can enable organisations to gain better workforce security perspectives like security-consciousness, alertness and response aptitudes, thus guiding organisations into adopting strategic means of appropriating security remediation outlines, scopes and resources without undue wastes or redundancies. 
/ Originality/value: This paper demonstrates originality by providing a framework and computational approach for characterising and quantifying human-factor security capabilities based on security knowledge and security skills. It also supports the identification of potential security weakest links amongst an evaluated industrial workforce (human agents), some key security susceptibility areas and relevant control interventions. The model and validation results demonstrate the application of action research. This paper demonstrates originality by illustrating how action research can be applied within socio-technical dimensions to solve recurrent and dynamic problems related to industrial environment cyber security improvement. It provides value by demonstrating how theoretical security knowledge (awareness) and practical security skills can help resolve cyber security response and control uncertainties within industrial organisations

    Security Mental Models and Personal Security Practices of Internet Users in Africa

    Recent trends show an increase in risks for personal cyberattacks, in part due to an increase in remote work that has been imposed by worldwide Covid-19 lockdowns. These attacks have further exposed the inefficiencies of the "paternalistic" design of Internet security systems and security configuration frameworks. Prior research has shown that users often have inadequate Internet security and privacy mental models. However, little is known about the causes of flawed mental models. Using mixed methods over a period of nine months, we investigate Internet security mental models of users in Africa and the implications of these mental models on personal security practice. Consistent with prior research, we find inadequate Internet security mental models in self-reported expert and non-expert Internet users. In addition, our mental modelling and task analysis reveal that the flawed security practice does not only result from users' negligence, but also from lack of sufficient Internet security knowledge. Our findings motivate for reinforcing users' Internet security mental models through personalised security configuration frameworks to allow users, especially those with limited technical skills, to easily configure their desired security levels

    From nosy little brothers to stranger-danger: Children and parents' perception of mobile threats

    The rise in mobile media use by children has heightened parents' concerns for their online safety. Through semi-structured interviews of parent-child dyads, we explore the perceived privacy and security threats faced by children aged seven to eleven along with the protection mechanisms employed. We identified four models of privacy held by children. Furthermore, we found that children's concerns fit into four child-adversary threat models: child-peers, child-media, child-strangers, and child-parents. Their concerns differed from the five threat models held by the parents: child-peers, child-media, child-strangers, child-technology, and child-self. Parents used a variety of protection strategies to minimize children's exposure to external threats. In reality, however, our results suggest that security and privacy risks from an internal family member or a friend are far more common than harm from outsiders