In the course of past three years at LERSSE, we have done several studies that helped us to further the understanding of users’ mental models, when it comes to security. A mental model is “an abstraction of system’s architecture and software structures that is simple enough for non-technical users to grasp. . . It provides an integrated package of knowledge that allows the user to predict what the system will do if certain commands are executed, to predict the state of the system after the commands have been executed, to plan methods for novel tasks, and to deal with odd error situations” (Card and Moran, 1986). Adequate mental models of security controls are critical for computer users in order to avoid dangerous errors. Yet, security controls and their interfaces are hard to design in a way that could help users in developing and maintaining adequate mental models.
Findings from our projects led us to the following lessons:
- users develop and maintain their mental models (mostly) through UI
- users’ mental models are quite adaptive, changing sometimes as quickly as the system interface
- “automating away” security can lead to inadequate mental models and dangerous errors
- adequacy of mental models, not just UIs, has to be tested
- security UIs must be consistent and users need to be made aware of the consistency if they are expected to notice inconsistencies
- combining UIs for existing and new security functions can lead to unexpected mental models
You can find more details from the talk I’ve gave recently at Microsoft Research on the subject of users’ mental models of security. I discussed those projects in which we either intentionally studied users’ mental models of security controls or ended-up stumbling upon them (or their parts) by accident. Specifically, I focused on the studies of Vista personal firewall, UAC prompt, and web authentication with OpenID