A look at mental models and risk communication to better understand the security decisions end users make, why they make them, and how to guide them in their decision-making process.

仔细研究心理模型和风险交流，以更好地了解最终用户做出的安全决策，他们做出这些决策的原因以及如何指导他们进行决策。

介绍 (Introduction)

Developers are faced with a difficult task. Design an application that is usable for a wide range of end users, with the expectation that these end users do not have the same knowledge as the developer. An area of particular significance is computer security. The average user is unlikely to understand the intricacies of TLS or botnets. Additionally, the user is rarely focused on security; it is almost always a secondary thought to the primary purpose of the software. While end users can sometimes make seemingly irrational decisions, they are, in actuality, calculated decisions based on limited knowledge.

开发人员面临着艰巨的任务。 设计一个可用于广泛最终用户的应用程序，并期望这些最终用户不具备与开发人员相同的知识。 特别重要的领域是计算机安全性。 一般用户不太可能理解TLS或僵尸网络的复杂性。 另外，用户很少专注于安全性。 它几乎永远是软件主要目的的次要思想。 尽管最终用户有时可能会做出看似不合理的决策，但实际上，它们是基于有限知识而计算得出的决策。

Despite a lack of knowledge, it is important that a user’s account is protected, and inevitably, some of that protection falls on them to do. How then can a programmer ensure users make secure decisions? This is by no means an easy question to answer. The research field of usable security and privacy has been continuously growing in an effort to solve this question.

尽管缺乏知识，但是保护用户帐户非常重要，并且不可避免地，部分保护措施由用户来执行。 程序员如何才能确保用户做出安全的决定？ 这绝不是一个容易回答的问题。 为了解决这个问题，可用安全性和隐私性的研究领域一直在不断发展。

This post looks at two connected areas in usable security and privacy: user mental models and risk communication. The goal of looking at these areas is to help uncover what information users are missing, and how their existing knowledge, along with risk communication, guides their decision making.

这篇文章着眼于可用安全性和隐私性的两个相关领域：用户心理模型和风险沟通。 研究这些领域的目的是帮助发现用户所缺少的信息，以及他们现有的知识以及风险交流如何指导他们的决策。

用户的心理模型 (User’s Mental Models)

A mental model is a user’s thought process for describing and explaining how something works in the real world. Mental models can be very useful for understand end users’ security practices. They often reveal gaps in knowledge or other limiting factors that can cause users to not see a particular attack vector.

心理模型是用户的思维过程，用于描述和解释事物在现实世界中的工作方式。 心智模型对于理解最终用户的安全实践非常有用。 它们通常会揭示知识方面的空白或其他限制因素，这些空白可能会导致用户看不到特定的攻击媒介。

As an introduction, one paper [1] explored mental models of the internet. The paper began with having subjects draw diagrams for the internet. They then asked a variety of questions about subject’s online data and where it goes.

作为引言，一篇论文[1]探索了互联网的心理模型。 该论文首先让主题为互联网绘制图表。 然后，他们询问了有关受试者在线数据及其去向的各种问题。

They found that non-technical participants often represented the internet with a simple system wherein the participant connects to a central database. The diagrams typically contained only organizations the participant directly interacted with on a regular basis. These included companies like Google or Facebook, but not entities such as the participant’s ISP.

他们发现，非技术参与者通常使用简单的系统代表互联网，其中参与者连接到中央数据库。 这些图通常仅包含与参与者定期直接互动的组织。 这些公司包括Google或Facebook之类的公司，但不包括参与者ISP之类的实体。

When asked about where their data goes, non-technical people listed less places as opposed to technical users. Of note, the non-technical answers were more vague, with answers such as ‘whoever tries to make money off of you’. While most subjects understood that the services they use have access to their data, there was an alarming misconception. They found that, “A few [subjects] were not sure if information would be stored permanently, using the evidence of having seen webpages removed.” This is an excellent example of users basing their mental model on something familiar. While they understand websites can change and be removed, they wrongly extend this idea to data storage on other websites.

当被问及数据的去向时，非技术人员列出的位置少于技术用户。 值得注意的是，非技术性的答案比较模糊，例如“谁试图从你身上赚钱”。 尽管大多数对象都知道他们使用的服务可以访问其数据，但存在令人震惊的误解。 他们发现，“ 有一些[主题]不确定是否会使用删除了网页的证据来永久存储信息。” 这是用户将其心理模型建立在熟悉的事物上的一个很好的例子。 尽管他们了解网站可以更改和删除，但他们错误地将此想法扩展到其他网站上的数据存储。

This study shows how users’ mental models are limited to things that they have knowledge of. While this is a somewhat obvious statement, it is important to consider when designing for users. Another potential concern can be gleaned from this study: how to add information to an existing mental model. If the user who drew the diagram above was taught about ISPs or the DNS, where would these fit in? It is unlikely that an explanation would lead to them being correctly added to the model. Therefore, it is important to consider a user’s existing mental model of something before attempting to add to it.

这项研究显示了用户的心理模型如何仅限于他们所了解的事物。 尽管这是一个显而易见的陈述，但在为用户设计时必须考虑这一点。 这项研究可以发现另一个潜在的问题：如何向现有的心理模型添加信息。 如果绘制了上图的用户被告知有关ISP或DNS的信息，这些内容将适合哪里？ 解释不可能导致将它们正确添加到模型中。 因此，在尝试将其添加到用户之前，考虑用户的现有心智模型非常重要。

In another look at mental models, Rick Wash [2] explored folk models for home computer security threats. The term ‘folk models’ is used to draw similarity to folk tales, stories that are passed around culturally and typically contain inaccuracies. In total, he found eight distinct folk models throughout his interviews. These models fell into two distinct categories of viruses and hackers.

在对心理模型的另一种观察中，Rick Wash [2]探索了针对家用计算机安全威胁的民间模型。 术语“民间模型”用于与民间故事相似，民间故事在文化上流传并且通常包含不准确之处。 在整个采访中，他总共发现了八个不同的民间模特。 这些模型分为病毒和黑客两大类。

Of the four models for viruses, subjects only felt the need to actively protect themselves in one. This group thought viruses silently stole personal information such as credit cards, but did nothing to the computer itself. To combat this, they regularly used anti-virus software. The other three groups generally thought viruses caused harm to the computer through crashing or erasing data. While all thought viruses could be installed through active methods (e.g. running a program), some also thought simply visiting a website could install a virus. One user related the automatic nature of web cookies to how viruses could be installed. For these three models, the most protection needed was to avoid unknown or insecure websites.

在这四种病毒模型中，受试者只感觉到需要积极地自我保护。 该小组认为病毒会悄悄地窃取信用卡等个人信息，但对计算机本身却无济于事。 为了解决这个问题，他们定期使用防病毒软件。 其他三个组通常认为病毒会通过崩溃或擦除数据对计算机造成损害。 尽管所有认为的病毒都可以通过主动方法(例如运行程序)安装，但也有人认为仅访问网站就可以安装病毒。 一位用户将网络Cookie的自动性质与如何安装病毒相关联。 对于这三种模型，最需要的保护是避免访问未知或不安全的网站。

The four folk models for hackers provide greater insight into how mental models are developed. The first model describes hackers as ‘graffiti artists’. These hackers are typically skilled individuals who want to show off by hacking a computer. They tend to choose targets at random, and little can be done to protect against their attacks. The next model describes hackers as ‘burglars’. These hackers look around a computer for pieces of financial information that they could use themselves. They choose targets opportunistically, so protection is important to ward off attacks. The next group feels hackers target ‘big fish’ specifically, so subjects need not worry because they aren’t important enough to be targeted. The final group sees hackers as ‘contractors’ who steal information for criminals. These contractors typically target databases to get more information at once. Here, subjects protected themselves by only using services they believe would handle security correctly.

四种针对黑客的民间模型提供了关于如何开发心理模型的更深入的了解。 第一种模型将黑客描述为“涂鸦艺术家”。 这些黑客通常是技术娴熟的人，他们想通过黑客计算机来炫耀。 他们倾向于随机选择目标，并且几乎无能为力以防受到攻击。 下一个模型将黑客描述为“窃贼”。 这些黑客在计算机周围四处寻找自己可以使用的金融信息。 他们是机会选择目标，因此保护对于抵御攻击很重要。 下一组认为黑客专门针对“大鱼”，因此主题不必担心，因为它们的重要性不足以使其成为目标。 最后一组将黑客视为窃取犯罪分子信息的“承包商”。 这些承包商通常将数据库作为目标以立即获取更多信息。 在这里，受试者仅通过使用他们认为可以正确处理安全性的服务来保护自己。

This study clearly highlights how mental models are created. People base their models off of something concrete, that they have an understanding of. Wash also found that subjects would extrapolate their existing models to work with new scenarios. An example of this was seen in the user who related viruses and web cookies. Finally, this study demonstrates that mental models are shared among individuals. While this study was primarily qualitative, every model discovered was shared by multiple subjects.

这项研究清楚地突出了如何创建心理模型。 人们的模型基于他们已经了解的具体事物。 沃什还发现，受试者可以推断出他们现有的模型，以适应新的场景。 在与病毒和Web Cookie相关的用户中看到了一个示例。 最后，这项研究表明心理模型在个人之间是共享的。 虽然这项研究主要是定性的，但是发现的每个模型都由多个主题共享。

From this look at mental models, there are a few key takeaways that can be summarized as follows:

从这种对心理模型的观察中，可以总结出一些关键要点：

1. Mental Models often lack details or over-simplify — In the models for the internet, subjects typically only knew about services they directly interacted with. As a result, their model was simple, and it excluded potential places data could be leaked.

   心理模型通常缺乏细节或过于简化 -在互联网模型中，受试者通常只知道与他们直接交互的服务。 结果，他们的模型很简单，并且排除了可能泄漏潜在地点的数据。

2. Models are often based on real-world examples — The models for hackers made this especially clear. The ‘graffiti’ hacker chose targets at random, and there was little a subject could do to protect themselves, similar to graffiti in real life. Alternatively, the ‘burglar’ hacker could be thwarted because they are opportunistic, like a thief looking for unlocked cars. While some users had mixed mental models, many only considered one type of hacker.

   模型通常基于真实的例子 -黑客模型特别清楚地表明了这一点。 “涂鸦”黑客是随机选择目标的，几乎没有一个对象可以保护自己，就像现实生活中的涂鸦一样。 另外，“窃贼”黑客可能因为他们的投机取巧而受到挫败，例如窃贼正在寻找解锁的汽车。 尽管有些用户的思维模式参差不齐，但许多人只考虑了一种类型的黑客。

3. Users make their security decisions based on the mental models they have — For example, those who believed viruses were actively installed only had to be careful about the software they downloaded. In their model, there was no concern with visiting an insecure website. For those thinking of hackers as graffiti artists, they didn’t bother with security because there was nothing that could be done to prevent an attack. If an attack vector is not present in a user’s mental model, they are more likely to make insecure decisions that don’t consider that vector.

   用户根据他们所拥有的思维模型来做出安全决策 -例如，那些认为主动安装了病毒的用户只需要注意所下载的软件。 在他们的模型中，不必担心访问不安全的网站。 对于那些认为黑客是涂鸦艺术家的人来说，他们不必担心安全性，因为无法采取任何措施来阻止攻击。 如果用户的心理模型中没有攻击向量，则他们更有可能做出不考虑该向量的不安全决策。

To lead end users toward better security decisions, there is a clear path forward. Developing users’ mental models will help them to understand attack vectors and make informed decisions. This is not a trivial task by any means. A mental model that is easy to understand but covers all vectors is difficult to craft. The next section looks at how to best communicate potential risks to users.

为了引导最终用户做出更好的安全决策，有一条明确的道路。 开发用户的心理模型将帮助他们了解攻击媒介并做出明智的决策。 无论如何这都不是一件容易的事。 易于理解但涵盖所有向量的心理模型很难制作。 下一节将介绍如何最好地向用户传达潜在风险。

风险沟通 (Risk Communication)

Risk communication is a well-studied field when applied to natural disasters or health concerns. However, it has only recently seen applications in computer security. At its core, risk communication is the process of technical experts informing non-technical users of the choices they have and the potential consequences of each. Of note, risk communication is not about forcing users into making the most secure decision. Instead it is about allowing them to make an informed cost-benefit analysis.

当应用于自然灾害或健康问题时，风险沟通是一个经过充分研究的领域。 但是，它只是在最近才看到计算机安全方面的应用。 风险沟通的核心是技术专家将非技术用户的选择以及他们各自的潜在后果告知非技术用户的过程。 值得注意的是，风险沟通并不是要强迫用户做出最安全的决定。 相反，它是关于允许他们进行明智的成本效益分析。

This was a main focus of [4] who sought to improve Signal’s authentication ceremony. This study attempted to first increase risk perception, a user’s feeling of there being a risk involved. By redesigning dialogs to more clearly communicate the possibility of a man-in-the-middle attack, there was a significant increase in users who perceived some risk involved. Once users knew there was a risk involved in sending a message, the next step was giving them an informed choice.

这是[4]试图改善Signal的认证仪式的主要重点。 这项研究试图首先增加风险感知，即用户对所涉及风险的感觉。 通过重新设计对话框以更清楚地传达中间人攻击的可能性，认为存在某些风险的用户数量显着增加。 一旦用户知道发送消息存在风险，下一步就是为他们提供明智的选择。

The authors of this didn’t force users to make a specific decision. First, they renamed the ‘authentication ceremony’ to a ‘privacy check’. This was done to better convey the benefit of the process. Next, they explained that the privacy check would take a few minutes and that users should avoid sending sensitive information if they choose not to do it. Thus, users understood the benefit of performing the check, but if they didn’t have the time, or simply didn’t care, they could ignore it while understanding the risk.

作者并未强迫用户做出特定决定。 首先，他们将“身份验证仪式”重命名为“隐私检查”。 这样做是为了更好地传达该过程的好处。 接下来，他们解释说隐私检查将花费几分钟，并且如果用户选择不执行此操作，则应避免发送敏感信息。 因此，用户了解执行检查的好处，但是如果他们没有时间或根本不在乎，他们可以在了解风险的同时忽略它。

This study demonstrates the key idea behind risk communication: allowing the user to make an informed decision. The most secure option isn’t necessarily right for all users, so it is important they understand the pros and cons of each choice. Similarly, it is important that the potential risk is clear. If users do not perceive a threat, they have no reason to perform a security action. By communicating both the risk and options clearly, users will be able to make the best decision for themselves.

这项研究展示了风险沟通背后的关键思想：允许用户做出明智的决定。 最安全的选项不一定适合所有用户，因此他们了解每种选择的优缺点非常重要。 同样，清除潜在风险也很重要。 如果用户没有感觉到威胁，则没有理由执行安全措施。 通过清楚地传达风险和选项，用户将能够为自己做出最佳决策。

Another study [5] looked at improving firewall messages. They state near the beginning of the paper that, “Risk communications in computer security have been based on experts’ mental models, which are not good models for typical users.” They base their work off of another study [6] which found physical security mental models to be the best fit for explaining computer security to non-technical users. For their study, they replaced textual firewall messages with images depicting a person trying to get to a computer behind a locked door. Depending on the potential risk of allowing the application through the firewall, the person was either a burglar, unknown entity, or a happy individual.

另一项研究[5]着眼于改进防火墙消息。 他们在论文开始时指出： “计算机安全中的风险通信基于专家的心理模型，对于典型用户而言，这不是好的模型。” 他们的工作基于另一项研究[6]，该研究发现物理安全性心理模型最适合向非技术用户解释计算机安全性。 在研究中，他们用文字防火墙消息替换为图像，该图像描述了一个人试图进入锁着门后的计算机。 根据允许应用程序通过防火墙的潜在风险，此人是防盗，未知实体或快乐的人。

They found that their drawing conveyed more risk to study participants when compared to the textual messages. However, 1/3 of participants still preferred the text-based messages. It is also worth noting that the mental model created by the diagrams is potentially flawed. It depicts the application, ‘easyChat’, trying to gain access to the computer. However, the application has already been installed. The firewall message is actually about allowing the app to use the internet. It is possible this model could falsely lead users to believe that blocking the application protects their computer, when in reality harm can still be done (e.g. erasing data).

他们发现，与文字信息相比，他们的绘画给研究参与者带来了更大的风险。 但是，仍有1/3的参与者仍然偏爱基于文本的消息。 还值得注意的是，由图表创建的思维模型可能存在缺陷。 它描述了试图访问计算机的应用程序“ easyChat”。 但是，该应用程序已经安装。 防火墙消息实际上是关于允许应用程序使用互联网的。 当实际上仍然可以造成损害(例如擦除数据)时，此模型可能会错误地使用户认为阻止应用程序可以保护其计算机。

This points out a difficult balance in risk communication. It is important to simplify for normal users, but this may lead to inaccuracies and complaints by technical users. It is unlikely for there to be a one-size-fits-all way of communicating risk. One potential option is to include a drop-down that contains technical information in text form.

这指出了风险沟通中的困难平衡。 对于普通用户而言，简化操作很重要，但这可能会导致技术用户的不准确和投诉。 不可能有一种千篇一律的风险交流方式。 一种可能的选择是包括一个包含文本形式技术信息的下拉菜单。

Both of the studies above highlight the importance of helping users make informed decisions. Neither forced users into making a specific decision, but instead enhanced the users’ mental models to allow them to weigh the costs and benefits on their own.

以上两项研究均强调了帮助用户做出明智决策的重要性。 两者都没有强迫用户做出特定的决定，而是增强了用户的思维模式，使他们能够自己权衡成本和收益。

These studies also demonstrate the difficulties of successful risk communication. Both went through multiple rounds of effort in redesigning the applications for maximum clarity. Even still, there are more improvements that could be made. [7] provides some excellent guidelines for risk communication. In particular, they mention three key things to consider when planning how to communicate risk:

这些研究还证明了成功进行风险沟通的困难。 两者都经过了多轮努力以重新设计应用程序，以实现最大的清晰度。 即使如此，还有更多可以改进的地方。 [7]为风险交流提供了一些极好的指导。 他们特别提到在计划如何传达风险时要考虑的三个关键事项：

1. The goal of the communication (e.g., is it to educate users or draw them away from a security decision that may be too risky)沟通的目标(例如，是教育用户还是使他们远离可能风险太大的安全决策)
2. What type of security messages and communication strategies would be most useful (for example, strategies reliant on visuals and mental models)哪种类型的安全消息和通信策略最有用(例如，依赖于视觉和心理模型的策略)
3. The characteristics (e.g., level of knowledge and education, literacy and numeracy, mental models, attitudes/beliefs about the security issue) of individuals targeted by risk messages (e.g., knowledgeable Web users might desire more specifics than novice users regarding a security risk posed by a potentially malicious Web site).风险消息所针对的个人的特征(例如，知识和教育水平，识字和计算能力，心理模型，对安全问题的态度/信念)(例如，知识渊博的Web用户可能比新手用户更希望了解所带来的安全风险)通过潜在的恶意网站)。

These guidelines can serve as powerful tools when crafting messages for risk communication. They will help in reaching users in a relevant and understandable way. As a result, the message will enable users to make security decisions that fit their needs.

在为风险沟通编写消息时，这些准则可以用作强大的工具。 他们将以相关且易于理解的方式帮助您吸引用户。 结果，该消息将使用户能够做出适合其需求的安全决策。

结论 (Conclusion)

This post looked at two specific areas of research in usable security. First, mental models help in understanding an end user’s decisions. Users typically make rational decisions but are confined to their limited mental models. Many users also draw upon real-life examples for their models, but they may also extrapolate inaccurate parallels. Improving a user’s mental model of a threat will help them to make informed decisions.

这篇文章探讨了可用安全性研究的两个特定领域。 首先，心理模型有助于理解最终用户的决定。 用户通常会做出理性的决定，但仅限于他们有限的心理模型。 许多用户还为他们的模型借鉴了现实生活中的例子，但是他们也可能推断出不准确的相似之处。 改善用户的威胁心理模型将有助于他们做出明智的决定。

To improve user’s mental models, risk communication can be used. With risk communication, it is important to clearly and succinctly define what the threat is. From there, users should be empowered to make a decision that best fits them. This will involve explaining the costs and benefits of each decision.

为了改善用户的心理模型，可以使用风险沟通。 通过风险沟通，清楚明确地定义什么是威胁很重要。 从那里开始，应该授权用户做出最适合他们的决定。 这将涉及解释每个决策的成本和收益。

While it is easy to see end users as cavemen, making incoherent security decisions, these poor decisions are ultimately the developer’s fault. When designing applications, it is important for developers to understand the end user’s mental model. From there, they can communicate risk in a clear way that both utilizes the model and fills in any gaps. Finally, developers should clearly describe the pros and cons to each security decision. By doing this, users will be able to make informed security decisions that fit their needs, without needing to have a technical understanding of the underlying threat.

尽管很容易将最终用户视为穴居人，做出不一致的安全决策，但这些糟糕的决策最终是开发人员的错。 在设计应用程序时，对于开发人员而言，了解最终用户的心理模型很重要。 他们可以从那里以清晰的方式传达风险，既可以利用模型，也可以填补任何空白。 最后，开发人员应明确描述每个安全决策的利弊。 这样，用户将能够做出适合他们需求的明智的安全决策，而无需对潜在威胁有技术上的了解。

引文 (Citations)

1. Ruogu Kang, Laura Dabbish, Nathaniel Fruchter, Sara Kiesler, ‘My Data Just Goes Everywhere’: User Mental Models of the Internet and Implications for Privacy and Security. In Proceedings of SOUPS 2015.

   Ruogu Kang，Laura Dabbish，Nathaniel Fruchter，Sara Kiesler，“我的数据随处可见”：互联网的用户心理模型及其对隐私和安全性的影响。 在SOUPS会议录，2015年。

2. Wash, Rick, Folk models of home computer security, Proceedings of the Sixth Symposium on Usable Privacy and Security. ACM, 2010.

   Wash，Rick，家用计算机安全性的民间模型，第六届可用隐私和安全性研讨会论文集。 ACM，2010年。

3. National Research Council et al. Improving risk communication. National Academies, 1989.

   国家研究委员会等。 改善风险沟通 。 美国国家科学院，1989年。

4. ‘Something isn’t secure, but I’m not sure how that translates into a problem’: Promoting autonomy by designing for understanding in Signal, Justin Wu, Cyrus Gattrell, Devon Howard, Jake Tyler, Elham Vaziripour, Kent Seamons, and Daniel Zappala.

   “有些事情是不安全的，但是我不确定这将如何转化为问题”：通过设计以理解Signal，Justin Wu，Cyrus Gattrell，Devon Howard，Jake Tyler，Elham Vaziripour，Kent Seamons和Daniel的理解来促进自治扎帕拉。

5. Fahimeh Raja, Kirstie Hawkey, Steven Hsu, Kai- Le Clement Wang, and Konstantin Beznosov. A brick wall, a locked door, and a bandit: a physical security metaphor for firewall warnings. In Symposium on Usable Privacy and Security (SOUPS) 2011.

   Fahimeh Raja，Kirstie Hawkey，Steven Hsu，Kai-Le Clement Wang和Konstantin Beznosov。 砖墙，上锁的门和强盗：防火墙警告的物理安全隐喻。 在2011年可用隐私和安全性(SOUPS)研讨会上。

6. L. Camp, F. Asgharpour, D. Liu, and I. Bloomington. Experimental Evaluations of Expert and Non-expert Computer Users? Mental Models of Security Risks. Proceedings of WEIS 2007, 2007.

   L. Camp，F。Asgharpour，D。Liu和I. Bloomington。 专家和非专家计算机用户的实验评估？ 安全风险的心理模型。 WEIS会议论文集，2007年。

7. Jason RC Nurse, Sadie Creese, Michael Goldsmith, and Koen Lamberts. Trustworthy and effective communication of cybersecurity risks: A review. In Workshop on Socio-Technical Aspects in Security and Trust (STAST 2011). IEEE, 2011.

   Jason RC护士，Sadie Creese，Michael Goldsmith和Koen Lamberts。 可靠和有效地传达网络安全风险：回顾。 在“安全和信任中的社会技术方面的研讨会”上(STAST 2011) 。 IEEE，2011年。