Abstract
Mental models are essential in learning how to adapt to new and evolving circumstances. The landscape of best practices in cybersecurity is a constantly changing area, as the list of best practices evolves in response to the increasing complexity and scope of threats. In response, users have adapted to the threats and corresponding countermeasures with mental models that simplify the complex networked environments that they inhabit. This paper presents an overview that spans over a decade of research in mental models of users when dealing with cybersecurity threats and corresponding security measures in different kinds of environments. The lessons from over a decade of research in mental models for cybersecurity offer valuable insights about how users learn and adapt, and how their backgrounds and situational awareness play a critical role in shaping their mental models about cybersecurity.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Threatlocker: 12 steps to protect against ransomware. https://www.threatlocker.com/12-steps-to-protect-against-ransomware/. Accessed 16 May 2022
IBM Cyber Security Intelligence Index Report. https://www.ibm.com/security/threat-intelligence/ (2021). Accessed 16 May 2022
Richardson, G.P., Andersen, D.F., Maxwell, T.A., Stewart, T.R.: Foundations of mental model research. In: Proceedings of the 1994 International System Dynamics Conference (1994)
Rowe, A.L., Cooke, N.J., Hall, E.P., Halgren, T.L.: Toward an online knowledge assessment methodology: Building on the relationship between knowing and doing. J. Exp. Psychol. Appl. 3–47 (1996)
Volkamer, M., Renaud, K.: Mental models—general introduction and review of their application to human-centered security. In: Number Theory and Cryptography, pp. 255–280. Springer, Berlin, Heidelberg (2013)
Morgan, G., Fischoff, B., Bostrom, A., Atman, C.J.: Creating an expert model of the risk. In: Risk Communication: A Mental Models Approach, pp. 34–61 (2002)
Fulton, K.R., Gelles, R., McKay, A., Abdi, Y., Roberts, R., Mazurek, M.L.: The effect of entertainment media on mental models of computer security. In: Proceedings of the Fifteenth Symposium on Usable Privacy and Security ({SOUPS} 2019), pp. 79–95 (2019)
Castelfranchi, C., Falcone, R.: Trust is much more than subjective probability: mental components and sources of trust. In: Proceedings of the 33rd Annual Hawaii International Conference on System Sciences (2000)
FBI: 2016 Internet crime report. https://www.fbi.gov/news/stories/ic3-releases-2016-internet-crime-report. Accessed 16 May 2022
Akhawe, D., Felt, A.P.: Alice in warning-land: a large-scale field study of browser security warning effectiveness. In: Proceedings of the 22nd USENIX Security Symposium, pp. 257–272 (2013)
Porter-Felt, A.P., Reeder, R.W., Almuhimedi, H., Consolvo, S.: Experimenting at scale with google chrome’s SSL warning. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 2667–2670 (2014)
NCSC: The problems with forcing regular password expiry. https://www.ncsc.gov.uk/blog-post/problems-forcing-regular-password-expiry#:~:text=The%20NCSC%20now%20recommend%20organisations,of%20long%2Dterm%20password%20exploitation. Accessed 16 May 2022
Cotoranu, A., Chen, L.C.: Applying text analytics to examination of end users’ mental models of cybersecurity. In: AMCIS 2020 Proceedings, vol. 10 (2020)
Camp, L.J.: Mental models of privacy and security. IEEE Technol. Soc. Mag. 28(3), 37–46 (2009)
Blythe, J., Camp, L.J.: Implementing mental models. In: 2012 IEEE Symposium on Security and Privacy Workshops, pp. 86–90 (2012)
Wash, R., Rader, E.: Influencing mental models of security: a research agenda. In: Proceedings of the 2011 New Security Paradigms Workshop, pp. 57–66 (2011)
Prettyman, S.S., Furman, S., Theofanos, M., Stanton, B.: Privacy and security in the brave new world: the use of multiple mental models. In: Proceedings of the International Conference on Human Aspects of Information Security, Privacy, and Trust, pp. 260–270 (2015)
Houser, A., Bolton, M.L.: Formal mental models for inclusive privacy and security. In: Proceedings of SOUPS (2017)
Andrade, R.O., Yoo, S.G.: Cognitive security: a comprehensive study of cognitive science in cybersecurity. J. Inf. Secur. Appl. 48, 102352 (2019)
Raja, F., Hawkey, K., Beznosov, K.: Revealing hidden context: improving mental models of personal firewall users. In: Proceedings of the 5th SOUPS (2009)
Wu, J., Zappala, D.: When is a tree really a truck? Exploring mental models of encryption. In: 14th Proceedings of ({SOUPS} 2018), pp. 395–409 (2018)
Theofanos, M.F., Pfleeger, S.L.: Guest editors’ introduction: shouldn’t all security be usable? IEEE Secur. Priv. 9(2), 12–17 (2011)
Theofanos, M.: Is usable security an oxymoron? Computer 53(2), 71–74 (2020)
Oltramari, A., Henshel, D.S., Cains, M., Hoffman, B.: Towards a human factors ontology for cyber security. Stids 26–33 (2015)
Mai, A., Pfeffer, K., Gusenbauer, M., Weippl, E., Krombholz, K.: User mental models of cryptocurrency systems—a grounded theory approach. In: Proceedings of the Sixteenth Symposium on Usable Privacy and Security ({SOUPS}), pp. 341–358 (2020)
Tversky, A., Kahneman, D.: The framing of decisions and the psychology of choice. Science 211(4481), 453–458 (1981)
Adams, A., Sasse, M.A.: Users are not the enemy. Commun. ACM 42(12), 40–46 (1999)
Degani, A., Heymann, M.: Formal verification of human-automation interaction. Hum. Factors 44(1), 28–43 (2002)
Wash, R.: Folk models of home computer security. In: Proceedings of the Sixth Symposium on Usable Privacy and Security, pp. 1–16 (2010)
Wash, R., Rader, E.: Too much knowledge? Security beliefs and protective behaviors among united states internet users. In: Proceedings of SOUPS (2015)
Chen, J.: Risk communication in cyberspace: a brief review of the information-processing and mental models approaches. Curr. Opin. Psychol. 36, 135–140 (2020)
Brase, G.L., Vasserman, E.Y., Hsu, W.: Do different mental models influence cybersecurity behavior? Evaluations via statistical reasoning performance. Front. Psychol. 8, 1929 (2017)
Agrawal, N., Zhu, F., Carpenter, S.: Do you see the warning? Cybersecurity warnings via nonconscious processing. In: Proceedings of the 2020 ACM Southeast Conference, pp. 260–263 (2020)
Proctor, R.W., Vu, K.P.L.: Human information processing: an overview for human-computer interaction. In: The Human-Computer Interaction Handbook, pp. 69–88 (2007)
Breakwell, G.M.: Risk communication: factors affecting impact. Br. Med. Bull. 56(1), 110–120 (2000)
Fagan, M., Khan, M.M.H., Buck, R.: A study of users’ experiences and beliefs about software update messages. Comput. Hum. Behav. 51, 504–519 (2015)
Wogalter, M.S., Laughery, K.R., Mayhorn, C.B.: Communication-human information processing stages in consumer product warnings. In: Human Factors and Ergonomics in Consumer Product Design, pp. 41–67. CRC Press (2011)
Wogalter, M.S.: Communication-human information processing (C-HIP) model in forensic warning analysis. In: Bagnara, S., Tartaglia, R., Albolino, S., Alexander, T., Fujita, Y. (eds.) Proceedings of the 20th Congress of the International Ergonomics Association, Advances in Intelligent Systems and Computing, p. 821 (2019)
Conzola, V., Wogalter, M.: A communication–human information processing (C–HIP) approach to warning effectiveness in the workplace. J. Risk Res. 4(4), 309–322 (2001)
Aliperti, G., Nagai, H., Cruz, A.M.: Communicating risk to tourists: a mental models approach to identifying gaps and misperceptions. Tour. Manag. Perspect. 33, 100615 (2020)
Lazrus, H., Morss, R.E., Demuth, J.L., Lazo, J.K., Bostrom, A.: “Know what to do if you encounter a flash flood”: mental models analysis for improving flash flood risk communication and public decision making. Risk Anal. 36(2), 411–427 (2016)
Stevenson, M., Taylor, B.J.: Risk communication in dementia care: family perspectives. J. Risk Res. 21(6), 692–709 (2018)
Norman, D.A.: Some Observations on Mental Model Models. Hillsdale, NJ (1983)
Van den Berg, J.: Grasping cybersecurity: a set of essential mental models. In: European Conference on Cyber Warfare and Security, p. 534 (2019)
Nixon, J., McGuinness, B.: Framing the human dimension in cybersecurity. EAI Endorsed Trans. Secur. Saf. 1(2) (2013)
Still, J.D.: Cybersecurity needs you! Interactions 23(3), 54–58 (2016)
Hernandez, J.: The human element complicates cybersecurity. Defense Systems. https://defensesystems.com/cyber/2010/03/the-human-element-complicates-cybersecurity/189831/. Accessed 16 May 2022
Maier, J., Padmos, A., Bargh, M.S., Wörndl, W.: Influence of mental models on the design of cyber security dashboards. In: Proceedings of VISIGRAPP (3: IVAPP), pp. 128–139 (2017)
Nurse, J.R., Creese, S., Goldsmith, M., Lamberts, K.: Guidelines for usable cybersecurity: past and present. In: Proceedings of the 3rd International Workshop on Cyberspace Safety and Security, pp. 21–26 (2011)
Wästlund, E., Angulo, J., Fischer-Hübner, S.: Evoking comprehensive mental models of anonymous credentials. In: Proceedings of the International Workshop on Open Problems in Network Security, pp. 1–14. Springer, Berlin, Heidelberg (2011)
Stanton, B., Theofanos, M.F., Prettyman, S.S., Furman, S.: Security fatigue. IT Prof. 18(5), 26–32 (2016)
Moon, B., Johnston, C., Moon, S.: A case for the superiority of concept mapping-based assessments for assessing mental models. In: Proceedings of the 8th International Conference on Concept Mapping. Universidad EAFIT, Medellín, Colombia (2018)
Mohamed, M., Chakraborty, J., Dehlinger, J.: Trading off usability and security in user interface design through mental models. Behav. Inf. Technol. 36(5), 493–516 (2017)
Asgharpour, F., Liu, D., Camp, L.J.: Mental models of security risks. In: Proceedings of the International Conference on Financial Cryptography and Data Security, pp. 367–377. Springer, Berlin, Heidelberg (2007)
Fagan, M., Khan, M.M.H.: To follow or not to follow: a study of user motivations around cybersecurity advice. IEEE Internet Comput. 22(5), 25–34 (2018)
Haney, J.M., Lutters, W.G.: “It’s Scary… It’s Confusing… It’s Dull”: how cybersecurity advocates overcome negative perceptions of security. In: Proceedings of the Fourteenth Symposium on Usable Privacy and Security ({SOUPS}), pp. 411–425 (2018)
Theofanos, M., Stanton, B., Furman, S., Prettyman, S.S., Garfinkel, S.: Be prepared: how US government experts think about cybersecurity. In: Proceedings of the Workshop on Usable Security (USec), Internet Society (2017)
Jones, K.S., Lodinger, N.R., Widlus, B.P., Namin, A.S., Hewett, R.: Do warning message design recommendations address why non-experts do not protect themselves from cybersecurity threats? A review. Int. J. Hum. Comput. Interact. 1–11 (2021)
Kang, R., Dabbish, L., Fruchter, N., Kiesler, S.: “My data just goes everywhere”: user mental models of the internet and implications for privacy and security. In: Proceedings of 2015 SOUPS, pp. 39–52 (2015)
Bartsch, S., Volkamer, M.: Effectively communicate risks for diverse users: a mental-models approach for individualized security interventions. In: INFORMATIK 2013–Informatik angepasst an Mensch, Organisation und Umwelt (2013)
Abu-Salma, R., Redmiles, E.M., Ur, B., Wei, M.: Exploring user mental models of end-to-end encrypted communication tools. In: Proceedings of the 8th USENIX Workshop on Free and Open Communications on the Internet (2018)
Ruoti, S., Seamons, K.: Johnny’s journey toward usable secure email. IEEE Secur. Priv. 17(6), 72–76 (2019)
Zhang-Kennedy, L., Chiasson, S., Biddle, R.: The role of instructional design in persuasion: a comics approach for improving cybersecurity. Int. J. Hum. Comput. Interact. 32(3), 215–257 (2016)
Zielinska, O.A., Welk, A.K., Mayhorn, C.B., Murphy-Hill, E.: Exploring expert and novice mental models of phishing. In: Proceedings of the Human Factors and Ergonomics Society Annual Meeting, vol. 59(1), pp. 1132–1136 (2015)
Day, E.A., Arthur, W., Jr., Gettman, D.: Knowledge structures and the acquisition of a complex skill. J. Appl. Psychol. 86(5), 1022 (2001)
Dorsey, D., Campbell, G.E., Foster, L.F., Miles, D.E.: Assessing knowledge structures: relations with experience and post training performance. Hum. Perform. 12(1), 31–57 (1999)
Goldsmith, T.E., Johnson, P.J., Acton, W.H.: Assessing structural knowledge. J. Educ. Psychol. 83(1), 88 (1991)
Rowe, A.L., Cooke, N.J.: Measuring mental models: choosing the right tools for the job. Hum. Resour. Dev. Q. 6(3), 243–255 (1995)
Van der Veer, G., Melguize, M.: Mental models. In: Jacko, J.A. Sears, A. (eds.) The Human Computer Interaction Handbook, pp. 52–80. Lawrence Associates, Mahwah, NJ (2003)
Heckle, R., Lutters, W.G., Gurzick, D.: Network authentication using single sign-on: the challenge of aligning mental models. In: Proceedings of the 2nd ACM Symposium on Computer Human Interaction For Management of Information Technology, pp. 1–10 (2008)
Krombholz, K., Busse, K., Pfeffer, K., Smith, M., von Zezschwitz, E.: “If HTTPS were secure, I wouldn’t need 2FA”—end user and administrator mental models of https. In: Proceedings of the 2019 IEEE Symposium on Security and Privacy, pp. 246–263 (2019)
Fritsch, L., Tjostheim, I., Kitkowska, A.: I’m not that old yet! the elderly and us in HCI and assistive technology. In: Proceedings of the 20th International Conference on Human-Computer Interaction with Mobile Devices and Services (MobileHCI) (2018)
Floodeen, R., Haller, J., Tjaden, B.: Identifying a shared mental model among incident responders. In: Proceedings of the 2013 Seventh International Conference on IT Security Incident Management and IT Forensics (2013)
Stobert, E., Barrera, D., Homier, V., & Kollek, D.: Understanding cybersecurity practices in emergency departments. In: Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems (2020)
Shillair, R.: Talking about online safety: a qualitative study exploring the cybersecurity learning process of online labor market workers. In: Proceedings of the 34th ACM International Conference on the Design of Communication (2016)
Kumar, P., Naik, S.M., Devkar, U.R., Chetty, M., Clegg, T.L., Vitak, J.: ‘No telling passcodes out because they’re private’ understanding children’s mental models of privacy and security online. In: Proceedings of the ACM on Human-Computer Interaction (CSCW), vol. 1, pp. 1–21 (2017)
Choong, Y.Y., Theofanos, M.F., Renaud, K., Prior, S.: “Passwords protect my stuff”—a study of children’s password practices. J. Cybersecur. 5(1) (2019)
McGregor, S.E., Watkins, E.A.: “Security by obscurity”: journalists’ mental models of information security. In: Quieting the Commenters: The Spiral of Silence’s Persistent Effect, p. 33 (2016)
Caine, K.E.: Supporting privacy by preventing misclosure. In: Proceedings of the CHI’09 Extended Abstracts on Human Factors in Computing Systems, pp. 3145–3148 (2009)
Sarriegi, J.M., Torres, J.M., Santos, J.: Explaining security management evolution through the analysis of CIOs’ mental models. In: Proceedings of the 23rd International Conference of the System Dynamics Society, Boston (2005)
Henshel, D., Cains, M.G., Hoffman, B., Kelley, T.: Trust as a human factor in holistic cyber security risk assessment. Proc. Manuf. 3, 1117–1124 (2015)
Sørensen, L.T.: User perceived privacy: mental models of users’ perception of app usage. Nord. Balt. J. Inf. Commun. Technol. 1, 1–20 (2018)
Abu-Salma, R., Sasse, M.A., Bonneau, J., Danilova, A., Naiakshina, A., Smith, M.: Obstacles to the adoption of secure communication tools. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 137–153 (2017)
Renaud, K., Volkamer, M., Renkema-Padmos, A. Why doesn’t Jane protect her privacy? In: Proceedings of the International Symposium on Privacy Enhancing Technologies Symposium, pp. 244–262 (2014)
Bieringer, L., Grosse, K., Backes, M., Krombholz, K.: Mental models of adversarial machine learning (2021). arXiv preprint arXiv:2105.03726
Zimmermann, V., Bennighof, M., Edel, M., Hofmann, O., Jung, J., von Wick, M.: “Home, smart home”—exploring end users’ mental models of smart homes. In: Mensch und Computer 2018-Workshopband (2018)
Yarosh, S., Zave, P.: Locked or not? Mental models of IoT feature interaction. In: Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems, pp. 2993–2997 (2017)
Shappie, A.T., Dawson, C.A., Debb, S.M.: Personality as a predictor of cybersecurity behavior. Psychol. Popul. Media 9(4), 475 (2020)
Adnan, M., Leak, A., Longley, P.: A geocomputational analysis of Twitter activity around different world cities. Geo-Spat. Inf. Sci. 17(3), 145–152 (2014)
Gil-Clavel, S., Zagheni, E.: Demographic differentials in Facebook usage around the world. In: Proceedings of the International AAAI Conference on Web and Social Media, vol. 13, pp. 647–650 (2019)
Srinivasan, S., Diepeveen, S.: The power of the “audience-public”: interactive radio in Africa. Int. J. Press Polit. 23(3), 389–412 (2018)
Dawson, J., Thomson, R.: The future cybersecurity workforce: going beyond technical skills for successful cyber performance. Front. Psychol. 9, 744 (2018)
Garvin, D.A., Wagonfeld, A.B., Kind, L.: Google’s Project Oxygen: Do Managers Matter? Harvard Business School Review, Boston, MA (2013)
Yao, W., Ye, J., Murimi, R., Wang, G.: A survey on consortium blockchain consensus mechanisms (2021). arXiv preprint arXiv:2102.12058
Carlin, D., Burgess, J., O’Kane, P., Sezer, S.: You could be mine (d): the rise of cryptojacking. IEEE Secur. Priv. 18(2), 16–22 (2019)
Yaqoob, I., Ahmed, E., ur Rehman, M.H., Ahmed, A.I.A., Al-Garadi, M.A., Imran, M., Guizani, M.: The rise of ransomware and emerging security challenges in the Internet of Things. Comput. Netw. 129, 444–458 (2017)
Jarjoui, S., Murimi, R., Murimi, R.: Hold my beer: a case study of how ransomware affected an Australian beverage company. In: Proceedings of the International Conference on Cyber Situational Awareness, Data Analytics and Assessment (2021)
Murimi, R.: Use of Botnets for Mining Cryptocurrencies, pp. 359–386. CRC Press, Botnets (2019)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Murimi, R., Blanke, S., Murimi, R. (2023). A Decade of Development of Mental Models in Cybersecurity and Lessons for the Future. In: Onwubiko, C., et al. Proceedings of the International Conference on Cybersecurity, Situational Awareness and Social Media. Springer Proceedings in Complexity. Springer, Singapore. https://doi.org/10.1007/978-981-19-6414-5_7
Download citation
DOI: https://doi.org/10.1007/978-981-19-6414-5_7
Published:
Publisher Name: Springer, Singapore
Print ISBN: 978-981-19-6413-8
Online ISBN: 978-981-19-6414-5
eBook Packages: Physics and AstronomyPhysics and Astronomy (R0)