Device-Specific Mental Models of Security and Privacy

People adopt security technologies and make security decisions based on their perceptions, or mental models, of what risks they have and what they can do to protect their devices. Thus, people rely on their mental models to decide how to use their computing devices and the consequences of these actions. Understanding why users make security decisions and addressing the misconceptions in their mental models, specifically regarding security risks, can help prevent security mistakes made by users and help determine how to help users make good security decisions. This dissertation seeks to understand how users perceive security risks, why they make security-related decisions, and where they have misconceptions. In my dissertation, I examine how users' mental models of security and privacy differ by device platform, how that impacts how people use and interact with applications on each platform, and how user’s mental models can be used to influence adoption of good device security practices. I will present the results of three user studies exploring user mental models of security and privacy and how users need an increasing awareness of security risks and measures across all types of computing platforms in order to adopt appropriate practices to protect themselves and their information.