13 Pages Posted: 9 Aug 2006
Date Written: 2006
The mental models method is a mechanism for risk communication that was pioneered in environmental risk communication, and is being used to improve medical risk communication. This paper proposes that mental models as a method of risk communication can be used to improve communication to end users about computer security risks. In fact, there exist at least five mental models that are currently being used to communicate in an atheoretical, and thus arguably suboptimal, manner.
Understanding why mental models is sometimes preferable to direct quantifiable risk information requires an introduction to risk perception. There are well-known heuristics of individual risk perception, validated by decades of experimental economics. Thus this work begins with an introduction to risk perception. Then, an introduction to mental models and some familiarity with computer security brings to the fore a set of mental models that are applicable to and already implied in computer security. Each of these models is discussed as being (in)appropriate to computer security.
Consistent communication using already extant (but inchoate) mental models is a promising method of risk communication for computer security. Yet continuing to use the mental models as metaphors has risks of its own.
Keywords: privacy, security, usability
JEL Classification: D81, D11, D7, L86, O3
Suggested Citation: Suggested Citation