Trust and Risk in Website Legitimacy and Software Applications: Delving Into User Understanding of Internet Security Mechanisms

When people choose to visit a given website, they make a trust decision about the supplier and source. It appears that a large majority of users commonly place their trust in most, if not all, websites they encounter, and this causes significant security problems. Any solutions proposed to reduce the threat of malicious websites must include a consideration of the psychological processes of the end users. This thesis presents several studies with the aim of understanding how people interpret the available information when making a trust decision. This understanding will better support users in making appropriate decisions and should inform better design of security mechanisms. It was found that users show some understanding of some of the key concepts in Internet security, and often make reasonable decisions. However, there are important anomalies. For example, many users had important misunderstandings about malware, suggesting they had poor mental models about the capabilities of malware and the capabilities of antivirus software applications in protecting them from threats online. Moreover, participants showed lack of confidence across a range of issues, but in practice they were still willing to make decisions even with this uncertainty. Some evidence was found which suggests that users employ heuristics in making such decisions and judgments under uncertainty. Potential solutions to address this would include closed software markets with certificates, or improved design to help users build better mental models.