Formal Mental Models for Human-Centered Cybersecurity

Human users are increasingly recognized as a vector of cybersecurity attack. One problem that contributes to this condition is the growing complexity of digital tools. Such complexity can make it difficult for users to understand how tools work and how their actions will impact security. This work s...

Full description

Saved in:
Bibliographic Details
Published in:International journal of human-computer interaction 2025-01, Vol.41 (2), p.1414-1430
Main Authors: Houser, Adam M., Bolton, Matthew L.
Format: Article
Language:English
Subjects:
checking
Complexity
Cybersecurity
Data storage
formal
Human engineering
human error
Human factors
Impact analysis
mental
methods
mode confusion
Citations: Items that this one cites
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Human users are increasingly recognized as a vector of cybersecurity attack. One problem that contributes to this condition is the growing complexity of digital tools. Such complexity can make it difficult for users to understand how tools work and how their actions will impact security. This work sought to answer the research question: Can mental modeling analyses (from human factors engineering and human-automation interaction) be developed to effectively discover cybersecurity risks? To answer this, we extend mental models with cybersecurity-specific concepts. The resulting models are then incorporated into model checking analyses (an automated approach to formal verification) to discover if and when mismatches between human mental models and systems can cause security failures. We evaluated our approach by successfully applying it to a case study regarding the security configuration of a popular cloud data storage service. We ultimately discuss the results of this analysis and outline future research possibilities.
ISSN:1044-7318
1532-7590
1044-7318
DOI:10.1080/10447318.2024.2314353