Commonsense Misconceptions in Computer Security

We present the results of a survey of 85 computer security experts identifying commonsense misconceptions in computer security. Misconceptions can be hard to unlearn because they are often based on incorrect inferences about personal experience. Misconceptions can lead to mistakes when people reason correctly based on these false beliefs. Therefore, it is important for instructors to address misconceptions in their teaching and help students dispel them (e.g., through in-class and hands-on education) to keep graduates from repeating classic and pernicious mistakes. After developing a codebook of approximately 100 security misconceptions with a group of eight external security experts, two researchers coded all survey responses to identify the most frequent misconceptions seen in the data. Selecting the misconceptions appearing ten times or more in the data, we identified a list of seven classes of frequent and significant misconceptions held by novices in computer security. We describe our methodology and those misconceptions in depth along with their background.  These misconceptions are serving as the target for an under-development concept inventory on computer security, along with a set of educational resources to remediate them.

Dr. Peterson earned a Bachelors of Music Education (BME) from North Park University in Chicago in 1999, and an MS (2009) and PhD (2013) in Computer Science from UCLA. His research and teaching interests center on operating systems and computer security, particularly in computer security education. He has an NSF grant to identify and remediate commonsense misconceptions about computer security, is part of an NSF grant team studying the effect of active learning on security education, and an NSF CAREER project to identify and assess the critical cybersecurity ability known as "adversarial thinking." He also leads a team of students restoring and demonstrating a 50-year old PDP-12 minicomputer, one of only a handful still operating in the world. He is a member of the ACM, IEEE, USENIX, and Sigma Xi.

Host: Alan T. Sherman, sherman@umbc.edu. Support for this event was provided in part by the National Science Foundation under SFS grant DGE-1753681. The UMBC Cyber Defense Lab meets biweekly Fridays 12-1pm.  All meetings are open to the public. Upcoming CDL meetings: Nov 4, Russ Fink (APL), ARMR: Autonomous resilience / machine recovery, Nov 18, Josiah Dykstra (DoD), Myths in cybersecurity, Dec 2, Peter Peterson (UMN Duluth), Adversarial Thinking, SFS/CySP Research Study: January 2-6, 2023 (tentative)