{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,1]],"date-time":"2026-04-01T17:59:17Z","timestamp":1775066357684,"version":"3.50.1"},"reference-count":37,"publisher":"Emerald","issue":"3","license":[{"start":{"date-parts":[[2023,11,20]],"date-time":"2023-11-20T00:00:00Z","timestamp":1700438400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2024,6,11]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>The purpose of this study is to understand user perceptions and misconceptions regarding security tools. Security and privacy-preserving tools (for brevity, the authors term them as \u201csecurity tools\u201d in this paper, unless otherwise specified) are designed to protect the security and privacy of people in the digital environment. However, inappropriate use of these tools can lead to unexpected consequences that are preventable. Hence, it is significant to examine why users do not understand the security tools.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>The authors conducted a qualitative study with 40 participants in the USA to investigate the prevalent misconceptions of people regarding security tools, their perceptions of data access and the corresponding impact on their usage behavior and data protection strategies.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>While security vulnerabilities are often rooted in people\u2019s internet usage behavior, this study examined user\u2019s mental models of the internet and unpacked how the misconceptions about security tools relate to those mental models.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>Based on the findings, this study offers recommendations highlighting the design aspects of security tools that need careful attention from researchers and industry practitioners, to alleviate users\u2019 misconceptions and provide them with accurate conceptual models toward the desired use of security tools.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-04-2023-0047","type":"journal-article","created":{"date-parts":[[2023,11,16]],"date-time":"2023-11-16T11:48:36Z","timestamp":1700135316000},"page":"282-303","source":"Crossref","is-referenced-by-count":18,"title":["\u201c\u2026I have my dad, sister, brother, and mom\u2019s password\u201d: unveiling users\u2019 mental models of security and privacy-preserving tools"],"prefix":"10.1108","volume":"32","author":[{"given":"Prakriti","family":"Dumaru","sequence":"first","affiliation":[]},{"given":"Ankit","family":"Shrestha","sequence":"additional","affiliation":[]},{"given":"Rizu","family":"Paudel","sequence":"additional","affiliation":[]},{"given":"Cassity","family":"Haverkamp","sequence":"additional","affiliation":[]},{"given":"Maryellen Brunson","family":"McClain","sequence":"additional","affiliation":[]},{"given":"Mahdi Nasrullah","family":"Al-Ameen","sequence":"additional","affiliation":[]}],"member":"140","published-online":{"date-parts":[[2023,11,20]]},"reference":[{"key":"key2024060713480528000_ref001","first-page":"1","article-title":"Evaluating the end-user experience of private browsing mode","volume-title":"Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems","year":"2020"},{"key":"key2024060713480528000_ref002","article-title":"Exploring user mental models of end-to-end encrypted communication tools","volume-title":"8th USENIX Workshop on Free and Open Communications on the Internet (FOCI 18)","year":"2018"},{"key":"key2024060713480528000_ref003","first-page":"1","article-title":"Nudges for privacy and security: understanding and assisting users\u2019 choices online","volume-title":"ACM Computing Surveys (CSUR) 50","year":"2017"},{"key":"key2024060713480528000_ref004","first-page":"203","article-title":"We, three brothers have always known everything of each other: a cross-cultural study of sharing digital devices and online accounts","year":"2021"},{"key":"key2024060713480528000_ref005","first-page":"787","article-title":"Your location has been shared 5,398 times! A field study on mobile app privacy nudging","year":"2015"},{"key":"key2024060713480528000_ref006","first-page":"3","article-title":"Intermediate help with using digital devices and online accounts: understanding the needs, expectations, and vulnerabilities of young adults","year":"2022"},{"key":"key2024060713480528000_ref007","article-title":"Cyber security awareness campaigns: why do they fail to change be- haviour?","year":"2019"},{"key":"key2024060713480528000_ref008","volume-title":"Understanding Your Users: A Practical Guide to User Research Methods","year":"2015","edition":"2nd ed"},{"issue":"2","key":"key2024060713480528000_ref009","doi-asserted-by":"crossref","first-page":"77","DOI":"10.1191\/1478088706qp063oa","article-title":"Using thematic analysis in psychology","volume":"3","year":"2006","journal-title":"Qualitative Research in Psychology"},{"issue":"3","key":"key2024060713480528000_ref010","doi-asserted-by":"crossref","first-page":"328","DOI":"10.1080\/14780887.2020.1769238","article-title":"One size fits all? What counts as quality practice in (reflexive) thematic analysis?","volume":"18","year":"2021","journal-title":"Qualitative Research in Psychology"},{"key":"key2024060713480528000_ref011","first-page":"117","article-title":"Replication: no one can hack my mind revisiting a study on expert and non- expert security practices and advice","volume-title":"Fifteenth Symposium on Usable Privacy and Security (SOUPS 2019)","year":"2019"},{"key":"key2024060713480528000_ref012","doi-asserted-by":"crossref","first-page":"401","DOI":"10.1109\/EuroSP.2019.00037","article-title":"In encryption we don\u2019t trust: the effect of end-to-end encryption to the masses on user perception","volume-title":"2019 IEEE European Symposium on Security and Privacy (EuroS&P)","year":"2019"},{"key":"key2024060713480528000_ref013","first-page":"1","article-title":"Security-visible, yet unseen?","year":"2019"},{"key":"key2024060713480528000_ref014","article-title":"Understanding how and why university students use virtual private networks","year":"2020"},{"issue":"3","key":"key2024060713480528000_ref015","doi-asserted-by":"crossref","first-page":"215","DOI":"10.1037\/0033-295X.87.3.215","article-title":"Verbal reports as data","volume":"87","year":"1980","journal-title":"Psychological Review"},{"key":"key2024060713480528000_ref016","first-page":"59","article-title":"Why do they do what they do? A study of what motivates users to (not) follow computer security advice","year":"2016"},{"key":"key2024060713480528000_ref017","first-page":"97","article-title":"Do or do not, there is no try: user engagement may not improve security outcomes","year":"2016"},{"key":"key2024060713480528000_ref018","first-page":"385","article-title":"New me: understanding expert and non-expert perceptions and usage of the tor anonymity network","volume-title":"Thirteenth Symposium on Usable Privacy and Security (SOUPS 2017)","year":"2017"},{"key":"key2024060713480528000_ref019","first-page":"327","article-title":"\u2026 No one can hack my mind\u201d: comparing expert and non-expert security practices","volume-title":"Eleventh Symposium on Usable Privacy and Security (SOUPS 2015)","year":"2015"},{"key":"key2024060713480528000_ref020","first-page":"39","article-title":"My data just goes everywhere: user mental models of the internet and implications for privacy and security","volume-title":"Eleventh Symposium on Usable Privacy and Security (SOUPS 2015)","year":"2015"},{"key":"key2024060713480528000_ref021","first-page":"217","article-title":"Data breaches: user comprehension, expectations, and concerns with handling exposed data","year":"2018"},{"key":"key2024060713480528000_ref022","first-page":"310","article-title":"Understanding user\u2019s behavior and protection strategy upon losing, or identifying unauthorized access to online account","year":"2021"},{"issue":"1","key":"key2024060713480528000_ref023","doi-asserted-by":"crossref","first-page":"83","DOI":"10.2478\/popets-2020-0006","article-title":"Emotional and practical considerations towards the adoption and abandonment of VPNS as a privacy-enhancing technology","volume":"2020","year":"2020","journal-title":"Proceedings on Privacy Enhancing Technologies"},{"key":"key2024060713480528000_ref024","first-page":"17","article-title":"Cognitive artifacts","volume":"1","year":"1991","journal-title":"Designing Interaction: Psychology at the Human-Computer Interface"},{"key":"key2024060713480528000_ref025","first-page":"5","article-title":"Turtles, locks, and bathrooms: understanding mental models of privacy through illustration","year":"2018"},{"key":"key2024060713480528000_ref026","article-title":"What are pets for privacy experts and non-experts","year":"2020"},{"key":"key2024060713480528000_ref027","first-page":"89","article-title":"A comprehensive quality evaluation of security and privacy advice on the web","year":"2020"},{"key":"key2024060713480528000_ref028","first-page":"211","article-title":"Weighing context and trade-offs: how suburban adults selected their online security posture","year":"2017"},{"key":"key2024060713480528000_ref029","article-title":"Understanding users\u2019 decision of clicking on posts in Facebook with implications for phishing","volume-title":"Workshop on Technology and Consumer Protection (ConPro 18)","year":"2018"},{"key":"key2024060713480528000_ref030","doi-asserted-by":"crossref","first-page":"102227","DOI":"10.1016\/j.cose.2021.102227","article-title":"A first look into users\u2019 perceptions of facial recognition in the physical world","volume":"105","year":"2021","journal-title":"Computers and Security"},{"key":"key2024060713480528000_ref031","doi-asserted-by":"crossref","first-page":"2347","DOI":"10.1145\/2556288.2557421","article-title":"Leakiness and creepiness in app space: perceptions of privacy and mobile app use","volume-title":"Proceedings of the SIGCHI Conference on Human Factors in Computing Systems","year":"2014"},{"key":"key2024060713480528000_ref032","doi-asserted-by":"crossref","first-page":"100034","DOI":"10.1016\/j.chbr.2020.100034","article-title":"Identifying the values associated with users\u2019 behavior to- wards anonymity tools through means-end analysis","volume":"2","year":"2020","journal-title":"Computers in Human Behavior Reports"},{"key":"key2024060713480528000_ref033","article-title":"Design and evaluation of security and privacy nudges: from protection motivation theory to implementation intentions","year":"2021"},{"key":"key2024060713480528000_ref034","doi-asserted-by":"crossref","unstructured":"Story, P., Smullen, D., Yao, Y., Acquisti, A., Cranor, L.F., Sadeh, N. and Schaub, F. (2021), \u201cAwareness, adoption, and misconceptions of web privacy tools\u201d, UMBC Faculty Collection.","DOI":"10.2478\/popets-2021-0049"},{"issue":"4\/5","key":"key2024060713480528000_ref035","first-page":"299","article-title":"Mental models of the internet","volume":"22","year":"1998","journal-title":"International Journal of Industrial Ergonomics"},{"key":"key2024060713480528000_ref036","first-page":"395","article-title":"When is a tree really a truck? Exploring mental models of encryption","volume-title":"Fourteenth Symposium on Usable Privacy and Security (SOUPS 2018)","year":"2018"},{"key":"key2024060713480528000_ref037","first-page":"197","article-title":"I\u2019ve got nothing to lose\u201d: consumers\u2019 risk perceptions and protective actions after the Equifax data breach","year":"2018"}],"container-title":["Information &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-04-2023-0047\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-04-2023-0047\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:22:53Z","timestamp":1753406573000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/32\/3\/282-303\/1237033"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,11,20]]},"references-count":37,"journal-issue":{"issue":"3","published-online":{"date-parts":[[2023,11,20]]},"published-print":{"date-parts":[[2024,6,11]]}},"alternative-id":["10.1108\/ICS-04-2023-0047"],"URL":"https:\/\/doi.org\/10.1108\/ics-04-2023-0047","relation":{},"ISSN":["2056-4961","2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"},{"value":"2056-4961","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,11,20]]}}}