Using the Internet every day does not require understanding it. The Internet has become an indispensable tool in our lives, yet many users still have only a small and incomplete understanding of how it really works and how it affects their privacy and security decisions. On the one hand, there are lay people who hold simpler mental models, without an awareness of Internet levels or related entities; on the other hand, there are individuals whose technological backgrounds give them more sophisticated technical models and a better understanding of privacy threats. It is important to know what individuals do and do not understand about the workings of the Internet, for the following reasons:
- An understanding of users’ mental models will lead to the effective design of security and privacy controls that take user perceptions into account.
- An understanding of users’ mental models will lead to the effective design of user training programs, so that users can be better informed about Internet governance, with a focus on privacy policies.
Because cyberspace cannot be conceptualized as an automated mechanism that works in simple ways to fulfill some goals, users need to understand the consequences of their security and privacy decisions, whether that is the simple act of accessing public Wi-Fi in a cafe or sharing a file with a co-worker. Network security tools also do not seem to support users’ understanding of these aspects, as they are not widely used.
A complete picture of how users think about the Internet will also be useful for meeting users’ expectations when developing related policies.
One of the most widely used methods for capturing users’ conceptualization of an issue is the mental model, which refers to a mental schema of imaginary or real-life conditions. As a model of how something works according to the individual’s mind, a mental model explains what the user thinks about a particular problem or system. These models reflect the mental rehearsal of the possible impact of an action, and they can usefully influence interface design by suggesting how to visualize complex system components.
While having an incomplete cognitive model may result in a decreased level of awareness of potential online privacy and security risks, awareness alone does not necessarily alleviate the issue. Knowledge of the Internet can be categorized as follows:
- Declarative knowledge: The knowledge of attributes or facts about cyberspace.
- Procedural knowledge: The knowledge of how to take actions or bring them to completion in cyberspace.
Often, the following factors are considered when making sense of information access, use and protection in the digital realm:
- Individual experiences: These refer to actions taken by the individual with regard to password protection or dealing with spam.
- Visual cues: These can vary from interface cues such as lock signs to social information such as comments on a post on a social networking site or more dynamic information such as tailored advertisements which might indicate the presence of others as well as their activity on these sites.
One reason for choosing visible cues is that they provide information at the application layer about privacy and security issues, which in turn also informs users about threats from corporate or governmental entities, while other cues provide information about threats from other individuals through other network layers.
At a minimum, applications could tell users what control they have over their data should they choose to put it online. Although data access may be one of the crucial aspects of privacy, it is also one of the most challenging to understand, because with multiple sources of risk it is difficult for an individual to prioritize which security or data threats to focus on. Even if awareness were raised about some risk sources, such as third-party tracking or online ads, other areas would remain uncovered, which might eventually cause users to become overloaded or to abandon security tools completely. On the other hand, exposure to constant warnings would give users too much confidence in institutions, so that they would eventually take less responsibility. So, if users cannot take privacy actions into their own hands and accept only a limited role, it becomes difficult to decide where responsibility should reside.
Unless effective user training is provided to raise awareness of how user data policies affect individual data on the Internet, merely developing stricter policies will produce no results. Although laws may protect privacy and security to some extent, no effective change can occur without knowledge of the policies related to the Internet.
There are several differences among individuals depending on their educational backgrounds: those without a technical background displayed a simple, service-oriented mental model, whereas those with a technical background articulated a more sophisticated, multi-layered model of the Internet along with its main entities.
Almost globally, users’ actions or lack of action to protect their own privacy and security were influenced by individual context and experiences, such as immediately recognizing a visible cue in the digital realm (a security emblem or the name of a popular tech enterprise). To gain users’ trust, companies should reduce users’ responsibility for making multiple privacy protection decisions based on their fundamental technical knowledge of the Internet.