Abstract
In real world domains, from healthcare to power to finance, we deploy computer systems intended to
streamline and improve the activities of human agents in the corresponding non-cyber worlds. However,
talking to actual users (instead of just computer security experts) reveals endemic circumvention of the
computer-embedded rules. Go od-intentioned users, trying to get their jobs done, systematically work
around security and other controls embedded in their IT systems.
This paper reports on our work compiling a large corpus of such incidents and developing a model
based on semiotic triads to examine security circumvention. This model suggests that mismorphisms—
mappings that fail to preserve structure—lie at the heart of circumvention scenarios; differential percep-
tions and needs explain users’ actions. We support this claim with empirical data from the corpus.
1 Introduction
Users systematically work around security controls. We can pretend this doesn’t happen, but it does. In our
research, we address this problem via observation and grounded theory (Bernard and Ryan, 2010; Charmaz,
2003; Pettigrew, 2000). Rather than assuming that users behave perfectly or that only bad users do bad
things, we instead observe and record what really goes on compared to the various expectations. Then, after
reviewing data, we develop structure and models, and bring in additional data to support, reject and refine
these models.
Over the last several years, via interviews, observations, surveys, and literature searches, we have explored the
often tenuous relationship among c omputer rules, users’ needs, and designers’ goals of computer systems. We
have collected and analyzed a corpus of hundreds of circumvention and unusability scenarios. We categorized
296 examples of these “misunderstandings” and the circumventions users undertook to accomplish their
needed tasks. We derived the examples from 285 different sources and categorized them into 60 fine-grained
codes. Because several examples reflect multiple codes, there were 646 applications of the codes linked to the
examples; e.g., the e xample of a woman with a hysterectomy listed in the current record as having an intact,
normal womb was coded as: 1. A copy-and-paste issue (bec ause the “current” record reflected an earlier
examination from before her recent surgery); and 2. The I T not representing the reality. Most examples
had only one or two codes associated with them; some had as many as four.
Semiotic triads, proposed almost a century ago (e.g., Ogden and Richards, 1927), offer models to help un-
derstand why human agents so often circumvent computer-embedded rules. The triads reflect the differences
and similarities among: a) what the speaker/listener is thinking, b) what words or symbols are used to
convey those thoughts, and c) what is the reality or the thing to which they are referring. We suggest that
these triads provide a framework to illuminate, organize, and analyze circumvention problems.
This Paper In this pap er, we present these ideas and support them with examples from our corpus.
Examples where we don’t cite a source came from interviews with parties who wish to remain anonymous.
As we are working on developing a typology rather than supporting a hypothesis, many of the usual factors in
confirmation bias to do not apply. Section 2 presents our model of how users’ actions will often differ from the
expectations of the security designers. Section 3 hypothesizes how our model of differential perceptions and
needs explains users’ actions and non-linear/non-monotonic responses to increases in turning the security
knob higher. Section 4 and Section 5 then supports these hypotheses with data item from our corpus.
Section 6 considers some related work, and Section 7 concludes.
2
