Control and Understanding in Malware and Legitimate Software

2019 APWG Symposium on Electronic Crime Research (eCrime) (2019)

Abstract
This paper presents a study examining mental models of malware and regular software, in search of deep misunderstandings about malware and software which can be used in the design of new software and educational material. The study involved both a questionnaire and two diagramming exercises. We decided to use a diagramming exercise because it is an effective medium for expressing spatial information, which is important to mental models and can get lost in verbal reports. Ours is the first study to examine mental models of malware using this technique. For the diagramming tasks, participants were asked to draw their understanding of how a word processor and malware work, respectively. Several key patterns emerged. General knowledge about malware, shown in the questionnaire responses, was reasonable, but the deeper understanding of how malware functions, shown in the drawings, was concerning. Participants showed lesser knowledge of malware compared to regular software, and they seemed to regard malware as a fundamentally different kind of entity than regular software. They made black-and-white distinctions between malware and regular software in terms of whether the software is helpful or harmful, who the software serves, and who controls it. We discuss how these findings relate to decision-making online, and suggest that it might be beneficial to increase support for the control users have over their software. We speculate this might better equip users to make safe decisions surrounding software, thereby decreasing the effectiveness of malware.
Keywords
cybersecurity, malware, mental models