Posts

Showing posts from 2019

October 2019 Update

As will surprise very few researchers, our blog is out of date! However, that's because we've been working hard coding our data, working on our concept inventory, and developing hands-on exercises (and a delivery framework) to teach improved ways of thinking about these issues. Here's a status report, as of late October, 2019.

We completed our survey in the spring of 2019; 87 respondents generated 469 responses about "commonsense misconceptions" that they believed novices often hold about computer security. We coded our data looking for highly represented misconceptions, which resulted in a list of 17 succinct, one-sentence descriptions of those misconceptions, which we have also expanded into short (1-2 paragraph) explanations.

We have started work on our concept inventory, which will be a multiple-choice test to help identify the extent to which CS students (or other novices) hold these misconceptions about security. We are following an approach where we d

Final Survey Design

Survey Design

The design of our survey asking experts what they saw as the most critical security-related misconceptions held by novices was one of the most important aspects of this project. One possible approach would be to collect misconceptions from the literature and ask experts to rank them, but we felt it was important to avoid influencing what experts thought. As a result, we had to be careful to not ask leading questions or include examples of misconceptions that might sway the results. On the other hand, we felt that a single question, such as “What are common computer security mistakes you have observed?” would be too vague and might only generate a fraction of the responses from each participant. For example, an expert might think of a misconception they encounter daily, but might not have other misconceptions come to mind in other areas of security. Another issue we faced was that it is often easy for people to identify mistakes that they see, but can be difficult f