Your user’s ‘mental model’ may be very different than yours

I recently helped a family member get set up with a new MacBook (no, that is not her in the photo). To make everything work as she expected and to answer any questions she may have, I had her visit a few websites she normally visits and logs into. 

After successfully logging into her banking site and making sure she could access everything she needed, my usability testing habits kicked in. I asked her what she would normally do next when she wanted to go to another website. She told me she would log out of the site and then click one of the bookmarks. For some reason, I asked her why she felt she needed to log out of the site first before going to another site. 

Now, logging out of a site that contains lots of PII is not a bad idea – but since her computer never leaves her house, and she’s the only one that ever uses it, the site would eventually time out and log her out anyway, I asked. She answered, “Well, I don’t want other people to get in”. I asked her, “What other people? People coming into the house?”. She replied, “Oh no, I’m not worried about that. I mean other people on the Internet.” 

It turns out that her understanding (mental model) of how website security works is similar to accessing your safe deposit box at a bank. You have to unlock the little door inside the bank vault to access your safe deposit box (Logging In). When you’re done, you put the box away and lock the little door (Logging out). But, if you don’t lock the little door, anyone else can access it and take all your stuff.