Investigating the adoption and correct use of secure communication tools has been an open research question for the past two decades, starting with research on encrypted email and moving on to a wide range of security & privacy tools. Barriers to adoption include; usability issues, social factors (e.g., network effects), and misaligned mental models. More recently, as secure instant messengers have seen widespread adoption—with some products reaching billions of users—and VPNs have become increasingly popular, researchers have uncovered a fundamental problem; misalignments between what secure communication tools can offer and what users believe. Even though users might have already adopted the state-of-the-art secure communication tools, insufficient mental models lead to users overestimating capabilities, or, erroneously thinking other tools are more appropriate for use. Both scenarios are likely to hurt users’ security & privacy postures. In this thesis I describe my approach to characterizing and improving mental models, I detail background and related works, my contributions, and discuss implications. Among my main contributions, I first describe my work on an emerging vector of questionable security information, influencer VPN ads on YouTube. I show how this questionable information is linked to real-world mental models. Next, I detail my investigation into how the description of security & privacy technology, another source of influence, changes mental models. Further, I report on my efforts to improve mental models when they are already misaligned in the context of end-to-end encryption. A related study exploring best user sampling practices for studies like mine is discussed.