There is evidence that the communication of security risks to home computer users has been unsuccessful. Prior research has found that users do not heed risk communications, that they do not read security warning texts, and that they ignore them. Risk communication should convey the basic facts relevant to the warning recipient’s decision. In the warning science literature, one successful technique for characterizing and designing risk communication is to employ the mental models approach, which is a decision-analytic framework. With this approach, the design of risk communication is based on the recipients’ mental model(s). The goal of the framework is to help people make decisions by providing risk communication that improves the recipients’ mental models in one of three ways: (1) adding missing knowledge, (2) restructuring the person’s knowledge when it is inappropriately focused (i.e., too general or too narrow), and (3) removing misconceptions.
The mental models approach has been successfully applied in such areas as medical and environmental risk communications, but not in computer security. Risk communications in computer security have been based on experts’ mental models, which are not good models for typical users. An expert’s mental model of security is different from that of a non-expert. This difference could lead to ineffective risk communications to non-experts. Similarly, Asgharpour et al. (2007) proposed that risk communication methods such as security warnings should be designed based on non-expert mental models and metaphors from the real world, emphasizing that:
“the purpose of risk communication is not conveying the perfect truth, but rather prompting the users to take an appropriate action to defend their system against a certain threat. While mitigation of a risk requires knowledge of the general nature of the risk, efficacy of the risk communication requires communication that is aligned with the mental model of the target group.”
While employing a mental models approach has been previously proposed for computer security warnings, it had not been evaluated. The goal of the research led by my Master’s student Fahimeh Raja was to do exactly this. This work was recently presented at SOUPS.
In this paper, we present our iterative design of a firewall warning using a physical security metaphor, and we present our study of the effectiveness of this approach. In the warnings, the functionality of a personal firewall is visualized based on a physical security metaphor, which includes the metaphor of a firewall, a fireproof wall that “separates the parts of a building most likely to have a fire from the rest of a structure”. The goals of our study were to determine the degree to which the warnings are understandable for our participants and the degree to which they convey the risks and encourage safe behavior. We used an open-ended test to evaluate the initial clarity of the warnings, and we used Likert-type scales, followed by an interview, to evaluate participants’ risk perceptions. We also used the self-reported likelihood of choosing any action as the intention for performing that action.
We compared our warnings with warnings based on those from the Comodo personal firewall. The Comodo firewall is the most popular personal firewall, and is the top one in online reviews not only for its protection, but also for its “warning features that make it easy for novices to understand how to respond to those warnings”. Our results show that our proposed warnings facilitate comprehension of warning information.
They also better communicated the risk; with our warnings, participants had a better estimation of the level of hazard, the likelihood of damage or loss, and the severity of potential damage or loss. Participants could also better describe the potential consequences of their intended actions. More importantly, our warnings increased the likelihood of safe behavior in response to the warnings. These findings suggest that our use of a physical security metaphor in the warnings altered the participants’ mental model(s) of the functionality of a personal firewall as it relates to their security and risk. Our warnings were also preferred by the majority of participants.
See more details in the paper.
Can Metaphors of Physical Security Work for Computers?
Heuristics for Evaluating IT Security Management Tools
The usability of IT security management (ITSM) tools is hard to evaluate by regular methods, making heuristic evaluation attractive. However, standard usability heuristics (e.g., Nielsen’s) are hard to apply, as IT security management occurs within a complex and collaborative context that involves diverse stakeholders. In a joint project with CA Technologies, my Ph.D. student Pooya Jaferian has proposed a set of ITSM usability heuristics that are based on activity theory, are supported by prior research, and consider the complex and cooperative nature of security management. The paper reporting the evaluation of the heuristics received Best Paper Award at SOUPS ’11.
In a between-subjects study, we compared the employment of the ITSM and Nielsen’s heuristics for evaluation of a commercial identity management system. Participants who used the ITSM set found more problems categorized as severe than those who used Nielsen’s. As evaluators identified different types of problems with the two sets of heuristics, we recommend employing both the ITSM and Nielsen’s heuristics during evaluation of ITSM tools.
See more details of the study and the results in the paper.
Have users signed up?
I participated in the panel “Password Managers, Single Sign-On, Federated ID: Have users signed up?” at the Workshop on The Future of User Authentication and Authorization on the Web: Challenges in Current Practice, New Threats, and Research Directions, which was co-located with the conference on Financial Cryptography and Data Security. In my panel presentation, I showed the most recent results of the evaluation of the OpenID authentication experience by participants, conducted in my lab, which shed some light on why users have not signed up, at least for OpenID. The apparent reluctance among end users to employ OpenID, despite the fact that there are over one billion OpenID-enabled accounts, results from technical, business, and human factors. This particular short presentation was devoted to the usability factors.
Is OpenID too Open? Technical, Business, and Human Issues That Get in the Way of OpenID and Ways of Addressing Them
The web is essential for business and personal activities well beyond information retrieval, such as online banking, financial transactions, and payment authorization, but reliable user authentication remains a challenge. OpenID is a mainstream Web single sign-on (SSO) solution intended for Internet-scale adoption. There are currently over one billion OpenID-enabled user accounts provided by major content-hosting and service providers (CSPs), e.g., Yahoo!, Google, and Facebook, but only a few relying parties allow users to use their OpenID credentials for SSO. Why is that? I presented at Eurecom an overview of OpenID, and then discussed weaknesses of (1) the protocol and its implementations, (2) the business model behind it, and (3) the user interface. The talk concluded with a discussion of a proposal for addressing some of OpenID’s issues.
See presentation slides for more details.
CHI Work in Progress to Feature LERSSE Research
This year, in Vancouver, the Work-in-Progress posters session of the SIGCHI conference will feature three research projects of my graduate students.
San-Tsai Sun and his team-mates will present the results of investigating the challenges web users face when using OpenID for authentication. They also designed a phishing-resistant, privacy-preserving browser add-on that provides a consistent and intuitive single sign-on user experience for average web users: OpenID-Enabled Browser: Towards Usable and Secure Web Single Sign-On.
Pooya Jaferian and Andreas Sotirakopoulos will present Heuristics for Evaluating IT Security Management Tools. The usability of IT security management (ITSM) tools is hard to evaluate by regular methods, making heuristic evaluation attractive. However, ITSM occurs within a complex and collaborative context that involves diverse stakeholders; this makes standard usability heuristics difficult to apply. We propose a set of ITSM usability heuristics that are based on activity theory and supported by prior research. We performed a study to compare the use of the ITSM heuristics to Nielsen’s heuristics for the evaluation of a commercial identity management system. Our preliminary results show that our new ITSM heuristics performed well in finding usability problems. However, we need to perform the study with more participants and perform more detailed analysis to precisely show the differences in applying the ITSM heuristics as compared to Nielsen’s heuristics.
Fahimeh Raja will present her research on Promoting A Physical Security Mental Model For Personal Firewall Warnings. We used an iterative process to design personal firewall warnings in which the functionality of a firewall is visualized based on a physical security mental model. We performed a study to determine the degree to which our proposed warnings are understandable for our participants, and the degree to which they convey the risks and encourage safe behavior as compared to warnings based on those from a popular personal firewall. Initial results show that our warnings facilitate the comprehension of warning information, better communicate risk, and increase the likelihood of safe behavior. Moreover, they provided participants with a better understanding of both the functionality of a personal firewall and the consequences of their actions.
My former postdoc Kirstie Hawkey has been involved in all of the above projects.