Effective security of a personal firewall depends on (1) the granularity of its rules and the implementation of rule enforcement, and (2) the correctness and granularity of the user's decisions at the time of an alert. A misconfigured or loosely configured firewall may be more dangerous than no firewall at all because of the user's false sense of security. This study assesses the effective security of 13 personal firewalls by comparing the granularity of rules they can express as well as the usability of rule set-up and its influence on security.

To evaluate usability, we submitted each firewall to use cases that require user decisions and cause rule creation. To evaluate the firewalls' security, we analysed the created rules. In addition, we ran a port scan and replaced a legitimate, network-enabled application with another program to assess the firewalls' behaviour in misuse cases. We also conducted a cognitive walkthrough, paying special attention to user guidance and user decision support.
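The two misuse cases above (an inbound port scan and a legitimate application replaced by another program) and the rule-granularity point from the first paragraph can be made concrete with a small rule-evaluation model. The following is an added illustration, not code from the paper or from any of the evaluated products; the `Rule`/`Connection` model, the "prompt"/"deny" default policies, the file path and the executable contents are all constructed assumptions. It shows that a path-only, any-port rule (the kind a one-click "allow this application" decision typically creates) keeps allowing traffic after the binary at that path is swapped, whereas a rule bound to the binary's hash and to a specific port falls back to the default and re-prompts the user.

```python
"""Model of how personal-firewall rule granularity changes the outcome of two
misuse cases: a replaced application binary and an unsolicited inbound probe.
Added illustration; the Rule/Connection model and all sample values are
constructed assumptions, not taken from any of the 13 evaluated products."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    app_path: str                 # executable the rule was created for
    app_hash: Optional[str]       # SHA-256 of that executable, or None for a path-only rule
    direction: str                # "out" or "in"
    proto: str                    # "tcp" or "udp"
    remote_port: Optional[int]    # None means "any port"
    action: str                   # "allow" or "deny"


@dataclass(frozen=True)
class Connection:
    app_path: str
    app_image: bytes              # bytes of the executable actually making the connection
    direction: str
    proto: str
    remote_port: int


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def evaluate(rules: List[Rule], conn: Connection, default: str = "prompt") -> str:
    """Return the firewall's decision: "allow" or "deny" from the first matching
    rule, otherwise the default ("prompt" = ask the user, "deny" = silent block)."""
    for rule in rules:
        if rule.app_path != conn.app_path:
            continue
        # A hash-bound rule no longer applies once the binary at that path changes.
        if rule.app_hash is not None and rule.app_hash != sha256_hex(conn.app_image):
            continue
        if rule.direction != conn.direction or rule.proto != conn.proto:
            continue
        if rule.remote_port is not None and rule.remote_port != conn.remote_port:
            continue
        return rule.action
    return default


def audit(rules: List[Rule]) -> List[str]:
    """Flag allow rules that are coarser than least privilege requires."""
    findings = []
    for rule in rules:
        if rule.action != "allow":
            continue
        if rule.app_hash is None:
            findings.append(f"{rule.app_path}: path-only rule, survives binary replacement")
        if rule.remote_port is None:
            findings.append(f"{rule.app_path}: allows any {rule.proto} port {rule.direction}")
    return findings


# Constructed sample: a legitimate FTP client and a different program dropped in its place.
FTP_PATH = "C:\\Program Files\\ftpclient\\ftp.exe"          # hypothetical path
LEGIT_IMAGE = b"constructed bytes of the real ftp client"   # stands in for the real binary
REPLACED_IMAGE = b"constructed bytes of some other program"  # stands in for the replacement

# Coarse rule, as produced by a one-click "allow this application" decision.
COARSE = [Rule(FTP_PATH, None, "out", "tcp", None, "allow")]
# Fine rule: bound to the binary's hash and to the FTP control port only.
FINE = [Rule(FTP_PATH, sha256_hex(LEGIT_IMAGE), "out", "tcp", 21, "allow")]

legit_ftp = Connection(FTP_PATH, LEGIT_IMAGE, "out", "tcp", 21)
replaced_any = Connection(FTP_PATH, REPLACED_IMAGE, "out", "tcp", 8080)
# Probe from a port scan: inbound, no application rule covers it.
unsolicited_in = Connection("", b"", "in", "tcp", 135)

if __name__ == "__main__":
    for name, rules in (("coarse", COARSE), ("fine", FINE)):
        print(name, "legit:", evaluate(rules, legit_ftp),
              "replaced:", evaluate(rules, replaced_any))
    print("inbound probe, default prompt:", evaluate(FINE, unsolicited_in))
    print("inbound probe, default deny:  ", evaluate(FINE, unsolicited_in, default="deny"))
    print("audit of coarse rule set:", audit(COARSE))
```

The `default` parameter models the firewall's default behaviour for traffic no rule covers: with "prompt" the port scan generates alerts that the user has to answer correctly, with "deny" it is blocked silently. `audit` is the kind of check a firewall could run over its own rule set to tell the user which one-click decisions granted more than the application needs.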

We conclude that a stronger emphasis on user guidance, on conveying the design of the personal firewall application, on the principle of least privilege and on implications of default settings would greatly enhance both usability and security of personal firewalls.





Copyright information

© International Federation for Information Processing 2007

Authors and Affiliations

  • Almut Herzog, Dept. of Computer and Information Science, Linköpings universitet, Sweden
  • Nahid Shahmehri, Dept. of Computer and Information Science, Linköpings universitet, Sweden
