Improving Computer Security Dialogs

  • Cristian Bravo-Lillo
  • Lorrie Faith Cranor
  • Julie Downs
  • Saranga Komanduri
  • Manya Sleeper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6949)

Abstract

Security dialogs warn users about security threats on their computers; however, people often ignore these important communications. This paper explores the links between warning dialog design and user understanding of, motivation to respond to, and actual response to computer security warnings. We measured these variables through a 733-participant online study that tested a set of four existing computer security warnings and two redesigned versions of each across low- and high-risk conditions. In some cases our redesigned warnings significantly increased participants’ understanding and motivation to take the safest action; however, we were not able to show that participants’ responses were differentiated between low- and high-risk conditions. We also observed that motivation seemed to be a more important predictor of taking the safest action than understanding. However, other factors that may contribute to this behavior warrant further investigation.

Keywords

Security warning dialog, usable security

Copyright information

© IFIP International Federation for Information Processing 2011

Authors and Affiliations

  • Cristian Bravo-Lillo (1)
  • Lorrie Faith Cranor (1, 3)
  • Julie Downs (2)
  • Saranga Komanduri (3)
  • Manya Sleeper (3)

  1. Engineering and Public Policy, Carnegie Mellon University, Pennsylvania, USA
  2. Social and Decision Sciences, Carnegie Mellon University, Pennsylvania, USA
  3. Computer Science, Carnegie Mellon University, Pennsylvania, USA
