Contextualized Web Warnings, and How They Cause Distrust

  • Steffen Bartsch
  • Melanie Volkamer
  • Heike Theuerling
  • Fatih Karayumak
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7904)

Abstract

Current warnings in Web browsers are difficult to understand for lay users. We address this problem through more concrete warning content by contextualizing the warning – for example, taking the user’s current intention into account in order to name concrete consequences. To explore the practical value of contextualization and potential obstacles, we conduct a behavioral study with 36 participants who we either confront with contextualized or with standard warning content while they solve Web browsing tasks. We also collect exploratory data in a posterior card-sorting exercise and interview. We deduce a higher understanding of the risks of proceeding from the exploratory data. Moreover, we identify conflicting effects from contextualization, including distrust in the content, and formulate recommendations for effective contextualized warning content.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Adams, A., Lunt, P., Cairns, P.: A qualitative approach to HCI research. Cambridge Univ. Press, Cambridge (2008)Google Scholar
  2. 2.
    Amer, T., Maris, J.: Signal Words and Signal Icons in Application Control and Information Technology Exception Messages – Hazard Matching and Habituation Effects. Tech. Rep. 06-05, Nothern Arizona University (2006)Google Scholar
  3. 3.
    Asgharpour, F., Liu, D., Camp, L.J.: Mental Models of Computer Security Risks. In: WEIS 2007: Workshop on the Economics of Information Security (2007)Google Scholar
  4. 4.
    Bartsch, S., Volkamer, M.: Towards the Systematic Development of Contextualised Security Interventions. In: Proceedings of Designing Interactive Secure Systems, BCS HCI 2012. BLIC (2012)Google Scholar
  5. 5.
    Biddle, R., van Oorschot, P.C., Patrick, A.S., Sobey, J., Whalen, T.: Browser interfaces and extended validation SSL certificates: an empirical study. In: Proceedings of the 2009 ACM Workshop on Cloud Computing Security, CCSW 2009, pp. 19–30. ACM, New York (2009)CrossRefGoogle Scholar
  6. 6.
    Bravo-Lillo, C., Cranor, L.F., Downs, J., Komanduri, S., Sleeper, M.: Improving Computer Security Dialogs. In: Campos, P., Graham, N., Jorge, J., Nunes, N., Palanque, P., Winckler, M. (eds.) INTERACT 2011, Part IV. LNCS, vol. 6949, pp. 18–35. Springer, Heidelberg (2011), http://www.springerlink.com/content/q551210n08h16970 CrossRefGoogle Scholar
  7. 7.
    De Keukelaere, F., Yoshihama, S., Trent, S., Zhang, Y., Luo, L., Zurko, M.E.: Adaptive Security Dialogs for Improved Security Behavior of Users. In: Gross, T., Gulliksen, J., Kotzé, P., Oestreicher, L., Palanque, P., Prates, R.O., Winckler, M. (eds.) INTERACT 2009. LNCS, vol. 5726, pp. 510–523. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  8. 8.
    Downs, J.S., Holbrook, M.B., Cranor, L.F.: Decision strategies and susceptibility to phishing. In: SOUPS 2006: Proceedings of the Second Symposium on Usable Privacy and Security, pp. 79–90. ACM, New York (2006)CrossRefGoogle Scholar
  9. 9.
    Egelman, S., Cranor, L.F., Hong, J.: You’ve been warned: an empirical study of the effectiveness of web browser phishing warnings. In: CHI 2008: Proceeding of the Twenty-Sixth Annual SIGCHI Conference on Human Factors in Computing Systems (2008)Google Scholar
  10. 10.
    Fogg, B.J., Marshall, J., Laraki, O., Osipovich, A., Varma, C., Fang, N., Paul, J., Rangnekar, A., Shon, J., Swani, P., Treinen, M.: What makes Web sites credible?: a report on a large quantitative study. In: CHI 2001. ACM, New York (2001)Google Scholar
  11. 11.
    Glaser, B.G., Strauss, A.L.: The Discovery of Grounded Theory: Strategies for Qualitative Research. Aldine Transaction (1967)Google Scholar
  12. 12.
    Kahneman, D., Tversky, A.: The simulation heuristic. Cambridge University Press, Cambridge (1982)Google Scholar
  13. 13.
    Kauer, M., Pfeiffer, T., Volkamer, M., Theuerling, H., Bruder, R.: It is not about the design – it is about the content! Making warnings more efficient by communicating risks appropriately. In: GI SICHERHEIT 2012 Sicherheit – Schutz und Zuverlässigkeit (2012)Google Scholar
  14. 14.
    Krol, K., Moroz, M., Sasse, M.: Don’t work. Can’t work? Why it’s time to rethink security warnings. In: 7th International Conference on Risk and Security of Internet and Systems (CRiSIS), pp. 1–8 (October 2012)Google Scholar
  15. 15.
    Lazar, J., Feng, J.H., Hochheiser, H.: Research methods in human-computer interaction. Wiley (2010)Google Scholar
  16. 16.
    Rothman, A.J., Kiviniemi, M.T.: Treating People With Information: an Analysis and Review of Approaches to Communicating Health Risk Information. J. Natl. Cancer Inst. Monogr. (25) (1999)Google Scholar
  17. 17.
    Rugg, G., McGeorge, P.: The sorting techniques: a tutorial paper on card sorts, picture sorts and item sorts. Expert Systems 14(2), 80–93 (1997)CrossRefGoogle Scholar
  18. 18.
    Sotirakopoulos, A., Hawkey, K., Beznosov, K.: On the challenges in usable security lab studies: lessons learned from replicating a study on SSL warnings. In: SOUPS 2011: Proceedings of the 7th Symposium on Usable Privacy and Security. ACM, New York (2011)Google Scholar
  19. 19.
    Sunshine, J., Egelman, S., Almuhimedi, H., Atri, N., Cranor, L.F.: Crying Wolf: An Empirical Study of SSL Warning Effectiveness. In: USENIX Security 2009 (2009)Google Scholar
  20. 20.
    Wogalter, M.S.: Handbook of warnings. Routledge (2006)Google Scholar
  21. 21.
    Wu, M., Miller, R.C., Garfinkel, S.L.: Do security toolbars actually prevent phishing attacks? In: CHI 2006: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 601–610. ACM, New York (2006)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Steffen Bartsch
    • 1
  • Melanie Volkamer
    • 1
  • Heike Theuerling
    • 2
  • Fatih Karayumak
    • 3
  1. 1.CASEDTU DarmstadtDarmstadtGermany
  2. 2.IADTU DarmstadtDarmstadtGermany
  3. 3.Cyber Security InstituteTUBITAK BILGEMGebzeTurkey

Personalised recommendations