Perceptions of Beauty in Security Ceremonies

When we use secure computer systems, we engage with carefully orchestrated and ordered interactions called “security ceremonies”, all of which exist to assure security. A great deal of attention has been paid to improving the usability of these ceremonies over the last two decades, to make them easier for end-users to engage with. Yet, usability improvements do not seem to have endeared end users to ceremonies. As a consequence, human actors might subvert the ceremony’s processes or avoid engaging with it. Here, we consider whether beautification could be one way of making ceremonies more appealing. To explore beautification in this context, we carried out three studies. Study 1 surveyed 250 participants to derive a wide range of potential dimensions of “beautiful ceremonies”. These statements were sorted into dominant themes and converted into statements, which fed into the second study, with 309 respondents, to reveal the dominant dimensions constituting beauty. Study 3 asked 41 participants to carry out a Q-sort, which revealed the ways that people combine the identified dimensions when characterising security ceremonies as “beautiful”. These studies have allowed us to pin down the perceived dimensions of beauty in the context of security ceremonies, and also to understand how people combine these dimensions in different ways in judging security ceremonies to be beautiful, confirming the old adage of beauty being “in the eye of the beholder”. We conclude by highlighting the constraints imposed by the overarching requirement for security to be maintained in the face of any usability improvements and beautification endeavours.

Because the raison d'être of these ceremonies is security assurance, it is not possible to maximise usability. It is only feasible to strive towards a "sweet spot" where both usability and security are maximised. This means that, despite usability improvements, holding the line with respect to security could still lead to a negative experience, which is unhelpful in encouraging people to engage with the ceremonies precisely the way that the ceremony designers anticipated.
In 2019, Bella et al. (2019) coined the term "beautification" to refer to the process of making security ceremonies (more) beautiful so as to trigger positive attitudes towards them (see also Bella and Viganò 2015). Beauty may seem an alien characteristic to attribute to security ceremonies. Yet, Maslow's hierarchy of needs (McLeod, 2007) explains that people have a deep need to experience beauty (Hashim et al., 2009), which makes it worth striving towards beautification efforts to design beauty into all aspects of people's lives. This includes beautifying security ceremonies. Moreover, Soltanzadeh argues that "technologies are intrinsically open to evaluative and comparative judgments which are made by humans" (Soltanzadeh, 2015, p. 15). If humans are making judgements anyway, it is not a great stretch to consider that judgements related to beauty or ugliness of a ceremony could be made.
The beautification we are referring to should not be conflated with the aesthetic beauty of the ceremony's user interface. Beautification, in our context, should focus on maximising the beauty of the user's experience of the ceremony (Molavi Arabshahi, 2012). How might experiences of security ceremonies be beautified? Beautification focuses on everything involved in the choreographed ritual that can contribute to a positive experience, echoing Rönkkö et al. (2009) and Loewy (1950).

Research Questions and Methodology
If we want designers to beautify ceremonies, the first step is to pin down the quality dimensions of the ceremony that would engender perceptions of beauty in users' minds. To home in on these quality dimensions, we address three research questions:
RQ1: "Which quality dimensions of security ceremonies lead to perceptions of beauty?"
RQ2: "What are the dominant perceptions with respect to quality dimensions of beauty in security ceremonies?"
RQ3: "Which quality dimensions do people commonly combine in attributing beauty to security ceremonies?"
To answer the research questions, we carried out three user studies. First, we provided participants with a scenario and asked them questions to elicit their perspectives related to beautification. This allowed us to identify four quality dimensions of beauty in the security ceremony context. The outputs from this study subsequently fed into studies two and three. The second study identified the dominant quality dimensions related to perceptions of beauty, once again in the context of a familiar security ceremony. In the third study, we represented the concourse using a Q-sample of 26 statements that emerged from Study 1. We administered these statements in the form of a Q-sort, which asks participants to rank their agreement with the statements. This assessed the nature of subjectivity and revealed different ways that people combine the quality dimensions reflecting their personal perceptions of the beauty of a specific security ceremony. Figure 1 depicts our research methodology revolving around the three studies.

Contributions
The contributions of this paper are as follows:
1. A discussion of the role of beauty in security ceremonies, with an argument for the need to engage in beautification endeavours in this context (Section 2).
2. A proposal for a number of dimensions of beauty in security ceremonies (Section 3).
3. Revealing dominant quality dimensions (Section 4).
4. An identification of the ways people combine quality dimensions in perceptions of beautiful security ceremonies (Section 5).
5. A final discussion bringing all our findings together to discuss the practical and research-oriented implications (Section 6).
We conclude by drawing some brief conclusions in Section 7.

Background and Methodology
Beauty is traditionally thought of as something visual, but it has also been applied to such diverse areas as music (Portanova, 1975), leadership (Moore, 2016), mathematics (Erickson, 2011; Russell, 1956), truth (Nass et al., 2000), nature (Moore, 2016), and design (Gelernter, 1998; Moore, 2016). Carritt (1932) claims that beauty is not simply related to the agreeableness or usefulness of an item or experience. He says that beauty has more to do with a contemplation of a feeling experienced during, or remembered after, an encounter with a particular artefact. Hence, beauty is interwoven with a person's lived experiences.
What characteristics of the user experience might contribute to beauty? The literature suggests the following: ease of use (fluency) (Reber et al., 2004), a sense of pleasure (Tatarkiewicz, 2006), simplicity (Chen et al., 2010; Karvonen, 2000; Glynn, 2010), aptness (Gelernter, 1998), elegance (Gelernter, 1998), the value of the system in a given context (goodness) (Hassenzahl and Monk, 2010) and responsiveness (Pancake, 2001). This confirms that beauty will be derived from a person's experiences with a particular artefact, in this case security ceremonies. In other words, it elicits positive feelings, based on prior user experiences. Kujala et al. (2011) also highlight the importance of the positive long-term user experience with a product, and the need to focus on the attractiveness of a product being related to the user's satisfaction of the process. Attractiveness, too, can be considered a synonym of "beauty".
It is important, at this point, to draw a distinction between the field of User Experience (UX) and that of beautification. Various perspectives on UX exist, often including overlapping aspects. Prominent amongst these is acknowledging the importance of affective and emotional aspects of interactions, the nature of technology-use experiences, and a focus on values that extend "beyond the instrumental" (Hassenzahl and Tractinsky, 2006). It is this latter perspective which emphasises beauty as an important construct which influences perceptions of goodness, and ultimately usability (Hassenzahl & Monk, 2010).
While no single perspective fully encapsulates UX, each contributes to a better understanding of the user experience. Specifying the phenomenon more precisely, Hassenzahl (2008, p. 12) provides a widely cited definition of UX as "a momentary, primarily evaluative feeling (good-bad) while interacting with a product or service." He says this is different from usability in that it shifts the attention from the product to humans and their feelings, focusing on the subjective part of product use. He then augments his definition with a second part: "Good UX is the consequence of fulfilling the human needs for autonomy, competency, stimulation (self-oriented), relatedness, and popularity (others-oriented) through interacting with the product or service (i.e., hedonic quality). Pragmatic quality facilitates the potential fulfilment of be-goals." From this, it is clear that UX extends beyond purely instrumental needs.
Beauty can arguably be aligned with the first half of this definition, encapsulating the aesthetic experience when using a particular artefact (Alben, 1996). Hence, we could argue that beauty is a subset of UX. Bevan (2008) also mentions the different components of UX, as a meta category, which appears to include beauty (although the author does not explicitly refer to "beauty"). Subsequent literature reviews have confirmed beauty (Hornbaek & Hertzum, 2017) or aesthetics (Bargas-Avila & Hornbaek, 2011) as prominent constructs in UX research. This discussion confirms that beauty, as a construct, is not equivalent to UX, and that perceptions of beauty are interwoven with positive experiences.
In conclusion, to beautify a security ceremony, we have to focus on creating positive experiences. Before discussing how to go about doing this, we first consider how other industries have seen the need for beauty, and built it into their products.

Beautification with Maturity
Beautification becomes apparent also through parallels with other fields. It could be argued that beauty has required time and various alternate developments to explicitly consolidate as a quality of human artefacts. Consider automobiles, for example, which were initially conceived to address the functional need of moving somewhere without animal power. While "Steam car manufacturers were often master craftsmen, mainly interested in making beautiful steam cars" (Geels, 2006), beauty was not a consideration for Henry Ford when he later started mass-selling his Model T Ford (Venugopal, 2018), perhaps in the assumption that beauty would not be affordable for the masses. His customers were, in fact, happy to have this new and unusual functionality in a world where most transport was public. As time went by, other manufacturers entered the market, as did safety requirements imposed by governments. The latter could not be used as a market discriminator, so beauty consolidated as a way for the layperson to distinguish automobiles from each other, and the entire car industry began to realise that. At the time of writing, the Bugatti is the world's most expensive car, and is undeniably beautiful. Such beauty is not only connected to its appearance: it has been designed to give the driver a positive experience as its "sophisticated design, innovative technology, and iconic, performance-oriented form make it a unique masterpiece of art, form and technique".
Personal computers have undergone a similar evolution over the last decades. The first laptops were not designed with beauty in mind: the mere mobility of the device was already revolutionary enough. Yet now, in 2022, it is possible to purchase a laptop of a particular hue, and their outward appearance is often sleek and specifically designed to please the eye. Yet, similar to the Bugatti, the designers have realised that this is not enough. They have also added a number of features to give the owner of the laptop a positive experience due to the functionality and ease of use designed into the system.
It remains clear that people seek, first and foremost, their personal benefit and in fact tend to opt for "beneficial choices" through their online activities (Acquisti et al., 2017). Still, we also know that user interface designers put a great deal of thought into the design of all aspects of their systems: icons, movement of windows and sounds. Similarly, audio-visual notifications may undergo "parametric adaptation" to increase the user acceptance of authentication ceremonies (Desolda et al., 2021). Therefore, the value of beauty is certainly not being neglected (Hassenzahl, 2004). It is as if a market, as it matures, mandates more than mere functionality (FlexibleBoss, 2014; Goodwin, 1987). As Rönkkö et al. argue: "It is the design of the total experience that sells" (Rönkkö et al., 2009, p. 18). We argue that the time for a consideration of beauty in designing security ceremonies has arrived.

Security Ceremonies: the Basics
The term ceremony was coined by Jesse Walker (Lortz et al., 2012) to describe the interaction between a user and computing devices. The use of the term in the area of information/cyber security is due to Ellison (2007) as an extension of the concept of security protocol: a security ceremony expands a security protocol with everything that is considered out-of-band to it. Precisely, "Ceremonies include all protocols, as well as all applications with a user interface, all workflow and all provisioning scenarios" (Ellison, 2007). Therefore, the innovative stance of security ceremonies is to include human nodes alongside computer nodes, with communication links that comprise user interfaces, human-to-human communication and transfers of physical objects that carry data. Such a stance substantiates our research questions, particularly the need to address the quality dimensions of beauty in security ceremonies.
The full functioning of such a complex and heterogeneous system is oriented at achieving one or more security properties such as confidentiality, integrity or authentication (see, e.g., Network Working Group, 2007; NICCS, 2022; Menezes et al., 2001; Schneier, 2015, for a definition of these security properties and other security notions).
As technology progresses in any area, human beings are increasingly surrounded by, and immersed in, security ceremonies during their everyday lives. They carry out security tasks that occur through a virtually infinite range of scenarios interposing people's (i) professional activities, such as logging into their employer's computer systems using two-factor authentication, (ii) business or leisure activities, such as taking a flight which involves getting through airport security, and (iii) chores, such as paying for their shopping with a debit card.
As we already remarked in the introduction, the term "security ceremony" has been used in socio-technical security to refer to different kinds of ceremonies, including key-signing ceremonies (Internet Assigned Numbers Authority (IANA), 2022) and secure key generation processes (CVA Cybersecurity Working Group, 2020). In this paper, we focus on the notion of a security ceremony as an extension of a security protocol in which human agents and software-based agents exchange encrypted messages to achieve certain goals. As a concrete example, consider the security ceremony shown in Fig. 2, in which a human user carries out a two-factor authentication security ceremony by interacting with an interface to exchange messages with a device and a database.
A notable remark and a challenge posed by Ellison is relevant: "what is out-of-band to a protocol is in-band to a ceremony, and therefore subject to design and analysis using variants of the same mature techniques used for the design and analysis of protocols" (Ellison, 2007, p.1). The rest of this article takes his remark as a fundamental work assumption and also contributes to addressing this challenge. In particular, when carrying out a (formal or even semi-formal) analysis of a security ceremony, one should consider also the mistakes that human users may make through their active participation, and that have the potential to lead to violations of the security properties that the ceremony was intended to guarantee. A number of approaches have been proposed to this end, e.g., discussing different threat models of security ceremonies, providing frameworks for the analysis of security ceremonies (Bella et al., 2022; Carlos et al., 2012), or explicitly modelling and reasoning about human errors in security ceremonies (Basin et al., 2015; Basin et al., 2016; Sempreboni and Viganò, 2020).
In the following, for brevity, we will refer to "security ceremonies" as "ceremonies" and to "quality dimensions" as "dimensions".

Beauty in Security Ceremonies
Now, consider the idea of beautiful ceremonies. This is especially important because a ceremony's non-use or a negative experience of an unattractive ceremony will compromise security and leave holes open for hackers to exploit. Current experiences appear to confirm their general unattractiveness (Cranor & Garfinkel, 2005; Sheng et al., 2006; Clark et al., 2011). The consequence is that users might try to circumvent the ritual (Blythe et al., 2013), especially when their so-called "compliance budget" (Beautement et al., 2008) has been depleted. Awareness and training programmes are the standard organisational response to this (Yildirim, 2016), but the effectiveness of such drives is patchy (Banfield, 2016; Kennedy, 2016). Training is necessary but not sufficient, i.e., it does not guarantee that people will act as conveyed during training. In particular, it cannot overcome a reluctance that stems from prior negative experiences when engaging with unattractive ceremonies.

Fig. 2 A sequence diagram of a two-factor authentication security ceremony
As a first step towards beautifying these ceremonies, we need to understand perceptions of beauty in this context, and the dimensions that make people perceive beauty in them. Hence, our investigation to answer RQ1.

Study 1: Deriving Beauty Dimensions
To find out what the general public attributes beauty to in security ceremonies, we carried out our first scoping study. We chose a commonly used ceremony: buying a train ticket on a smartphone, which can be shown on demand when travelling. We asked participants to tell us what was beautiful about the ceremony, and then to give us examples of ceremonies that were as follows: (1) equally, (2) more, or (3) less beautiful.
Simplification emerged as a strong beautification theme in previous investigations (Loewy, 1950). Hence, in presenting the description of the ceremony to our participants, we simplified the traditional ceremony of buying a paper ticket and moved it onto their smartphone. As such, it builds on the familiar "traditional" ticket purchasing ceremony but does not have the negative connotations of having to wait in a long queue to purchase a paper ticket, and be infused with the dread of misplacing the ticket and not being able to present it on demand.
We ran a crowdsourcing job on the Prolific platform. We posed the ticket buying scenario and asked for respondents' opinions. We paid 250 participants an average of £11.62 per hour, which exceeds the UK's living wage. The survey questions are shown in Fig. 3.

Analysis and Results
This study produced outputs to lead into the other two studies: (1) the dimensions of beautiful security ceremonies, to reveal prominence (Section 3.2), and (2) statements to be sorted to reveal dimension preferences and common dimension combinations (Section 3.3).
Think about travelling on a train or bus using a paperless ticket that is displayed on your smartphone.
1. What is BEAUTIFUL about this ceremony?
2. Can you think of a ceremony that would be EQUALLY beautiful?
3. Can you think of a ceremony that would be MORE beautiful?
4. Can you think of a ceremony that would be LESS beautiful?

Extracting Dimensions for Study 2
Three authors coded the free text responses independently, then met to agree. Two authors then tallied all the responses and identified the themes that characterise perceptions of beauty in the security ceremony we presented to the participants (See left-hand column of Table 2).
To extract dimensions, we classified conceptually similar themes in Table 2 into dimensions of perceived beauty. This was done independently by two authors who met to agree. Table 1 shows the groupings that emerged, some with more representative themes allocated to them than others. Going forward, we will focus on the most representative dimensions with more than one theme allocated to it: (1) simplicity, (2) convenience, (3) modernity, and (4) assurance/security.
The first thing to notice about the dimensions is that they are not independent: some are subsumed by the others, and the security/assurance dimension is the one upon which all the others rely.
Consider simplicity. Loewy (1950) argues that beauty is a combination of function and simplification. He goes further to explain that multiplicity is the essence of confusion, and that we should strive for reductionism in order to beautify. Margaria and Hinchey (2013) have also linked beauty and simplicity. They argue that simplicity is a mindset, informing design decisions, and that simplicity is easily compromised by poor decisions. Choi and Lee (2012) investigated the impact of simplicity on user satisfaction and found a strong relationship between the two. They suggest that simplicity "contributes to positive satisfaction evaluations", another subjective measure. Lee et al. (2007) also argue that simplicity is the antecedent to perceived ease of use. This is confirmed by Eytam et al. (2017) and Lee et al. (2008). Maeda (2006) argues that functionality should be pared down as much as possible in order to maximise simplicity. This discussion confirms the contribution of simplicity to a positive experience, and consequently the beauty of a prior experience with a security ceremony.
Statements 1, 5, 13 and 17 are subsumed into convenience: not wasting time and ensuring reachability (Brown and McEnally, 1992). Green and futuristic themes are assigned to the modernity dimension, given that green-ness is related to the emerging concern across the globe and modernity is also related to looking to the future and ensuring sustainability. The irritation-related dimension is subtly different from convenience, which is concerned with minimisation of effort. While extra effort might well lead to irritation, this is not a guaranteed consequence, so we have kept these two separate.
Finally, we consider the foundational assurance/security dimension, which includes the concept of reliability of technology. Pilz et al. (2020, p. 2348) define reliability as "a fulfilment attribute that is defined by the resulting quality of the product." In traditional software engineering, reliability is a non-functional requirement that can be measured in a repeatable and objective way (Software Engineering Institute,). As such, a software professional may strive to define such requirements precisely, assuming that fulfilling them will result in an artefact of objective quality. However, when a quality judgement is made by end-users, based on their perceptions of an artefact, it can indeed become idiosyncratic. Perceptions across a range of end-users may differ widely and be far less consistent than those of software professionals. In this case, quality judgements might become subjective, so it makes sense that this dimension is related to beauty. This dimension reflects the overriding requirement for beautification not to compromise the security of the ceremony software system or the reliability of the underlying technology.
Once again, the inter-relatedness of the dimensions comes to the fore when we consider that Sha (2001) explicitly links reliability to simplicity.

Deriving Representative Statements for Study 3
We decided to make use of the Q-methodology, a research method introduced by Stephenson (1935) for the systematic study of subjectivity in Study 3. The Q-methodology essentially asks participants to sort Q-Statements (a process called a Q-Sort). Any study into perceptions of beauty must acknowledge the inherent subjectivity of such judgements. As such, the Q-methodology is particularly appropriate.
This methodology asks participants to sort statements. We thus needed to convert the themes in the left-hand column of Table 2 into statements (referred to as Q-Statements above). This was, once again, done independently by two researchers, who then met to discuss and agree on statement formulations. The statements are shown in the right-hand column of Table 2.

Study 2: Revealing Dominant Dimensions
To reveal perceptions related to the dominance of the different dimensions of beauty, in the security ceremony context, we conducted a second survey. The ubiquitous password-based login ceremony was used as a baseline to support beauty-related comparisons. The dimensions depicted in Fig. 4 facilitate these comparisons. (We used the word "security" instead of "assurance/security" to simplify the task.) We gave participants a number of alternatives to password-based authentication to contemplate, and asked them to tell us which were "most beautiful". We also asked them to rate the previously identified dimensions of each alternative authentication process. Finally, we asked them how important each dimension was in the traditional password-based login process. The survey questions are shown in Fig. 5.

Recruitment
We recruited 309 participants using the Prolific platform. The participants did not overlap with the first study.

Analysis
We used the answer to the first question (password-based authentication) as a baseline, which allowed us firstly to identify those alternatives to password-based authentication that our participants considered to be most beautiful. The next step was to look at the participants' ratings of these "most beautiful" authentication alternatives to see which of the other four dimensions they considered to be aligned with each alternative.

Table 2 (theme: Q-statement)
3. Nothing: I would feel completely ambivalent to the ceremony.
4. Green: It is environmentally friendly.
5. Reachable: It is convenient.
6. Assurance of Security: I cannot lose anything and that is comforting.
7. Easy to use: It is easy.
8. Aesthetics: It is attractive to look at.
9. Futuristic: It is futuristic.
10. Practical: It is effective.
11. Personalised: It is personalised to me.
12. Assurance: It is a code that is hard to crack.
13. Reachable: It is available where you are.
14. Reliability of Technology: It is reliable.
15. Fun: It is a fun mechanism.
16. Functional: It is simply practical.
17. Reachable: I have my device with me all the time anyway.
18. Technology is beautiful: The beauty is in the underlying technology.
19. Reachable: Having everything in the palm of your hand.
20. Irritation: It is less irritating than the current situation.
21. Aesthetics: The ticket/code design is aesthetically pleasing.
22. Liking change: It changes the status quo.
23. Reliability of Technology: I do not have to worry about technology failing.
24. Does not waste time: It automates as much as possible of the ceremony.
25. Versatile: It allows me to use my device for more purposes.
26. Assurance: There is an electronic record to prove my action.

Figure 6 shows that two particular authentication alternatives were chosen by the majority of the participants: (1) smart bracelet, and (2) looking into the computer's webcam. A paired-samples t-test showed that the ranking for the beauty of the password-based login process was significantly different from those of both of the two "most beautiful" alternatives (p < .001). Figures 7 and 8 depict the ratings for beauty (as the participants compared each "most beautiful" alternative to the password-based login process).

Which Dimensions Align with Beauty for the Most Beautiful Alternatives?
We now focus our attention on the ratings given to the two most popular alternatives that emerged from the previous question. It is clear from Table 3 that the top two "most beautiful" choices have moderate correlations between beauty and (1) convenience, (2) simplicity, and (3) modernity. In both cases, there is only a low correlation with security.

Which Dimensions are Most Important when Logging in with a Password?
The security of the password-based login process is clearly the most important dimension to these participants, as can be seen from Fig. 9.

Discussion
We asked our participants to focus their attention on the beauty of authentication ceremonies. The correlations reported in Table 3 provide some confirmation that

2. Now, rate each of the following six alternative authentication ceremonies, in terms of how they compare to the password-based login process (on the same five dimensions):
(a) You request a link to be sent to your email address, which you provide. You use that link to log into your important online account.
(b) You have a smart bracelet that detects your heart rate to ensure that it is being worn by *you*. It communicates with your device when you access your important online account to confirm your identity without you having to do anything.
(c) You provide your email address and your password and then get a code sent to your phone which you need to enter to complete the log in process.
(d) You have a chip implanted in your hand, and you wave your hand in front of your device to log in.
(e) You look into your device's camera/webcam to log in.
(f) You use a password manager (e.g. LastPass or Dashlane), which remembers and pre-fills your password for you (once you provide the password manager's master password).
(g) You enter your email address. The system then displays a picture of scenery and you click on different positions in the picture that you chose when you created the account.
3. Which of the alternatives was MOST BEAUTIFUL to you?

because they have no experience of the assurance/security provided by these alternatives and so cannot judge this dimension. It could be argued that the assurance/security of any security ceremony is the responsibility of the person implementing and maintaining the online service. Yet, our participants clearly did want to be assured that someone had designed security into the alternative authentication ceremony, as we can see from Fig. 9. This means that if we want people to see beauty in alternative mechanisms, we are going to have to provide security assurances that are believable and understandable. One way to contemplate this finding is that beauty and security should be treated using the "separation of concerns" principle. Beauty should be maximised and security properties assured by those who design these ceremonies. The implementer should then strive to locate the sweet spot where security, usability and beauty are maximised as much as possible.

Study 3: Investigating Shared Perspectives
To assess the way people combine the dimensions in their thinking when attributing beauty to ceremonies, we used Q-methodology, a research method introduced by Stephenson (1935) for the systematic study of subjectivity. Q-methodology is essentially an informal instantiation of Cultural Consensus Theory (Weller, 2007), which provides a framework for the measurement of beliefs as cultural phenomena. In other words, it allows us to assess beliefs shared by groups of individuals. As such, this theory helps us to assess what people consider to be the culturally appropriate answers to a series of related questions (the overriding theme, in our case, being perceptions of beauty in security ceremonies).
The findings are not meant to be representative of the general population, but rather to reveal the nature of subjectivity in this domain. Not "how are people thinking on the topic?", but rather "what is the nature of their thinking?" This focus on segments of similar or dissimilar points of view renders the issue of large participant numbers "relatively unimportant" (Brown, 1993).
Fig. 7 Comparing the password-based login to webcam security
The method essentially seeks to reveal correlations between subjects across a sample of variables that is referred to as the Q-set and that is composed of Q-statements. Factor analysis isolates the most influential "factors", which represent cultural ways of thinking. The method's strengths are that it not only applies sophisticated factor analysis, but also supports a qualitative analysis by eliciting responses that explain people's ranking of different statements. It is an exploratory technique that cannot prove hypotheses, but can provide a coherent view on "potentially complex and socially contested" issues (Watts and Stenner, 2005). Figure 10 details the high-level steps participants engage in when doing a Q-sort, which was the method employed in this study.
After being welcomed, participants first acquainted themselves with the 26 Q-statements, as shown in Table 2, by sorting them into three categories: agree; neutral; disagree. This serves to get "an impression of the range of opinion at issue" (Brown, 1993). Next, participants sorted the statements into a fixed quasi-normal distribution, ranging from −3 (disagree) to +3 (agree). Participants were given a chance to amend and confirm their rankings. Following this, participants were asked for open-ended comments on the statements they found most agreeable (ranked +3) and most disagreeable (ranked −3), after which the study concluded.

Data Collection
The study was conducted online using the Easy HtmlQ platform. We initially performed five timed pilot tests, to get a sense for the time needed for the Q-sort. Based on feedback obtained from the pilot testers, unclear statements were refined and the clarity of the process was improved. Ranking data from the pilot tests were discarded and not used for analysis.
Next, 41 participants were recruited on the Prolific platform. This is consistent with recommended participant group sizes in Q-methodology (Watts & Stenner, 2005). The participants did not overlap with either of the other studies. We paid participants £3 for approximately 20 minutes of labour, based on the pilot study timings. Participants did not provide any personal data, ensuring that participation was anonymous. Participants were aged from 18 to 64, with 12 females and 29 males.

Analysis and Findings
The analysis was conducted using the Ken-Q Analysis (version 1.0.6) web application. We extracted seven factors using the centroid technique. These factors all had an Eigenvalue in excess of 1 and, together, accounted for 63% of the total variance. Next, we applied a varimax procedure for factor rotation. We eliminated two factors that had only one significantly loading participant (as recommended by Watts & Stenner 2005). The remaining five factors account for 52% of the total variance. The composite Q-sort for each of the five factors is included in the sections below. In the analysis, Pi refers to a comment by Participant i.
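
The factor sections below report each statement as (item ranking, Z-score). As an added example, not taken from the paper or from Ken-Q Analysis, the following sketch shows the conventional Q-methodology way such a composite Q-sort is built from a factor's defining sorts: each sort is weighted by f / (1 − f²), the weighted statement totals are standardised, and the statements are placed back into the forced grid. The per-column grid counts, the three participants and their loadings are constructed assumptions.

```python
import math

# Assumed forced quasi-normal grid: column value -> number of slots.
# The page gives the range (-3..+3) and 26 statements; these per-column
# counts are an assumption chosen to sum to 26.
GRID = {-3: 2, -2: 3, -1: 5, 0: 6, 1: 5, 2: 3, 3: 2}


def sort_from_order(order, grid=GRID):
    """Build a Q-sort (statement -> column) from a most- to least-agreed order."""
    columns = [c for c in sorted(grid, reverse=True) for _ in range(grid[c])]
    if len(order) != len(columns) or len(set(order)) != len(order):
        raise ValueError("order must list every statement exactly once")
    return dict(zip(order, columns))


def factor_weights(loadings):
    """Conventional Q-method weight f / (1 - f^2) per defining participant."""
    weights = {}
    for person, f in loadings.items():
        if abs(f) >= 1.0:
            raise ValueError(f"loading for {person} must lie strictly in (-1, 1)")
        weights[person] = f / (1.0 - f * f)
    return weights


def composite_sort(sorts, loadings, grid=GRID):
    """Return {statement: (column, z_score)} for one factor."""
    weights = factor_weights(loadings)
    statements = sorted(sorts[next(iter(weights))])
    totals = {s: sum(w * sorts[p][s] for p, w in weights.items())
              for s in statements}
    mean = sum(totals.values()) / len(totals)
    # Sample standard deviation (n - 1); a choice made for this sketch.
    sd = math.sqrt(sum((t - mean) ** 2 for t in totals.values())
                   / (len(totals) - 1))
    if sd < 1e-12:
        raise ValueError("defining sorts cancel out; no composite can be formed")
    z = {s: (totals[s] - mean) / sd for s in statements}
    # Highest z-score takes the highest free column; ties break on statement id.
    ranked = sorted(statements, key=lambda s: (-z[s], s))
    return {s: (c, z[s]) for s, c in sort_from_order(ranked, grid).items()}


# Constructed sample data (not from the study): A and B disagree only on
# statements 1 and 3; C is the exact mirror image of B.
SORT_A = sort_from_order(list(range(1, 27)))
SORT_B = sort_from_order([3, 2, 1] + list(range(4, 27)))
SORT_C = {s: -c for s, c in SORT_B.items()}
SORTS = {"A": SORT_A, "B": SORT_B, "C": SORT_C}

if __name__ == "__main__":
    result = composite_sort(SORTS, {"A": 0.80, "B": 0.60, "C": -0.60})
    for s in (1, 2, 3, 25, 26):
        col, z = result[s]
        print(f"#{s}: ({col:+d}, {z:.2f})")
```

A participant who loads negatively on a factor (C here) receives a negative weight, so a mirror-image sort reinforces the composite instead of cancelling it.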

Factor 1: Convenience and Simplicity
This factor has an Eigenvalue of 4.65 and accounted for 11% of the total variance. The factor array was defined by four participants, two males and two females aged 38 to 60 years. Members of this group were older, with an average age of 47 years. Observed themes in this factor array were how participants valued the convenience of using an existing device, despite risks of technology failure (see Fig. 11).
Participants with this viewpoint valued the convenience of using a device they already carried all the time. In most cases, this would be a smartphone, or similar palm-sized device. P5 commented that: "I don't have to have anything rather than what I already have in my pockets/bag." Having a single device presents less risk of losing additional items, "Always have it with me so no need to carry extra things I may lose." (P35). This also provides the satisfaction of using the device for more purposes.
Statements supporting the conceptual theme of convenience of using an existing device were as follows (numbers in brackets indicate the item ranking and Z-score):
• #5 "It is convenient" (3, 2.26)
• #17 "I have my device with me all the time anyway" (2, 1.21)
• #19 "Having everything in the palm of your hand" (2, 1.34)
The convenience of using an existing device is counterbalanced by the risks of technology failure. Participants admitted that reliability is not guaranteed and that there is a concern about technology failing. As P8 commented: "Technology can always fail, what if I lose internet access? What if battery fails? If there is a bug in the software?" This could include hardware or software implementation. Referring to cracking security codes, P35 commented that: "I'm sure someone is capable of doing so!"
Statements supporting the conceptual theme of risks of technology failure were as follows:
• #12 "It is a code that is hard to crack" (−2, −1.01)
• #14 "It is reliable" (−1, −0.7)
• #23 "I do not have to worry about technology failing" (−3, −1.94)
In summary, in the Convenience and Simplicity perspective participants see beauty in the convenience of using an existing device. Ideally, this is something small that they have with them all the time. However, they don't entirely trust the technology to be reliable, secure and to work every time.

Factor 2: Convenience and Security
This factor has an Eigenvalue of 4.69 and accounted for 11% of the total variance. The factor array was defined by four participants, all males with ages ranging from 18 to 40 years. Members of this group had an average age of 25.5 years. Observed themes in this factor array were how participants valued convenience and security (see Fig. 12). Participants with this viewpoint value availability and the freedom of using a device they have with them all the time. As P20 commented: "It's also cool that I can have it whenever I want…" and "no need to look for physical distribution places, all you need is a phone connection" (P9). It also provides a sense of comfort, as P41 explained: "It's comfortable and easy ... as I always keep my device with me." In addition, having an electronic record of actions was important, for example P9 stated: "I trust more things that are recorded on a server than paper that you can edit and counterfeit easily." It seems that this group trusts technology more than in the case of Factor 1, agreeing with the statement "I cannot lose anything and that is comforting".
Statements supporting the conceptual theme of availability and the convenience of using an existing device were as follows:
• #13 "It is available where you are" (3, 1.89)
• #17 "I have my device with me all the time anyway" (3, 1.61)
• #7 "It is easy" (2, 1.05)
Fig. 11 Factor 1 Q-Sort (Convenience and Simplicity)
Yet, participants did have some concerns related to security. Almost all participants agree that "there's always a certain amount of fallibility in electronic systems" (P9). P20 said: "I think that cyber security is still in low position, it is really easy for hacker to take from us our social media accounts or even bank accounts, so I think that if somebody wants to, he will see where and when I'm going with no bigger problem." From a design perspective, being attractive to look at, or being aesthetically pleasing, was not highly ranked.
Statements supporting the conceptual theme of security assurance were as follows:
• #23 "I do not have to worry about technology failing" (−3, −2.00)
• #12 "It is a code that is hard to crack" (−3, −1.72)
• #26 "There is an electronic record to prove my action" (2, 0.98)
In summary, in this perspective participants see beauty in availability and freedom to use an existing device, which denote convenience. This is balanced by a realistic view of the security risks that may be involved.

Factor 3: Improving the Status Quo
This factor has an Eigenvalue of 6.77 and accounted for 17% of the total variance. The factor array was defined by seven participants, three males and four females aged 24 to 41 years. Members of this group had an average age of 30.7 years. Observed themes in this factor array demonstrated how participants valued the assurance and convenience of the ceremony, with a critical perspective on the notion of beauty improving the existing state of affairs (see Fig. 13).
Participants value a practical and efficient solution, e.g., "there is a beauty in efficiency" (P21). As P38 explained: "I don't have to worry about buying a ticket in the ticket booth - I have had situations where they were closed. … when I can buy them on my phone I don't have to worry about time of day, hour of day etc. … buying ticket on my phone is the safer option." P32 highlighted that: "It's just that this method is much faster than the traditional one."
Several interesting perspectives on the notion of beauty also emerged. P21 mentioned: "No, I don't think the ceremony is particularly beautiful, although there are some small elements highlighted that could be considered so upon reflection (e.g. the efficiency) there is no aesthetic beauty to it." Another perspective was that "the beautiful thing is that the world is changing and opening up to new possibilities" (P38). Concern for the environment emerged as an important value to several members of this group. The role of technology was summarised by P14: "something being futuristic should not be the goal itself - it should make people's life easier using the latest technology."
Statements supporting the conceptual theme of improvement were as follows:
• #16 "It is simply practical" (3, 1.88)
• #10 "It is effective" (2, 1.05)
• #4 "It is environmentally friendly" (2, 1.18)
Despite the conveniences that the use of technology allows, participants raised concerns about the failure of such technology. P32 said: "Technology can be unreliable. There is a possibility that the phone breaks down.", while P37 explained that: "Sometimes my phone collapses, and you can lose battery also easily." Concerns are specifically related to mobile devices. While these are likely no longer seen as "futuristic", they remain the primary point of interaction with modern security ceremonies.
Statements supporting the conceptual theme of risks of technology failure were as follows:
• #23 "I do not have to worry about technology failing" (−3, −2.22)
• #6 "I cannot lose anything and that is comforting" (−3, −1.88)
• #9 "It is futuristic" (−2, −1.03)
In summary, from an improvement perspective beauty is an efficient and easy solution, which provides a convenient alternative to traditional (paper-based) mechanisms. In this sense the environmental friendliness of a paperless ceremony can also be considered beautiful.

Factor 4: Modernity and Simplicity
This factor has an Eigenvalue of 3.89 and accounted for 9% of the total variance. The factor array was defined by two participants, both males aged 20 and 29 years respectively. Observed themes in this factor array showed that participants valued an environmentally friendly (modern) and easy to use solution, while not being overly concerned with technological issues (see Fig. 14).
Participants place a high value on being environmentally friendly, as indicated by P13, stating: "today it is fundamental that everything is environmentally friendly." In addition, being simple and easy to use is also valued. There is trust that the technology will work effectively. Not being a native English speaker, P6 commented that: "it's effective for me because of my English."
Fig. 13 Factor 3 Q-Sort (Improving the Status Quo)
Statements supporting the conceptual theme of modernity and simplicity were as follows:
• #4 "It is environmentally friendly" (3, 1.80)
• #7 "It is easy" (3, 1.80)
• #2 "It is simple" (2, 1.14)
This group did admit some security concerns: "I'm a little bit afraid of the huge use of electronic [tickets]" (P13) and "it is not that hard to crack…" (P6). However, in general, low value is placed on security properties (such as audit trails) and using automated, multi-purpose technologies.
Statements supporting the conceptual themes of technology and security ambivalence were as follows:
• #24 "It automates as much as possible of the ceremony" (−3, −1.61)
• #25 "It allows me to use my device for more purposes" (−3, −1.52)
• #12 "It is a code that is hard to crack" (−2, −1.52)
• #26 "There is an electronic record to prove my action" (−2, −1.42)
In summary, from the Modernity and Simplicity perspective, beauty is a modern, simple, and easy to use solution. Being environmentally friendly is more important than technical automation and security nuances.

Factor 5: Modernity and Convenience
This factor has an Eigenvalue of 1.61 and accounted for 4% of the total variance. The factor array was defined by two participants, both males aged 19 years. Observed themes in this factor array showed that participants valued a futuristic (modern) and convenient solution, while still being concerned about security (see Fig. 15).
The participants valued a modern solution that is environmentally friendly. Speaking to highly rated aspects P22 commented that "Futurism is an interesting aspect of the ceremony, as it shows modernity", while P2 stated "it doesn't waste paper." The convenience of completing the ceremony on a device close at hand is also important. Nevertheless, assurance of security and reliability remains important.
Statements supporting the conceptual theme of modernity, convenience, and security were as follows:
• #9 "It is futuristic" (3, 1.65)
• #10 "It is effective" (3, 1.65)
• #5 "It is convenient" (2, 1.23)
• #12 "It is a code that is hard to crack" (1, 0.46)
Contrary to the thoughts of Factor 1, this group did not find the ceremony to be fast: "The ceremony usually takes a long time and is not all that fast" (P22). It was also perceived as more difficult, P2 commenting: "I find it difficult" and P22 stating "Preparing the ceremony is not that easy, because you have to think about everything and everything." It can also be observed that using a device for more (security) purposes is not really of importance to this group.
Statements supporting the conceptual themes of ease of use and device purpose were as follows:
• #1 "It is fast" (−3, −1.65)
• #7 "It is easy" (−2, −1.39)
• #25 "It allows me to use my device for more purposes" (−3, −1.44)
In summary, in this perspective participants see beauty in a modern and convenient solution that still provides an assurance of security and reliability. At the same time there is an acknowledged trade-off with usability.

Summary
This section provides evidence for a range of perspectives on beauty in security ceremonies. Although five shared perspectives were uncovered it is, of course, possible that many more exist. While we cannot definitively determine how widely held any particular perspective is, the descriptions provide a more detailed view on the elements that constitute it.

Making Sense of Beauty in Security Ceremonies
In the first study, we identified the three dimensions of beauty in the security ceremony: (1) simplicity, (2) convenience, and (3) modernity, with an overall reliance on assurance, security and reliability of the technology.
Second, we verified that the first three dimensions are moderately correlated with beauty in people's minds. We argued for developers to strive towards a "sweet spot" where security, usability and beauty of security ceremonies are maximised. This will ensure that users' experiences with these ceremonies are as positive as possible.
Finally, we identified five ways that groups of people combine these dimensions in their personal subjective views of perceptions of beauty in ceremonies.
Yet, there is both virtue and vice in our findings. There is virtue because, starting from the specific case of security ceremonies, we arrived at "standard" results for design, thus confirming the validity of our findings. There is vice because this seems to suggest that we did not need to identify bespoke quality dimensions leading to beauty, as a specific case. It might be that this beauty can be captured under the wider umbrella of "design". This is where the third dimension, modernity, plays a major role in differentiating beautiful security ceremonies from usable security ceremonies. Our findings suggest that many people value environmentally friendly (i.e., "green") solutions. The extent to which technology achieves this is what makes it beautiful, supporting the fundamental value of sustainability. Indeed, a parallel may be drawn with the Responsible Innovation domain and broader societal impact of technologies (e.g., von Schomberg & Blok, 2021). This framing of modernity suggests that beauty is subtly different from pure design or indeed the usual usability metrics of efficiency, efficacy and satisfaction. Figure 16 demonstrates the relationship between the different dimensions (as well as UX) reflecting the sweet spot that designers should strive towards.
Fig. 16 The Sweet Spot between Usability, Security and Beauty (with User Experience (UX) shown as well)
On the one hand, there is the need to demonstrate the three dimensional qualities while, at the same time, acknowledging that the simultaneous maximal achievement of the three qualities for a specific security ceremony is unlikely to be feasible or workable. This leads us to argue that the importance of the quality dimensions will have to be weighted within the context of specific ceremony types.
Moreover, we should always bear in mind that the ultimate goal of a ceremony is to achieve one or more security properties. Hence, in addition to weighting the different dimensions of beauty, it will always be necessary also to confirm, via a formal analysis, that the beautification process has not compromised the security of the ceremony.

RQ1: "Which quality dimensions of security ceremonies lead to perceptions of beauty?"
Our first study identified three dimensions that lead people to perceive security ceremonies to be "beautiful": (1) simplicity, (2) convenience, and (3) being modern. These rest on an assurance that ceremonies and underlying technologies are secure and reliable.

RQ2: "What are the dominant perceptions, with respect to quality dimensions of beauty in security ceremonies?"
The second study found moderate correlations between perceptions of beauty and the three dimensions: simplicity, convenience, and modernity, confirming the validity of the dimensions in engendering perceptions of beauty in security ceremonies.

RQ3: "Which quality dimensions do people commonly combine in attributing beauty to security ceremonies?"
In our third study, we identified five ways that people combine dimensions that lead to perceptions of beauty in security ceremonies. Three of the groups considered convenience as a beautifying dimension, and two included modernity and two simplicity, with one group advocating for an improvement to the status quo.

Heterogeneity in Subjective Judgements
We have derived four dimensions of beauty that pertain to subjective judgements of beauty in security ceremonies. Yet, we have to acknowledge that beauty is in the mind of the human making the judgement. Perceptions of human beauty are very different between people in the same culture and between those coming from different cultures (Poran, 2002). Our Q-methodology study consulted only 41 people; a different set of people might well have different ideas about which aspects constitute beautiful dimensions in this context. This might be especially so for persons with disabilities, or those who have particular problems with security ceremonies. What does this mean for developers wishing to beautify their ceremonies? What we can say is that, at a population level, beautifying the ceremonies by focusing on the four dimensions we identified will improve beauty for many users. However, further investigations ought to be carried out with the other populations we mention here, to determine additional dimensions that would beautify ceremonies for them too.

Ethics
These studies were approved by the ethics review board of King's College London. Participants were paid the UK's minimum wage for their time, based on pilot testing to ascertain how long the tasks were likely to take.

Limitations
Phase 1 elicited responses based on a simplified ceremony. This might well have primed the mention of simplicity in the first study and subsequently alignment of beauty with simplicity in the other studies. However, we did consider the use of simplification to be justified because it had emerged as a strong beautification dimension in previous studies. Had we chosen to beautify the ceremony by, for example, providing people with an aesthetically pleasing paper ticket, the outcome may well have been different. Such a study might have primed people towards preferring aesthetic dimensions of ceremony artefacts. However, our primary focus was on the beauty of the user's experience of the ceremony, and priming people to consider aesthetics might have confounded our results. To explore the possible impact of priming on perceptions of beauty, we plan to carry out a future study.
The small number of participants in the third study could be considered a limitation. However, it should be emphasised that this methodology has been specifically designed to reveal subjective opinions, i.e., how people subjectively perceive particular situations and experiences. The relatively small number of participants (41) would indeed be considered too small a sample to provide enough data to support tests for statistical significance. Yet it is methodologically appropriate for detecting cultural opinions (Watts & Stenner, 2005) and subjectivity, which is what we aimed to achieve.

Conclusion
What we achieved in our research was to find out what makes security ceremonies beautiful, i.e., what qualities of the user's experience of engaging with a ceremony would lead to perceptions of beauty. Knowledge of these quality dimensions can inform our beautification endeavours during ceremony design. We hope that our identification of these quality dimensions, and designing ceremonies to maximise these, will encourage people to want to engage with the ceremonies because the beauty of the experience engenders positive emotions. Such positivity might instigate a reinforcing loop because people's favorable experiences will lead to subsequent positivity and greater engagement with security. This could ultimately be captured by robust human-centric user studies (Krol et al., 2016) in order to help researchers to understand end-users and their interactions with beautiful security ceremonies. As future work, we also plan to investigate whether, and how, our insights and results could be adapted to other kinds of security ceremonies such as those mentioned above. In particular, we plan to carry out a new study to investigate how professional ceremonies (e.g., key-signing ceremonies) might influence nonprofessional users' perceptions of security or beauty. To that end, we plan to survey both the professionals directly involved in such ceremonies and the professionals and laypersons that are not directly involved in the ceremony but are expected to trust the keys signed during the ceremony.