ABSTRACT
Even though personal firewalls are an important aspect of security for the users of personal computers, little attention has been given to their usability. We conducted semi-structured interviews with a diverse set of participants to gain an understanding of their knowledge, requirements, perceptions, and misconceptions of personal firewalls. Through a qualitative analysis of the data, we found that most of our participants were not aware of the functionality of personal firewalls and their role in protecting computers. Most of our participants required different levels of protection from their personal firewalls in different contexts. The most important factors that affect their requirements are their activity, the network settings, and the people in the network. The requirements and preferences for their interaction with a personal firewall varied based on their levels of security knowledge and expertise. We discuss implications of our results for the design of personal firewalls. We recommend integrating the personal firewall with other security applications, adjusting its behavior based on users' levels of security knowledge, and providing different levels of protection based on context. We also provide implications for automating personal firewall decisions and designing better warnings and notices.
Index Terms
- It's too complicated, so i turned it off!: expectations, perceptions, and misconceptions of personal firewalls