ABSTRACT
We used an iterative process to design firewall warnings in which the functionality of a personal firewall is visualized based on a physical security metaphor. We performed a study to determine the degree to which our proposed warnings are understandable for users, and the degree to which they convey the risks and encourage safe behavior as compared to text warnings based on those from a popular personal firewall. The evaluation results show that our warnings facilitate the comprehension of warning information, better communicate the risk, and increase the likelihood of safe behavior. Moreover, they provide participants with a better understanding of both the functionality of a personal firewall and the consequences of their actions.
A brick wall, a locked door, and a bandit: a physical security metaphor for firewall warnings