DOI: 10.1145/2078827.2078829
research-article

A brick wall, a locked door, and a bandit: a physical security metaphor for firewall warnings

Published: 20 July 2011

Abstract

We used an iterative process to design firewall warnings in which the functionality of a personal firewall is visualized based on a physical security metaphor. We performed a study to determine the degree to which our proposed warnings are understandable for users, and the degree to which they convey the risks and encourage safe behavior as compared to text warnings based on those from a popular personal firewall. The evaluation results show that our warnings facilitate the comprehension of warning information, better communicate the risk, and increase the likelihood of safe behavior. Moreover, they provide participants with a better understanding of both the functionality of a personal firewall and the consequences of their actions.

Published In

SOUPS '11: Proceedings of the Seventh Symposium on Usable Privacy and Security
July 2011
253 pages
ISBN:9781450309110
DOI:10.1145/2078827

Sponsors

  • Carnegie Mellon CyLab

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. mental model
  2. personal firewall
  3. physical security metaphor
  4. usable security
  5. warning

Qualifiers

  • Research-article

Conference

SOUPS '11
SOUPS '11: Symposium On Usable Privacy and Security
July 20 - 22, 2011
Pennsylvania, Pittsburgh

Acceptance Rates

Overall Acceptance Rate 15 of 49 submissions, 31%

Article Metrics

  • Downloads (Last 12 months): 29
  • Downloads (Last 6 weeks): 4
Reflects downloads up to 22 Nov 2024

Cited By

  • (2024) Folk Models of Loot Boxes in Video Games. Proceedings of the ACM on Human-Computer Interaction 8:CHI PLAY (1-23). DOI: 10.1145/3677072. Online publication date: 15-Oct-2024
  • (2024) Navigating User-System Gaps: Understanding User-Interactions in User-Centric Context-Aware Systems for Digital Well-being Intervention. Proceedings of the 2024 CHI Conference on Human Factors in Computing Systems (1-15). DOI: 10.1145/3613904.3641979. Online publication date: 11-May-2024
  • (2024) Overview of Usable Privacy Research: Major Themes and Research Directions. The Curious Case of Usable Privacy (43-102). DOI: 10.1007/978-3-031-54158-2_3. Online publication date: 20-Mar-2024
  • (2023) Padlock, the Universal Security Symbol? - Exploring Symbols and Metaphors for Privacy and Security. Proceedings of the 22nd International Conference on Mobile and Ubiquitous Multimedia (10-24). DOI: 10.1145/3626705.3627770. Online publication date: 3-Dec-2023
  • (2023) Metaphors in Voice User Interfaces: A Slippery Fish. ACM Transactions on Computer-Human Interaction 30:6 (1-37). DOI: 10.1145/3609326. Online publication date: 25-Sep-2023
  • (2023) Can Password Meter be More Effective Towards User Attention, Engagement, and Attachment?: A Study of Metaphor-based Designs. Companion Publication of the 2023 Conference on Computer Supported Cooperative Work and Social Computing (164-171). DOI: 10.1145/3584931.3606983. Online publication date: 14-Oct-2023
  • (2022) Dynamic Warnings. International Journal of Information Security and Privacy 16:1 (1-28). DOI: 10.4018/IJISP.303662. Online publication date: 13-Jul-2022
  • (2022) Metaphor identification in cybersecurity texts: a lightweight linguistic approach. SN Applied Sciences 4:2. DOI: 10.1007/s42452-022-04939-8. Online publication date: 28-Jan-2022
  • (2022) A Quantitative Field Study of a Persuasive Security Technology in the Wild. Social Informatics (211-232). DOI: 10.1007/978-3-031-19097-1_13. Online publication date: 12-Oct-2022
  • (2021) Harnessing the Challenges and Solutions to Improve Security Warnings: A Review. Sensors 21:21 (7313). DOI: 10.3390/s21217313. Online publication date: 3-Nov-2021
