DOI: 10.1145/1866898.1866907
research-article

It's too complicated, so I turned it off!: expectations, perceptions, and misconceptions of personal firewalls

Published: 04 October 2010

Abstract

Even though personal firewalls are an important aspect of security for the users of personal computers, little attention has been given to their usability. We conducted semi-structured interviews with a diverse set of participants to gain an understanding of their knowledge, requirements, perceptions, and misconceptions of personal firewalls. Through a qualitative analysis of the data, we found that most of our participants were not aware of the functionality of personal firewalls and their role in protecting computers. Most of our participants required different levels of protection from their personal firewalls in different contexts. The most important factors that affect their requirements are their activity, the network settings, and the people in the network. The requirements and preferences for their interaction with a personal firewall varied based on their levels of security knowledge and expertise. We discuss implications of our results for the design of personal firewalls. We recommend integrating the personal firewall with other security applications, adjusting its behavior based on users' levels of security knowledge, and providing different levels of protection based on context. We also provide implications for automating personal firewall decisions and designing better warnings and notices.

        Published In

        SafeConfig '10: Proceedings of the 3rd ACM workshop on Assurable and usable security configuration
        October 2010
        98 pages
        ISBN:9781450300933
        DOI:10.1145/1866898

        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Author Tags

        1. personal firewall
        2. usable security

        Conference

        CCS '10

        Acceptance Rates

        Overall Acceptance Rate 22 of 61 submissions, 36%

        Cited By

        • (2023) Implementation method of non-bypassable PC application firewalls using virtualization technologies. 2023 IEEE International Conference on High Performance Computing & Communications, Data Science & Systems, Smart City & Dependability in Sensor, Cloud & Big Data Systems & Application (HPCC/DSS/SmartCity/DependSys), 435-442. DOI: 10.1109/HPCC-DSS-SmartCity-DependSys60770.2023.00066. Online publication date: 17-Dec-2023.
        • (2023) Forensic experts' view of forensic‐ready software systems: A qualitative study. Journal of Software: Evolution and Process. DOI: 10.1002/smr.2598. Online publication date: 12-Jul-2023.
        • (2022) Comparing user perceptions of anti-stalkerware apps with the technical reality. Proceedings of the Eighteenth USENIX Conference on Usable Privacy and Security, 135-154. DOI: 10.5555/3563609.3563617. Online publication date: 8-Aug-2022.
        • (2022) The boundedly rational employee. Journal of Computer Security 30:3, 435-464. DOI: 10.3233/JCS-210046. Online publication date: 1-Jan-2022.
        • (2021) Replication. Proceedings of the Seventeenth USENIX Conference on Usable Privacy and Security, 119-138. DOI: 10.5555/3563572.3563579. Online publication date: 9-Aug-2021.
        • (2021) You’ve Left Me No Choices: Security Economics to Inform Behaviour Intervention Support in Organizations. Socio-Technical Aspects in Security and Trust, 66-86. DOI: 10.1007/978-3-030-55958-8_4. Online publication date: 10-May-2021.
        • (2019) Using Context and Provenance to defend against USB-borne attacks. Proceedings of the 14th International Conference on Availability, Reliability and Security, 1-9. DOI: 10.1145/3339252.3339268. Online publication date: 26-Aug-2019.
        • (2019) A Field Study of Computer-Security Perceptions Using Anti-Virus Customer-Support Chats. Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems, 1-12. DOI: 10.1145/3290605.3300308. Online publication date: 2-May-2019.
        • (2018) Game theoretical analysis of usable security and privacy. SECURITY AND PRIVACY 4:5. DOI: 10.1002/spy2.55. Online publication date: 14-Dec-2018.
        • (2017) Systematic Literature Review on Usability of Firewall Configuration. ACM Computing Surveys 50:6, 1-35. DOI: 10.1145/3130876. Online publication date: 6-Dec-2017.
