How to design browser security and privacy alerts

It is important to design browser security and privacy alerts so as to maximise their value to the end user, and their efficacy in terms of communicating risk. We derived a list of design guidelines from the research literature by carrying out a systematic review. We analysed the papers both quantitatively and qualitatively to arrive at a comprehensive set of guidelines. Our findings aim to provide designers and developers with guidance as to how to construct privacy and security alerts. We conclude by providing an alert template, highlighting its adherence to the derived guidelines.
