A brick wall, a locked door, and a bandit: a physical security metaphor for firewall warnings

We used an iterative process to design firewall warnings in which the functionality of a personal firewall is visualized based on a physical security metaphor. We performed a study to determine the degree to which our proposed warnings are understandable for users, and the degree to which they convey the risks and encourage safe behavior as compared to text warnings based on those from a popular personal firewall. The evaluation results show that our warnings facilitate the comprehension of warning information, better communicate the risk, and increase the likelihood of safe behavior. Moreover, they provide participants with a better understanding of both the functionality of a personal firewall and the consequences of their actions.
