It's too complicated, so I turned it off!: expectations, perceptions, and misconceptions of personal firewalls

Even though personal firewalls are an important aspect of security for the users of personal computers, little attention has been given to their usability. We conducted semi-structured interviews with a diverse set of participants to gain an understanding of their knowledge, requirements, perceptions, and misconceptions of personal firewalls. Through a qualitative analysis of the data, we found that most of our participants were not aware of the functionality of personal firewalls and their role in protecting computers. Most of our participants required different levels of protection from their personal firewalls in different contexts. The most important factors that affect their requirements are their activity, the network settings, and the people in the network. The requirements and preferences for their interaction with a personal firewall varied based on their levels of security knowledge and expertise. We discuss implications of our results for the design of personal firewalls. We recommend integrating the personal firewall with other security applications, adjusting its behavior based on users' levels of security knowledge, and providing different levels of protection based on context. We also provide implications for automating personal firewall decisions and designing better warnings and notices.
