Participatory Design for Security-Related User Interfaces

In this short paper, we explore the advantages of using Participatory Design (PD) to improve security-related user interfaces. We describe a PD method that we applied to actively involve users in creating new SSL warning messages. Supported by a designer, participants tapped into their experiences with existing warnings and created improved dialogs in workshop sessions. The process resulted in a set of diverse new warnings, showing multiple directions that the design of this warning can take. Applying PD lets participants engage more with the subject matter and thus create nuanced designs. Overall, our exploration suggests that PD can provide a suitable, versatile, and simple set of methods that support the creation of design ideas for security-related user interfaces. Users are empowered to critically appraise and adapt security measures that they come into contact with in their everyday life on their own.

In the past decade, it has been commonly accepted that IT security measures for end-users need to be designed in a way that users can understand and apply them without unwarranted effort. However, improvements of user interface design for security measures described in previous research were often achieved by experts making educated guesses, based on experiences with users and the results of user studies. This form of design process has limitations, as it is dependent on both the quality of the collected data and experiences as well as the ingenuity of the designer. In this short paper, we propose to take the generation of design ideas one step further by directly integrating end users into the design process of security measures, instead of only benefiting from their experiences indirectly. Through such a deeper involvement of the target audience, the quality of the gathered insights can be improved and even the smallest aspects of a security system can be more easily addressed, compared to iteratively eliciting opinions through formal studies and usability evaluations. This approach is known as Participatory Design (PD) in other HCI
