Improving Mental Models of Computer Security Through Information Graphics

Many users have difficulty making effective security decisions. Education is one way to improve users' mental models of computer security, but a common challenge is that users are not motivated to learn about security. We propose that a visual approach to education can improve comprehension of, and engagement with, security information. This thesis examines whether information graphics form an effective, memorable, and persuasive method of communication that increases users' understanding of computer security and improves their behaviour. Guided by visual-textual strategies developed in the education literature, we designed seven pieces of instructional material that help end-users learn about password guessing attacks and antivirus protection: five infographics and two interactive comics. Five one-week user studies with a total of 145 participants showed that the information graphics led to better learning outcomes and a better user experience than existing text-only approaches. Participants showed improved comprehension, retention, and behaviour after one week.
