Security Warning Life Cycle: Challenges and Panacea
Keywords: Security, Security Dialogues, Security Warning, Usability, Usable Security

Abstract: Security warnings are an important aspect of computer security. A security warning is a message conveyed to inform the user of the risk of allowing an application to run on the computer system. Security warnings play an important role in notifying, warning and advising the user about the potential result of an action beforehand. However, security warnings are often ignored for various reasons, such as the poor design of the warnings and the use of too many technical terms in them. This research highlights insights into the discovery of the problems and difficulties encountered by users, approaches to improving security warnings, and the future direction of the security warning improvement process. We propose to utilise a hybrid approach of iterative design and mental models in the effort to enhance the current implementation of security warnings. Iterative design is a cyclic design process in which prototyping, testing and refining are done repeatedly. A mental model is a person's psychological representation of how they perceive and understand something. It is expected that this paper will help researchers to comprehend the approaches and challenges involved in improving security warnings.
TRANSFER OF COPYRIGHT AGREEMENT
The manuscript is herewith submitted for publication in the Journal of Telecommunication, Electronic and Computer Engineering (JTEC). It has not been published before, and it is not under consideration for publication in any other journals. It contains no material that is scandalous, obscene, libelous or otherwise contrary to law. When the manuscript is accepted for publication, I, as the author, hereby agree to transfer to JTEC, all rights including those pertaining to electronic forms and transmissions, under existing copyright laws, except for the following, which the author(s) specifically retain(s):
- All proprietary right other than copyright, such as patent rights
- The right to make further copies of all or part of the published article for my use in classroom teaching
- The right to reuse all or part of this manuscript in a compilation of my own works or in a textbook of which I am the author; and
- The right to make copies of the published work for internal distribution within the institution that employs me
I agree that copies made under these circumstances will continue to carry the copyright notice that appears in the original published work. I agree to inform my co-authors, if any, of the above terms. I certify that I have obtained written permission for the use of text, tables, and/or illustrations from any copyrighted source(s), and I agree to supply such written permission(s) to JTEC upon request.