Bridging the Gap in Computer Security Warnings: A Mental Model Approach

@article{BravoLillo2011BridgingTG,
  title={Bridging the Gap in Computer Security Warnings: A Mental Model Approach},
  author={Cristian Bravo-Lillo and Lorrie Faith Cranor and Julie S. Downs and Saranga Komanduri},
  journal={IEEE Security \& Privacy},
  year={2011},
  volume={9},
  pages={18-26}
}
Computer security warnings are intended to protect users and their computers. However, research suggests that these warnings might be largely ineffective because they're frequently ignored. The authors describe a mental model interview study designed to gain insight into how advanced and novice computer users perceive and respond to computer warnings. Developers can leverage the approaches of advanced users to design more effective warnings for novice users. 

Improving Computer Security Dialogs
TLDR
In some cases the authors' redesigned warnings significantly increased participants' understanding and motivation to take the safest action; however, the study was not able to show that participants' responses differed between low-risk and high-risk conditions.
Security Warning Life Cycle: Challenges and Panacea
TLDR
This research highlights insights into the discovery of problems and difficulties encountered by the users, approaches in improving security warnings and future direction of the security warning improvement process.
Improving Mental Models of Computer Security Through Information Graphics
TLDR
Seven pieces of instructional materials are designed that help end-users learn about password guessing attacks and antivirus protection and show that information graphics led to superior learning outcomes and a better user experience than existing text-alone approaches.
That’s how I feel: A Study of User’s Security Mental Model
TLDR
To elicit and depict users’ security and usability mental models, crowd-sourcing techniques and a cognitive map method are utilized and an experiment to evaluate the findings using Amazon Mechanical Turk is performed.
"Should I Worry?" A Cross-Cultural Examination of Account Security Incident Response
TLDR
This work conducts a series of qualitative interviews with users who had recently experienced suspicious login incidents on their real Facebook accounts in order to explore this process of account security incident response, finding a common process across participants from five countries.
Habituation effects in computer security warning
TLDR
The main objective of this paper is to describe and summarize the related studies on users’ habituation to the security warnings to contribute to a more complete understanding of the habituation effects in security warnings.
Effectively Communicate Risks for Diverse Users: A Mental-Models Approach for Individualized Security Interventions
TLDR
A qualitative card-sorting study how lay and expert users assess risks connected to Web sites indicates the diversity of mental models, both between the two groups and between individuals, particularly related to their preferences.
