Appraisal on User’s Comprehension in Security Warning Dialogs: Browsers Usability Perspective

  • Christine Lim Xin Yi
  • Zarul Fitri Zaaba (email author)
  • Mohamad Amar Irsyad Mohd Aminuddin
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 1132)

Abstract

End-users encounter security warnings on a daily basis in different web browsers. Effective security warnings are critical to providing a secure environment that protects end-users against attack. However, users always encounter problems and challenges when they meet security warnings because of the poor warning dialogue interface. The elements used in the warning interface are important in supporting users to make an effective decision. A poor warning design will lead a user to become a fraud victim. Hence, there is a need to design an effective warning dialogue by providing useful security features. The efficacy of a security warning depends on the interface of the security feature, but it is also highly dependent on the user’s perception and understanding. This paper investigates further the end-user’s experience whilst encountering security warnings (i.e. in the Chrome browser context). An exploratory interview study with 65 participants was conducted to gather in-depth information about the perceptiveness of users towards current security warnings in three different scenarios. The results show that elements such as the icon, colour and wording used in the warning can impact the efficacy of the warning. All the user feedback indicated that there is still room for improvement in the current security warning.

Keywords

Security warning; Browser security; Warning dialogue; Usability; Usable security


Copyright information

© Springer Nature Singapore Pte Ltd. 2020

Authors and Affiliations

  • Christine Lim Xin Yi (1)
  • Zarul Fitri Zaaba (1), email author
  • Mohamad Amar Irsyad Mohd Aminuddin (1)
  1. School of Computer Sciences, Universiti Sains Malaysia, Minden, Malaysia
