Communications of the ACM


Designing Effective Security Warnings

Carnegie Mellon Associate Professor Jason Hong

Following up on my last post on security education, the other PhD dissertation committee I served on last week was for Serge Egelman. Serge has been exploring another fascinating topic in usable privacy and security, namely, how do we create effective security warnings?

Serge started out his talk by showing a bunch of security warnings that didn't work. I think we can all relate to those annoying dialog boxes that are incomprehensible and we just swat away.

Serge incorporated some work from human factors on how people process warnings, specifically the Communication-Human Information Processing (C-HIP) model. Roughly, imagine a pipeline that models whether a person sees a warning, can understand it, believes it, and is motivated to act on it; a warning fails if any stage of that pipeline breaks down. Serge used C-HIP to analyze the results of several user studies and proposed some design patterns for designing better warnings.

One of his studies looked at the effectiveness of anti-phishing warnings in modern web browsers (PDF). The surprising result here is that users who used Mozilla Firefox all heeded the security warning, but about half the users who saw the warning in Microsoft's Internet Explorer ignored it and went on to be phished (not really phished, just phished in the context of our study). Fortunately, Serge also did an internship at Microsoft last year and helped design the interface for IE's new anti-phishing warnings.

I think Serge's most lasting contribution, however, will be the design patterns he is creating for helping people build better security warnings. Serge is polishing his patterns even as I write, so I can't link to them yet, but I think these design patterns will bridge the gap between research and practice, a gap that is oftentimes far too wide. His patterns address the various stages of the C-HIP model, proposing better ways of helping people see and notice warnings, understand warnings, believe the warnings, be motivated to act, and actually act on those warnings.
