To Download or Not to Download: An Examination of Computer Security Decision Making Jefferson B. Hardee | North Carolina State University |
[email protected] Ryan West | SAS Institute |
[email protected] Christopher B. Mayhorn | North Carolina State University |
[email protected]
Imagine you are in the middle of studying
usability of security mechanisms over the
for tomorrow’s test when your antivirus
past few years. Some authors suggest
software prompts you with a message
that regardless of how good security
indicating new virus definitions are avail-
technology is, it is the “people problem”
able. Would you update the antivirus
that must be overcome for successful
software now or later or not at all?
security [4]. Previous studies have shown
Imagine now that you’re browsing
that security mechanisms for encryption,
online and you receive an instant message
authorization, and authentication are dif-
(IM) with a friendly greeting and a Web
ficult for users to understand or use.
page link from one of your IM buddies.
Most of the attention in this work has
She asks that you follow the link to see an
been on the interaction between the user
amusing picture. You’re not busy at the
and the system.
moment but would you click on the link? These vignettes illustrate the kinds of computer-security situations that people encounter on a daily basis. They are often mundane, seemingly small decisions that hide the potential for a security incident. While new authentication mechanisms can replace passwords to offer more secure and user-friendly security, any computer security situation that involves an action or decision from the user is open to risk. Therefore, understanding how users perceive and make security decisions is
SPECIAL SECTION HCI & SECURITY
fundamental to designing security features that users will use and use well.
PUTTING THE “HUMAN” BACK INTO THE HUMAN-COMPUTER SECURITY INTERACTION There have been fewer articles that focus entirely on the human side of the usersecurity interaction of late. Schultz, Proctor, Lien, and Salvendy [5] offer a taxonomy of human error in user-security interaction. In addition, several authors have explored perceived risks and safety behaviors in online shopping as they relate to Internet usage and various demographic variables [2]. Most of this work focuses on general perceptions or behaviors rather than specific security
USABILITY OF SECURITY MECHANISMS
decisions and how they are made. Thus,
There has been a growing focus on the
research that bridges the gap between
there is a critical need for empirical security decision making and the factors that influence likely action. Thus, to complement much of the existing research in the area of computer security, the present study was designed to focus on the “human problem” by
: / 32
i n t e r a c t i o n s
/
m a y
+
j u n e
2 0 0 6
experimentally manipulating a number of
was constructed such that 12 scenarios
factors that might influence computer
were within the computer domain and
security decisions. A series of decision-
12 were composed of non-computer-
making scenarios were designed to sys-
related decisions. In addition, the scenar-
tematically vary by decision domain, risk,
ios were equally divided within those two
and gain-to-loss ratio in an effort to
categories as being high or low risk. Risk
determine how computer users might
was defined as the likelihood of suffering
respond to potential security decisions.
harm or loss; thus high-risk scenarios
One question that motivates this research
were associated with a greater probabili-
is whether users differ when they make
ty of harm or loss. Conversely, low-risk
computer versus non-computer deci-
scenarios contained a minimal probability
sions. For this reason, the current study
of harm or loss. Finally, scenarios were
included both decision domains for the
equally divided to represent the three
purpose of contrasting computer-based
gain-to-loss ratios where some scenarios
decisions with the baseline of non-com-
contained more gains than losses and
puter decision making. Thus, if no differ-
others contained more losses than gains,
ences arise, the large behavioral literature
or equal gains and losses. Two scenarios
on non-computer decision making can
were developed to represent each of the
be used to inform security practitioners
six risk and gain-to-loss ratio combina-
about potential user behavior. Armed
tions for a total of 12 computer and 12
with this knowledge, practitioners may
non-computer scenarios.
be able to develop more usable security
DECISION MAKING AND TECHNOLOGY USAGE
software mechanisms.
A TEST OF DECISION MAKING WITHIN COMPUTER AND NONCOMPUTER DOMAINS
The study used performance on a sce-
Fifty-six students enrolled at a public uni-
ratio might affect decision-making within
versity volunteered to participate in a
the domains of computing and non-
study that used a 2x2x3 repeated meas-
computing security decisions. Each sce-
ures factorial design. The variables
nario presented a problem, and each par-
manipulated were decision domain
ticipant was asked to choose between
(computer vs. non-computer), risk (high
two decision-making options. For exam-
vs. low), and gain-to-loss ratio (high
ple, should one open an unfamiliar email
gains/low losses, equal gains/losses, low
attachment from an unfamiliar sender or
gains/high losses). A decision-making
delete the email? Following this ques-
task composed of 24 decision scenarios
tion, participants were asked to assume
nario-based decision task to draw conclusions about how risk and gain-to-loss
i n t e r a c t i o n s
/
m a y
+
j u n e
2 0 0 6
: / 33
Overall Gains Time/Convenience Protecting Information Protecting Money/Property Social/Emotional Protecting Self or Others Other
# 66 293 397 42 48 5
Comments 7.8% 34.4% 46.7% 4.9% 5.6% 0.6%
Losses Time/Inconvenience Money/Property Loss Social/Emotional Unsatisfied Need Information loss Other
# 303 111 54 65 58 9
Comments 50.5% 18.5% 9.0% 10.8% 9.7% 1.5%
# 41 232 162 9 0 3
Comments 9.2% 51.9% 36.2% 2.0% 0.0% 6.0%
Losses Time/Inconvenience Money/Property Loss Social/Emotional Unsatisfied Need Information loss Other
# 146 37 34 50 49 3
Comments 45.8% 11.6% 10.7% 15.7% 15.4% 0.9%
# 25
Comments 6.2%
Losses Time/Inconvenience
# 157
Comments 55.9%
61 235 33 48 2
15.1% 58.2% 8.2% 11.9% 0.5%
74 20 15 9 6
26.3% 7.1% 5.3% 3.2% 2.1%
Computer Decisions Gains Time/Convenience Protecting Information Protecting Money/Property Social/Emotional Protecting Self or Others Other Non-Computer Decisions Gains Time/Convenience Protecting Information Protecting Money/Property Social/Emotional Protecting Self or Others Other
Money/Property Loss Social/Emotional Unsatisfied Need Information loss Other
Table 1: Coding Scheme and Descriptive Data for Qualitative Comments
that they had made the more conserva-
SPECIAL SECTION HCI & SECURITY
: / 34
ing the decision task.
tive of the two decisions. Under this
To determine how participants
assumption, they were asked to make
assessed the relationship between gains
comments about the gains and losses of
and losses, their comments associated
the decision.
with the most conservative decision
A survey was constructed to assess the
option were examined. Table 1 reflects
participant’s behavior, knowledge, or
the coding scheme that was developed
experience with respect to certain
to categorize how participants conceptu-
domains (available from the first author
alized gains and losses overall, then with-
upon request). Analyses revealed that all
in the computer and non-computer deci-
participants were relatively frequent users
sion domains. Two independent raters
of technology and that they had ade-
used the coding scheme to evaluate each
quate experience to make informed deci-
of the 1,451 open-ended responses
sions on the scenario-based decision task.
given by the participants and inter-rater reliability was 94.8 percent.
FINDINGS
Overall, participants made 851 com-
While performance on the quantitative
ments to describe general gains and 600
decision-making task and the survey data
comments to describe general losses. As
is described elsewhere [1], this article
reflected in Table 1, the most frequent
focuses on participants’ qualitative com-
gains cited included protecting money
ments to determine what variables were
and property (46.6 percent) followed by
considered as either gains or losses dur-
protecting information (34.4 percent). By
i n t e r a c t i o n s
/
m a y
+
j u n e
2 0 0 6
contrast, the most frequent perceived
participant descriptions of loss associated
losses included inconvenience associated
with conservative actions. Consistent
with lost time (50.5 percent) and money/
with the overall and non-computer deci-
property loss (18.5 percent).
sions, the most frequent gains for com-
When responses were divided by deci-
puter decisions were protecting personal
sion domain, a slightly different pattern
information (51.9 percent) and protect-
of gain/loss responses emerged between
ing money and property (36.2 percent).
non-computer and computer decisions.
For the losses, however, participants
For the non-computer decisions, the
seemed to focus on personal inconven-
most frequent gains included protecting
iences due to loss of time (45.7 percent),
money/property (58.1 percent) and per-
unsatisfied needs such as loss of service
sonal information (15.0 percent), where-
(15.6 percent), and information loss
as losses included inconvenience (55.8
(15.3 percent) but seemed relatively
percent) and money/property loss (26.35
unaware
percent). Thus, the conceptualization of
money/property loss (11.6 percent).
of
the
potential
for
the gains and losses within the non-com-
Collectively, the results from the cur-
puter decisions was consistent with the
rent experiment illustrate that people are
overall gains and losses described above.
sensitive to a number of decision factors
When these same gain/loss categories
such as risk, gain-to-loss ratio, and deci-
were examined for the computer deci-
sion domain when making security deci-
sions, differences between decision
sions. Given the quantitative findings
domains were most striking within the
reported elsewhere in Hardee et al. [1],
i n t e r a c t i o n s
/
m a y
+
j u n e
2 0 0 6
: / 35
the most conservative decisions occurred
ers will be limited to factors that can eas-
when it was apparent that risk was high.
ily be manipulated to improve the likeli-
Moreover, participants’ perceptions of
hood that users will make secure deci-
the gain-to-loss ratio was important in
sions by altering the wording or decision
driving the decision process such that
frame of their product.
more conservative decisions occurred
• Explicit text should be used to identify
when losses were perceived as being
the highly risky nature of the decision
greater or equal to gains. Also, there was
and the consequences of the outcome.
no difference between computer and non-computer decisions when risk and gain-to-loss ratio were held constant. Perception of risk greatly impacted com-
• Efforts to highlight the greater potential for losses should be made. • To facilitate conservative decision making, the severity of the loss and
puter decisions. The current results are informative
the likelihood of the incident should
because they supplement the results of
be made available simultaneously to
Hardee et al. by revealing that partici-
the user.
pants consistently conceptualized the
• In computer-security tasks, users need
nature of gains across decision domains
to be reminded of the potential to
in terms of protecting information,
lose money and property.
money, and property; however, concep-
• Emphasize potential losses and
tualization of loss information varied by
directly contrast these with an esti-
decision domain. While non-computer
mate of time investment to mitigate
decision losses were described in terms
user’s perceptions of time loss as an
of inconvenience and money/property
inconvenience.
loss, losses within the computer domain appeared to focus more on personal inconvenience such that decision-makers were relatively unaware of risks to money
APPLYING THE RECOMMENDATIONS TO SECURITY WARNINGS These recommendations might prove
and property loss.
useful in developing more effective secu-
SPECIAL SECTION HCI & SECURITY
: / 36
SOFTWARE DESIGN RECOMMENDATIONS
rity software by honing the attributes of
Drawing on the present results and past
main purpose of warnings is to decrease
research [1], a number of general recom-
harm from hazards to people and prop-
mendations can be made to assist securi-
erty. Because technology-based warning-
ty software designers in making their
delivery systems have received attention
warning messages received by users. The
products more usable. Given the nature
as a possible outlet for improving safety
of the text-based scenarios developed for
in a number of domains [6], the applica-
this study, recommendations for design-
tion of this knowledge to security warn-
i n t e r a c t i o n s
/
m a y
+
j u n e
2 0 0 6
ings seems to be a natural extension of
usability should improve. Much work
previous work in the area of risk commu-
remains, however. Empirical investiga-
nication. Given the recommendations for
tions into the effectiveness of the new
altering the wording of computer securi-
security warning messages based on the
ABOUT THE
ty warnings listed above, the following
design recommendations described
AUTHORS
examples might be easily implemented to
above are essential to assisting security
resolve the security dilemmas represent-
practitioners to design usable software to
ed by the opening vignettes that illustrat-
protect online safety. Moreover, future
ed everyday computer decision making.
research in this area might focus on
Psychology program at North
For the vignette that described an inter-
whether user characteristics such as per-
Carolina State University in
action with antivirus updating, a warning
sonal computing experience or situation-
message that simply alerts the user to the
al factors such as stress and time pressure
presence of an update may not be effec-
influence the likelihood of making con-
tive. A more effective warning might
servative computer security decisions.
Jefferson B. Hardee is a graduate student pursuing his MS in the Ergonomics/Experimental
Raleigh, North Carolina. He received his BS in computer science from North Carolina State University in 2003.
explicitly describe the potential for loss (e.g., a tangible financial figure for the cost of one’s computer system) should a virus be contracted and contrast this with an estimate of time investment necessary to update the software. For the vignette that described a potentially harmful Web-page link nested within an instant message, a warning message that pops up to inform the user of the likelihood of virus transmission via this mode of communication might be more effective than the minimal warnings that users currently receive.
CONCLUSIONS Combining the evaluation approach
REFERENCES 1. Hardee, J. B., Mayhorn, C. B., & West, R. T. (submitted). You downloaded WHAT?: Computer-based security decisions. 50th Annual Meeting of the Human Factors and Ergonomics Society. Santa Monica, CA: HFES. 2. Milne, G. R., Rohm, A. J., & Bahl, S. (2004). Consumers’ protection of online privacy and identity. The Journal of Consumer Affairs, 38(2), 217-232. 3. Miyazaki, A. D., & Fernandez, A. (2001). Consumer perceptions of privacy and security risks for online shopping. The Journal of Consumer Affairs, 35(1), 27-44. 4. Schneier, B. (2000). Secrets and Lies: Digital Security in a Networked World. New York: Wiley & Sons. 5. Schultz, E. E., Proctor, R. W., Lien, M. C., & Salvendy, G. (2001). Usability and security: An appraisal of security issues in information security methods. Computers and Security, 20 (7), 620-634. 6. Wogalter, M. S., & Mayhorn, C. B. (2005). Providing cognitive support with technology-based warning systems. Ergonomics, 48(5), 522-533.
Ryan T. West is a user experience researcher who has studied enterprise-class systems administration at Microsoft and now SAS Institute. Ryan has a PhD in cognitive psychology from the University of Florida.
Christopher B. Mayhorn is an assistant professor in the Ergonomics/Experimental
© ACM 1072-5220/06/0500 $5.00
Psychology Program at North
described in this article with potential
Carolina State University in
alterations of security warnings should
Raleigh, North Carolina. He
allow designers to improve security sys-
received his PhD in cognitive/
tems. By supplementing preexisting
experimental psychology from the
knowledge from the literature with sug-
University of Georgia in 1999.
gestions from the people who are actually using these security programs, the likelihood of successful application and
i n t e r a c t i o n s
/
m a y
+
j u n e
2 0 0 6
: / 37