There is evidence that the communication of security risks to home computer users has been unsuccessful. Prior research has found that users do not heed risk communications, that they do not read security warning texts, and that they ignore them. Risk communication should convey the basic facts relevant to the warning recipient’s decision. In the warning science literature, one successful technique for characterizing and designing risk communication is the mental models approach, a decision-analytic framework. With this approach, the design of risk communication is based on the recipients’ mental model(s). The goal of the framework is to help people make decisions by providing risk communication that improves the recipients’ mental models in one of three ways: (1) adding missing knowledge, (2) restructuring the person’s knowledge when it is inappropriately focused (i.e., too general or too narrow), and (3) removing misconceptions.
The mental models approach has been successfully applied in such areas as medical and environmental risk communications, but not in computer security. Risk communications in computer security have been based on experts’ mental models, which are not good models for typical users. An expert’s mental model of security is different from that of a non-expert. This difference could lead to ineffective risk communications to non-experts. Similarly, Asgharpour et al. (2007) proposed that risk communication methods such as security warnings should be designed based on non-expert mental models and metaphors from the real world, emphasizing that:
“the purpose of risk communication is not conveying the perfect truth, but rather prompting the users to take an appropriate action to defend their system against a certain threat. While mitigation of a risk requires knowledge of the general nature of the risk, efficacy of the risk communication requires communication that is aligned with the mental model of the target group.”
While employing a mental models approach has previously been proposed for computer security warnings, it had not been evaluated. The goal of the research led by my Masters student Fahimeh Raja was to do exactly this. The work was recently presented at SOUPS.
In this paper, we present our iterative design of a firewall warning using a physical security metaphor, and we present our study of the effectiveness of this approach. In the warnings, the functionality of a personal firewall is visualized through a physical security metaphor that builds on the original meaning of the word firewall: a fireproof wall that “separates the parts of a building most likely to have a fire from the rest of a structure”. The goals of our study were to determine the degree to which the warnings are understandable for our participants and the degree to which they convey the risks and encourage safe behavior. We used an open-ended test to evaluate the initial clarity of the warnings, and we used Likert-type scales, followed by an interview, to evaluate participants’ risk perceptions. We also used participants’ self-reported likelihood of choosing each action as a measure of their intention to perform that action.
We compared our warnings with warnings based on those from the Comodo personal firewall. The Comodo firewall is the most popular personal firewall, and is the top one in online reviews not only for its protection, but also for its “warning features that make it easy for novices to understand how to respond to those warnings”. Our results show that our proposed warnings facilitate comprehension of warning information.
They also better communicated the risk: with our warnings, participants had a better estimation of the level of hazard, the likelihood of damage or loss, and the severity of potential damage or loss. Participants could also better describe the potential consequences of their intended actions. More importantly, our warnings increased the likelihood of safe behavior in response to the warnings. These findings suggest that our use of a physical security metaphor in the warnings altered the participants’ mental model(s) of the functionality of a personal firewall as it relates to their security and risk. Our warnings were also preferred by the majority of participants.
See more details in the paper.