CMU Usable Privacy and Security Laboratory
http://cups.cs.cmu.edu/
Your attention please:
Designing security-decision UIs ...
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
22
Motivation
 We (technologists) have habituated ...
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
33
Research question
How can we get people to pay a...
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
44
Baseline dialog
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
55
Thesis
It is possible to improve attention to sa...
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
66
Animated Connector (AC)
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
77
Reveal
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
88
Swipe
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
99
Type
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
1010
ANSI
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
1111
11
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
1212
12
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
1313
13
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
1414
14
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
1515
15
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
1616
16
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
1717
17
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
1818
18
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
1919
19
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
2020
20
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
2121
21
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
2222
22
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
2323
23
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
2424
24
Benign condition:
“Microsoft Corporation”
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
2525
25
Suspicious condition:
“Miicr0s0ft Corporati...
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
2626
Experimental design
“Give us your opinion
abou...
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
2727
Experimental design
 For each treatment (attr...
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
2828
Metric and Hypothesis
 Metric: Installation R...
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
2929
Results
N=2,227 participants, 28.6 years old (...
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
3030
Experiment 2 with permission-granting dialog
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
3131
What happens when users become
habituated to o...
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
3232
Experiment 3: habituation
 Research question:...
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
3333
33
Those who perform well may be rewarded with...
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
3434
34
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
3535
35
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
3636
36
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
3737
37
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
3838
38
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
3939
39
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
4040
40
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
4141
Experimental design: Phases
 Habituation phas...
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
4242
Experimental conditions
 Fixed time: 2.5 minu...
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
4343
Immediate detection rate after 2.5 min/22
repe...
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
4444
Median delay time imposed by attractors
2.5 mi...
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
4545
Conclusions
 Inhibitive attractors:
• Are eff...
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
4646
CMU Usable Privacy and Security
Laboratory
htt...
Upcoming SlideShare
Loading in...5
×

Your attention please: designing security-decision UIs to make genuine risks harder to ignore

168

Published on

Presented at SOUPS 2013, at Newcastle, UK.

We designed and tested attractors for computer security dialogs: user-interface modifications used to draw users’ attention to the most important information for making decisions. Some of these modifications were purely visual, while others temporarily inhibited potentially-dangerous behaviors to redirect users’ attention to salient information. We conducted three between-subjects experiments to test the effectiveness of the attractors. In the first two experiments, we sent participants to perform a task on what appeared to be a third-party site that required installation of a browser plugin. We presented them with what appeared to be an installation dialog from their operating system. Participants who saw dialogs that employed inhibitive attractors were significantly less likely than those in the control group to ignore clues that installing this software might be harmful.

In the third experiment, we attempted to habituate participants to dialogs that they knew were part of the experiment. We used attractors to highlight a field that was of no value during habituation trials and contained critical information after the habituation period. Participants exposed to inhibitive attractors were two to three times more likely to make an informed decision than those in the control condition.

Get this paper at http://cups.cs.cmu.edu/soups/2013/program.html.

Published in: Technology, News & Politics
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
168
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
4
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Your attention please: designing security-decision UIs to make genuine risks harder to ignore

  1. 1. CMU Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ Your attention please: Designing security-decision UIs to make genuine risks harder to ignore Cristian Bravo-Lillo, Lorrie Cranor, Julie Downs, Saranga Komanduri, Robert W. Reeder, Stuart Schechter, Manya Sleeper SOUPS 2013, July 25, Newcastle, UK
  2. 2. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 22 Motivation  We (technologists) have habituated users to ignore security warnings/decisions by flooding them with too many  Many security dialogs are impossible to understand  Not all security dialogs can be eliminated
  3. 3. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 33 Research question How can we get people to pay attention to the salient information in security decisions that really matter?
  4. 4. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 44 Baseline dialog
  5. 5. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 55 Thesis It is possible to improve attention to salient information, even under habituation
  6. 6. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 66 Animated Connector (AC)
  7. 7. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 77 Reveal
  8. 8. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 88 Swipe
  9. 9. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 99 Type
  10. 10. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 1010 ANSI
  11. 11. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 1111 11
  12. 12. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 1212 12
  13. 13. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 1313 13
  14. 14. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 1414 14
  15. 15. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 1515 15
  16. 16. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 1616 16
  17. 17. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 1717 17
  18. 18. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 1818 18
  19. 19. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 1919 19
  20. 20. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 2020 20
  21. 21. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 2121 21
  22. 22. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 2222 22
  23. 23. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 2323 23
  24. 24. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 2424 24 Benign condition: “Microsoft Corporation”
  25. 25. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 2525 25 Suspicious condition: “Miicr0s0ft Corporation”
  26. 26. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 2626 Experimental design “Give us your opinion about online games” Exit survey
  27. 27. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 2727 Experimental design  For each treatment (attractor), we ran two conditions: benign and suspicious  Each subject saw only one warning  Each subject either installed or not
  28. 28. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 2828 Metric and Hypothesis  Metric: Installation Rate • Benign condition most people will install→ • Suspicious condition most people will not install→  Hypothesis: • An attractor will increase the difference in installation rate between the benign condition and the suspicious condition
  29. 29. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 2929 Results N=2,227 participants, 28.6 years old (σ=9.3), 54% male, 75% caucasian. Top two reported occupations: ‘student’ (27%), ‘unemployed’ (17%). 23% reported having knowledge of computer programming. Benign install rate Suspicious install rate (lower is better)
  30. 30. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 3030 Experiment 2 with permission-granting dialog
  31. 31. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 3131 What happens when users become habituated to our attractors?
  32. 32. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 3232 Experiment 3: habituation  Research question: are attractors resilient to repeated exposure to dialogs?  Idea: • Show a dialog repeatedly to participants with field X • Ask to click on “Yes” for 5 minutes • Change the field X to Y in the middle • Check if participants notice the change
  33. 33. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 3333 33 Those who perform well may be rewarded with opportunities to finish the study early while still receiving their full payment.
  34. 34. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 3434 34
  35. 35. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 3535 35
  36. 36. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 3636 36
  37. 37. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 3737 37
  38. 38. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 3838 38
  39. 39. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 3939 39
  40. 40. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 4040 40
  41. 41. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 4141 Experimental design: Phases  Habituation phase: “You have dismissed N dialogs”  Test dialogs: “Press the No option below to finish this study early”
  42. 42. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 4242 Experimental conditions  Fixed time: 2.5 minutes  Fixed exposures: 22 times Condition Fixed time Fixed exposures Control   ANSI   AC+Delay  AC+Reveal  AC+Swipe  Swipe  Type 
  43. 43. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 4343 Immediate detection rate after 2.5 min/22 repetitions N=872 participants, 30.8 years old (σ=11.7), 60% male, 77% caucasian 2.5 minutes 22 repetitions
  44. 44. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 4444 Median delay time imposed by attractors 2.5 minutes 22 repetitions
  45. 45. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 4545 Conclusions  Inhibitive attractors: • Are effective at driving users' attention to dialogs • Are resilient to heavy, repeated exposure  Recent progress: • Study performance of attractors under different levels of habituation.
  46. 46. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 4646 CMU Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×