CMU Usable Privacy and Security Laboratory
http://cups.cs.cmu.edu/
Your attention please:
Designing security-decision UIs to make
genuine risks harder to ignore
Cristian Bravo-Lillo, Lorrie Cranor, Julie Downs, Saranga Komanduri,
Robert W. Reeder, Stuart Schechter, Manya Sleeper
SOUPS 2013, July 25, Newcastle, UK
Motivation
• We (technologists) have habituated users to ignore security warnings/decisions by flooding them with too many
• Many security dialogs are impossible to understand
• Not all security dialogs can be eliminated
Research question
How can we get people to pay attention to the
salient information in security decisions that really
matter?
Baseline dialog
Thesis
It is possible to improve attention to salient
information, even under habituation
Animated Connector (AC)
Reveal
Swipe
Type
ANSI
Benign condition:
“Microsoft Corporation”
Suspicious condition:
“Miicr0s0ft Corporation”
Experimental design
“Give us your opinion about online games”
Exit survey
Experimental design
• For each treatment (attractor), we ran two conditions: benign and suspicious
• Each subject saw only one warning
• Each subject either installed or not
Metric and Hypothesis
• Metric: Installation Rate
  - Benign condition → most people will install
  - Suspicious condition → most people will not install
• Hypothesis:
  - An attractor will increase the difference in installation rate between the benign condition and the suspicious condition
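One way to compute this metric and test the hypothesis from per-participant records, as an added example that is not from the slides or the authors' analysis. The counts are constructed, and the normal-approximation z-test on the difference of gaps is an assumed choice of test, not the one the study used.

```python
import math
from collections import defaultdict

CONDITIONS = ("benign", "suspicious")


def tally(records):
    """Count installs per (treatment, condition).

    records: iterable of (treatment, condition, installed), one row per
    subject, since each subject saw one warning and either installed or not.
    Returns {treatment: {condition: [installed, total]}}.
    """
    counts = defaultdict(lambda: {c: [0, 0] for c in CONDITIONS})
    for treatment, condition, installed in records:
        if condition not in CONDITIONS:
            raise ValueError(f"unknown condition: {condition!r}")
        cell = counts[treatment][condition]
        cell[0] += int(bool(installed))
        cell[1] += 1
    return dict(counts)


def gap(cells):
    """Benign install rate minus suspicious install rate, with its variance."""
    value, variance = 0.0, 0.0
    for condition, sign in (("benign", 1), ("suspicious", -1)):
        installed, total = cells[condition]
        if total == 0:
            raise ValueError(f"no subjects in the {condition} condition")
        p = installed / total
        value += sign * p
        variance += p * (1 - p) / total  # binomial variance of a proportion
    return value, variance


def attractor_effect(counts, treatment, control="Control"):
    """How much wider the benign/suspicious gap is under an attractor.

    The hypothesis predicts effect > 0. The p-value is one-sided and uses a
    normal approximation (an assumption of this example).
    """
    gap_t, var_t = gap(counts[treatment])
    gap_c, var_c = gap(counts[control])
    effect = gap_t - gap_c
    se = math.sqrt(var_t + var_c)
    if se > 0:
        z = effect / se
    else:  # degenerate case: every rate is exactly 0 or 1
        z = 0.0 if effect == 0 else math.copysign(math.inf, effect)
    return {
        "gap_control": gap_c,
        "gap_treatment": gap_t,
        "effect": effect,
        "z": z,
        "p_one_sided": 0.5 * math.erfc(z / math.sqrt(2)),
    }


def constructed_records():
    """Constructed sample data, NOT the study's results: (installed, total)."""
    spec = {
        ("Control", "benign"): (80, 100),
        ("Control", "suspicious"): (60, 100),
        ("Type", "benign"): (78, 100),
        ("Type", "suspicious"): (20, 100),
    }
    records = []
    for (treatment, condition), (installed, total) in spec.items():
        records += [(treatment, condition, True)] * installed
        records += [(treatment, condition, False)] * (total - installed)
    return records


if __name__ == "__main__":
    result = attractor_effect(tally(constructed_records()), "Type")
    for key, value in result.items():
        print(f"{key}: {value:.4g}")
```

A useful attractor widens the gap by lowering the suspicious install rate while leaving the benign rate roughly unchanged; a treatment that lowers both rates equally shows no effect on this metric.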
Results
N=2,227 participants, 28.6 years old (σ=9.3), 54% male, 75% Caucasian. Top two reported occupations: ‘student’ (27%), ‘unemployed’ (17%). 23% reported having knowledge of computer programming.
[Chart legend: benign install rate; suspicious install rate (lower is better)]
Experiment 2 with permission-granting dialog
What happens when users become
habituated to our attractors?
Experiment 3: habituation
• Research question: are attractors resilient to repeated exposure to dialogs?
• Idea:
  - Show a dialog repeatedly to participants with field X
  - Ask to click on “Yes” for 5 minutes
  - Change the field X to Y in the middle
  - Check if participants notice the change
Those who perform well may be rewarded with opportunities
to finish the study early while still receiving their full payment.
Experimental design: Phases
• Habituation phase: “You have dismissed N dialogs”
• Test dialogs: “Press the No option below to finish this study early”
Experimental conditions
• Fixed time: 2.5 minutes
• Fixed exposures: 22 times
Condition (columns: Fixed time, Fixed exposures)
Control: ✓ ✓
ANSI: ✓ ✓
AC+Delay: ✓
AC+Reveal: ✓
AC+Swipe: ✓
Swipe: ✓
Type: ✓
Immediate detection rate after 2.5 min/22 repetitions
N=872 participants, 30.8 years old (σ=11.7), 60% male, 77% Caucasian
[Chart panels: 2.5 minutes; 22 repetitions]
Median delay time imposed by attractors
[Chart panels: 2.5 minutes; 22 repetitions]
Conclusions
• Inhibitive attractors:
  - Are effective at driving users' attention to dialogs
  - Are resilient to heavy, repeated exposure
• Recent progress:
  - Study performance of attractors under different levels of habituation.