Disaster is just a click away
A Kansas State University computer scientist and psychologist are developing improved security warning messages that prompt users to go with their gut when it comes to making a decision online.
Eugene Vasserman, assistant professor of computing and information sciences, and Gary Brase, associate professor of psychology, are researching how to help computer users who have little to no computer experience improve their Web browsing safety without security-specific education. The goal is to keep users from making mistakes that could compromise their online security and to inform them when a security failure has happened.
"Security systems are very difficult to use, and staying safe online is a growing challenge for everyone," Vasserman said. "It is especially devastating to inexperienced computer users, who may not spot risk indicators and may misinterpret currently implemented textual explanations and visual feedback of risk."
Vasserman, whose expertise is in building secure networked systems, and Brase, who studies decision-making and the rationality behind people's choices, are developing a simple visual messaging system that would show novice computer users an easily understandable, relatable warning regarding their security decisions. These could be a choice to visit a website with an expired security certificate, or a website that is know to contain malware, among other online dangers. The idea is to have users make a gut reaction decision based on the message.
"The challenge is to get people to make the right decision," Vasserman said. "For example, sometimes a browser will show a dialog box saying this website has an expired SSL certificate, and sometimes the safer behavior is for people to still proceed and accept the expired certificate. But sometimes a website can pose a serious threat. We want people to make good choices without having to understand the technical detail, but we don't want to make the choice for them; we want to show them the importance and danger level of that choice."
Their project, "Education-optional Security Usability on the Internet," was recently awarded nearly $150,000 by the National Science Foundation. Researchers are using the funding to develop, test and evaluate the effectiveness of new and existing educational tools to find which ones case users to make better online security choices.
This system should minimize the use of traditional text warnings and icons, according to Vasserman.
The messaging system created will also likely be used in a medical project that Vasserman and colleagues are developing. The researchers are designing a secure network for hospitals and doctors' offices so medical devices can communicate with each other to monitor and relay information about a patient's health. Having a system that shows instantaneously recognizable consequences could be helpful to physicians and hospital engineers, who are not familiar with cybersecurity, make a correct decision quickly about what to do with a medical device that has a security problem.
"Presenting bad things with some sort of visual image is tricky because you want to convey to the user that this is not good, but you also don't want to traumatize them," Vasserman said. "For example, some people are terrified of snakes so that may be too intense of an image to use. When this is applied to a medical environment you have to especially conscious, so there are more considerations."
Prior to collaborating with Brase, Vasserman and Sumeet Gujrati, a doctoral candidate in computing and information sciences, tested the effectiveness of textual and visual communication for security messages and workflows.
Researchers spent more than 90 hours collecting data by observing volunteers use a piece of popular software that encrypts files on a computer.
The on-screen instructions asked users to select a location to store the encrypted files, but users often selected an existing file due to the phrasing of the instructions. This prompted an on-screen warning message stating that the selected file would be erased and all of the information inside of it would be lost. Users then had to decide to continue and erase the file or cancel the process and start over.
"I sat in the room many times and watched as people read the warning message carefully, sometimes even re-reading it, and then watched as they clicked on 'yes' and destroyed the file," Vasserman said. "Because the information being conveyed to them in the message was not immediately clear, many users specifically deleted the file they wanted to protect. I see that as an indicator that a text warning is not effective at getting users to make the correct choice."