Usable privacy and security is not limited to authentication. The field is huge and any interaction that involves private, critical or sensitive data is a possible field of interest for researchers. Work- ing in this field, one cannot refrain from looking left and right. On both sides, there is amazing work to see and big gaps to fill. In this chapter, we will talk about one of these topics, one that currently raised our interest and will be amongst the major focuses of our future work.
One of the main lessons that can be learned from usable and secure authentication is that it does not matter how thorough and impeccable the security of an authentication mechanism is if users simply give away the data that was meant to be protected. Among the criteria, number 5 (security should not require an active user) can be considered the last line of defense against insecure behavior. That is, when properly implemented, it protects users from revealing their authentication token due to “inappropriate” behavior. However, there is no protection for users that voluntarily and actively give away their authentication tokens or any other private data in the believe that the receiving entity is trustworthy. This, in fact, is a very common problem of Internet use.
Securing Internet users from frauds is maybe the most attended to topic in usable privacy and security. Additionally, it has an extremely wide coverage in the media. We are almost daily confronted with news about new Phishing attacks or other frauds meant to steal credentials while using the Internet that can be used later on to cause significant (financial) damage. All approaches have one typical property in common: They try to gain the users’ trust by counterfeiting trusted services or creating trust by other means. For instance, a study by Fogg et al. [53] showed that the “look and feel”, meaning the design of a website, is more likely to create trust than any
1 The author of this thesis recently received a Google Research Award funding to conduct a project on implicit
Figure 7.3: Ambient security visualization using MoodyBoard [30, 31]. Left: The whole keyboard is glowing in red to signalize dangerous behavior like inputting a credit card num- ber on a website without SSL certificate. Right: The return key can be lit separately to enrich the feedback with a deeper meaning like “if you submit this data, it might be stolen”.
other factor. Objectively and technically, this is a property that does not have any influence on the security of a system. That is that in a subjectively trusted situation, users easily think that providing their personal data, like credit card information, is not risky.
Current solutions for protecting Internet users from frauds are either blocking – forcing the users to decide upon one out of a set of given actions [46] – or non-blocking. The latter leave it to the user to check warnings or not [138]. SSL-certificate visualizations of current browsers fall into this category. The third and final approach is using teaching mechanism to train the users to behave more securely and how to identify threats [80, 119]. Reasons why such mechanisms fail are manifold. Habituation effects are an often cited problem that describe a situation in which users mix up important warnings with unimportant warnings they are often confronted with [3]. Overlooking warnings [138], plain lack of interest in security [133], lack of required knowledge [123] and wrong mental models [41] are another few that have to be mentioned. With ambient security visualization, we are currently conducting work on a fourth approach which can be seen as a non-blocking system. As opposed to them, by using ambient information rather than graphical user interfaces, such a system does not occupy any screen real estate. At the same time, very strong (or intense) notifications can be used that are less likely to be overseen by a user. We are not aware of any related work that employs ambient information to transport privacy and security relevant information or warnings to a user. Therefore, this can be considered a new subfield of Internet security research. First results indicate that ambient visualization has various advantages compared to GUI-based security warnings.
We started the experiments in this area using a keyboard to transmit vibration and color-coded information to a user while browsing the web. First steps including field studies and theoretical analyses to figure out an optimal (or at least good) configuration for such a system [30]. We also conducted user studies conducted with a version of MoodyBoard that only warned users about problems using both, vibration and colors as shown in figure 7.3. These studies showed that the system achieved security awareness comparable to blocking warnings while keeping the advantages of non-blocking systems: not interrupting the current task of the user and occupying limited or no screen real estate [31].
Besides effectiveness, another big advantage of ambient security visualization can be seen in its consistency even when transferred to completely different contexts. While GUI-based ap-
proaches often have the problem that they have been designed for a specific physical setup (for instance a specific minimum screen resolution), ambient security visualization is completely in- dependent from such limitations. The metaphor of a red warning glowing works on a desktop environment as well as in a mobile setting without loosing any of its meaning. For instance in [93], Maurer discusses how ambient security visualization can be used in a mobile context.