DOI: 10.1145/1572532.1572534
research-article

Revealing hidden context: improving mental models of personal firewall users

Published: 15 July 2009

Abstract

The Windows Vista personal firewall provides its diverse users with a basic interface that hides many operational details. However, concealing the impact of network context on the security state of the firewall may result in users developing an incorrect mental model of the protection provided by the firewall. We present a study of participants' mental models of Vista Firewall (VF). We investigated changes to those mental models and their understanding of the firewall's settings after working with both the VF basic interface and our prototype. Our prototype was designed to support development of a more contextually complete mental model through inclusion of network location and connection information. We found that participants produced richer mental models after using the prototype than when working with the VF basic interface; they were also significantly more accurate in their understanding of the configuration of the firewall. Based on our results, we discuss methods of improving user understanding of underlying system states by revealing hidden context, while considering the tension between complexity of the interface and security of the system.

Published In

SOUPS '09: Proceedings of the 5th Symposium on Usable Privacy and Security
July 2009
205 pages
ISBN: 9781605587363
DOI: 10.1145/1572532

Sponsors

  • Carnegie Mellon CyLab
  • Google Inc.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. configuration
  2. firewall
  3. mental model
  4. usable security

Qualifiers

  • Research-article

Conference

SOUPS '09
SOUPS '09: Symposium on Usable Privacy and Security
July 15 - 17, 2009
California, Mountain View, USA

Acceptance Rates

SOUPS '09 Paper Acceptance Rate 15 of 49 submissions, 31%;
Overall Acceptance Rate 15 of 49 submissions, 31%

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months): 26
  • Downloads (Last 6 weeks): 2

Reflects downloads up to 15 Feb 2025

Citations

Cited By

  • (2024) Mental Model-Based Designs: The Study in Privacy Policy Landscape. International Journal of Human–Computer Interaction (1-20). DOI: 10.1080/10447318.2024.2392064. Online publication date: 2-Oct-2024
  • (2024) Formal Mental Models for Human-Centered Cybersecurity. International Journal of Human–Computer Interaction, 41:2 (1414-1430). DOI: 10.1080/10447318.2024.2314353. Online publication date: 6-Mar-2024
  • (2023) A Decade of Development of Mental Models in Cybersecurity and Lessons for the Future. Proceedings of the International Conference on Cybersecurity, Situational Awareness and Social Media (105-132). DOI: 10.1007/978-981-19-6414-5_7. Online publication date: 8-Mar-2023
  • (2023) Achieving Usable Security and Privacy Through Human-Centered Design. Human Factors in Privacy Research (83-113). DOI: 10.1007/978-3-031-28643-8_5. Online publication date: 10-Mar-2023
  • (2022) Users' Expectations, Experiences, and Concerns With COVID Alert, an Exposure-Notification App. Proceedings of the ACM on Human-Computer Interaction, 6:CSCW2 (1-33). DOI: 10.1145/3555770. Online publication date: 11-Nov-2022
  • (2022) SoK: The Dual Nature of Technology in Sexual Abuse. 2022 IEEE Symposium on Security and Privacy (SP) (2320-2343). DOI: 10.1109/SP46214.2022.9833663. Online publication date: May-2022
  • (2021) Exploring mental models of the right to informational self-determination of office workers in Germany. Proceedings on Privacy Enhancing Technologies, 2021:3 (5-27). DOI: 10.2478/popets-2021-0035. Online publication date: 27-Apr-2021
  • (2021) On Smartphone Users’ Difficulty with Understanding Implicit Authentication. Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems (1-14). DOI: 10.1145/3411764.3445386. Online publication date: 6-May-2021
  • (2021) User Perception of Data Breaches. IEEE Transactions on Professional Communication, 64:4 (374-389). DOI: 10.1109/TPC.2021.3110545. Online publication date: Dec-2021
  • (2020) Amazon vs. My Brother: How Users of Shared Smart Speakers Perceive and Cope with Privacy Risks. Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems (1-13). DOI: 10.1145/3313831.3376529. Online publication date: 21-Apr-2020