TC: Small: Effective Security Warning Dialogs

TC：小：有效的安全警告对话框

• 批准号: 1116934
• 负责人: Lorrie Cranor
• 金额: $ 50万
• 依托单位: Carnegie-Mellon University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2011
• 资助国家: 美国
• 起止时间: 2011-09-01 至 2015-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1116934&HistoricalAwards=false
• 关键词: TC; Small; Effective; Security; Warning

This project focuses on improving the effectiveness of computer security warning dialogs ? on-screen prompts that warn users about a potential security risks and give users a choice between two or more courses of action. Security dialogs should help users avoid unsafe actions while allowing them to take safe actions by presenting information that allows users to make informed decisions that the system cannot make with user input. This research takes a novel approach to the design and rigorous evaluation of computer security warning dialogs, with the goal of developing generalizable guidelines for designing effective warning dialogs for software products. This has the potential to help end users make better security decisions that keep their information and computer systems safer, and improve the computer security ecosystem.Based on the Carnegie-Mellon team?s previous work, review of the literature, and discussions with collaborators, they have developed a set of candidate features that will have a significant impact on the effectiveness of security dialogs. For example, these features include: amount and placemen of text, severity of tone, how to help users decide, describing risks and consequences, use of recommended and default options, and more. They plan to systematically study each feature, applied to a variety of security dialogs, to determine the impact of each (individually and in combination) and to develop guidelines on how to use each feature to best effect. They will follow an iterative design and evaluation approach that will involve five types of studies: exploratory interviews, Mechanical Turk studies, laboratory studies, field studies, and interface designer studies. In the Mechanical Turk studies, participants will be provided with a scenario and a security dialog triggered by that scenario and asked how they would be most likely to respond. They will also be asked follow-up questions to learn why they made that decision, their perception of the risks associated with each warning dialog, their understanding of the warning dialog, their beliefs about how well they think they understand the warning dialog, and their knowledge of the concepts and vocabulary included in each dialog. We will measure the tendency for users to take the recommended action in risky scenarios and the non-recommended action in benign scenarios. The follow-up questions will help determine why users behave the way they do and how to most effectively design security warning dialogs to influence that behavior. It is important to determine how to communicate effectively about the risks and consequences, but also to determine how much users need to be able to understand before they make appropriate decisions. It is anticipated that of some aspects of the situation will be correlated with behavior, but that there will be some information that increases understanding with little or no impact on behavior. In addition, the features are likely to have varying impacts on understanding risks and consequences, motivation to take the safe course of action, and behavior. To test the generalizability of the guidelines, a large set of security dialogs from a wide range of software products will be collected. As candidate guidelines emerge, they will apply them to a variety of dialogs in their catalog and also observe which guidelines seem generally applicable and which seem to apply to only certain types of dialogs in our collection. Based on the final set of guidelines, the team will provide a number of example redesigns in a final project report and security dialog design tutorial that they will make publicly available.

这个项目的重点是提高计算机安全警告对话框的有效性？屏幕提示，警告用户潜在的安全风险，并让用户在两个或多个操作过程中进行选择。安全对话框应该帮助用户避免不安全的操作，同时通过提供信息，允许用户做出系统无法通过用户输入做出的明智决策，从而允许他们采取安全的操作。本研究采取了一种新的方法来设计和严格的评估计算机安全警告对话框，开发通用的指导方针，为软件产品设计有效的警告对话框的目标。这有可能帮助最终用户做出更好的安全决策，使他们的信息和计算机系统更安全，并改善计算机安全生态系统。的前期工作、文献回顾以及与合作者的讨论，他们开发了一组候选特性，这些特性将对安全对话的有效性产生重大影响。例如，这些功能包括：文本的数量和位置，语气的严重程度，如何帮助用户决定，描述风险和后果，使用推荐和默认选项等等。他们计划系统地研究应用于各种安全对话框的每个功能，以确定每个功能（单独或组合）的影响，并制定如何使用每个功能以达到最佳效果的指导方针。他们将遵循迭代设计和评估方法，涉及五种类型的研究：探索性访谈，土耳其机械研究，实验室研究，实地研究和界面设计师研究。在Mechanical Turk研究中，参与者将被提供一个场景和由该场景触发的安全对话框，并询问他们最有可能如何回应。他们还将被问到后续问题，以了解他们为什么做出这个决定，他们对每个警告对话框相关风险的看法，他们对警告对话框的理解，他们对自己理解警告对话框的程度的看法，以及他们对每个对话框中包含的概念和词汇的了解。我们将测量用户在风险场景中采取推荐操作和在良性场景中采取非推荐操作的趋势。后续问题将有助于确定用户行为的原因，以及如何最有效地设计安全警告对话框来影响这种行为。重要的是要确定如何就风险和后果进行有效沟通，还要确定用户在做出适当决定之前需要了解多少。预计情况的某些方面将与行为相关，但会有一些信息可以增加理解，而对行为影响很小或没有影响。此外，这些特征可能对理解风险和后果、采取安全行动的动机和行为产生不同的影响。为了测试准则的通用性，将从各种软件产品中收集大量安全对话框。随着候选准则的出现，他们将把它们应用到他们目录中的各种对话框中，并观察哪些准则似乎普遍适用，哪些准则似乎只适用于我们集合中的某些类型的对话框。根据最终的指导方针，该团队将在最终的项目报告和安全对话框设计教程中提供一些重新设计的示例，他们将公开提供。