Usable Cyber Trust Indicators

Published 17 August 2016, 20:49
When systems rely on a 'human in the loop' to carry out a security-critical function, cyber trust indicators are often employed to communicate when and how to perform that function. Cyber trust indicators typically serve as warnings or status indicators that communicate information, remind users of information previously communicated, and influence user behavior. They include a variety of security- and privacy-related symbols in the operating system status bar or browser chrome, pop-up alerts, security control panels, or symbols embedded in web content. However, a growing body of literature has found the effectiveness of many of these indicators to be rather disappointing. It is becoming increasingly apparent that humans are a major cause of computer security failures and that security warnings and other cyber trust indicators are doing little to prevent humans from making security errors. Indeed, engineers often fail to consider human behavior as they design secure systems. In some cases, it may be possible to redesign systems to minimize the need for humans to perform security-critical functions, thus reducing or eliminating the need for security warnings. However, in many cases it may be too expensive or difficult to automate security-critical tasks, and systems may need to rely on human judgment. In these cases, it is important to situate cyber trust indicators both spatially and temporally to maximize their effectiveness, and to design them to communicate clearly to users. Our research has studied the effectiveness of cyber trust indicators and developed approaches to making these indicators most effective and usable. I will discuss our overall approach and describe our efforts to design and evaluate a better SSL certificate warning and a 'nutrition label' for privacy.