Bridging the Gap in Computer Security Warnings: A Mental Model Approach
March/April 2011 (vol. 9 no. 2)
pp. 18-26
Cristian Bravo-Lillo, Carnegie Mellon University
Lorrie Faith Cranor, Carnegie Mellon University
Julie Downs, Carnegie Mellon University
Saranga Komanduri, Carnegie Mellon University
Computer security warnings are intended to protect users and their computers. However, research suggests that these warnings might be largely ineffective because they're frequently ignored. The authors describe a mental model interview study designed to gain insight into how advanced and novice computer users perceive and respond to computer warnings. Developers can leverage the approaches of advanced users to design more effective warnings for novice users.

Index Terms:
Computer security, User profiles and alert services, Human information processing, Human-centered computing
Citation:
Cristian Bravo-Lillo, Lorrie Faith Cranor, Julie Downs, Saranga Komanduri, "Bridging the Gap in Computer Security Warnings: A Mental Model Approach," IEEE Security & Privacy, vol. 9, no. 2, pp. 18-26, March-April 2011, doi:10.1109/MSP.2010.198