Paper published in a book (Scientific congresses, symposiums and conference proceedings)
Evaluating ambiguity of privacy indicators in a secure email app
STOJKOVSKI, Borce; LENZINI, Gabriele
2020 • In Loreti, Michele; Spalazzi, Luca (Eds.) Proceedings of the Fourth Italian Conference on Cyber Security, Ancona Italy, February 4th to 7th, 2020
Informing laymen of security situations is a notoriously hard problem. Users are usually not cognoscenti of all the various secure and insecure situations that may arise, and this can be further worsened by certain visual indicators that instead of helping users, fail to convey clear and unambiguous messages. Even in well-established and studied applications, like email clients providing end-to-end encryption, the problem seems far from being solved. Motivated to verify this claim, we studied the communication qualities of four privacy icons (in the form of coloured shapes) in conveying specific security messages, relevant for a particular secure emailing system called p≡p. We questioned 42 users in three different sessions, where we showed them 10 privacy ratings, along with their explanations, and asked them to match the rating and explanation with the four privacy icons. We compared the participants’ associations to those made by the p≡p developers.
The results, still preliminary, are not encouraging. Except for the two most extreme cases, Secure and trusted and Under attack, users almost entirely failed to get the indicators’ intended messages. In particular, they did not grasp certain concepts such as Unsecure email and Secure email, which in turn were fundamental for the engineers. Our work has certain limitations and further investigation is required, but already at this stage our research calls for a closer collaboration between app engineers and icon designers. In the context of p≡p, our work has triggered a deeper discussion on the icon design choices and a potential revamp is on the way.
Research center :
- Interdisciplinary Centre for Security, Reliability and Trust (SnT) > Other
Disciplines :
Computer science
Author, co-author :
STOJKOVSKI, Borce ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > Computer Science and Communications Research Unit (CSC)
LENZINI, Gabriele ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
External co-authors :
no
Language :
English
Title :
Evaluating ambiguity of privacy indicators in a secure email app
Publication date :
2020
Event name :
Fourth Italian Conference on Cyber Security (ITASEC 20)
Event place :
Ancona, Italy
Event date :
4-2-2020 to 7-2-2020
Main work title :
Proceedings of the Fourth Italian Conference on Cyber Security, Ancona Italy, February 4th to 7th, 2020