Section 24.4. Informing Through Interaction Design: What Users Understand About Secure Connections Through Their Web Browsing

24.4. Informing Through Interaction Design: What Users Understand About Secure Connections Through Their Web Browsing

The process of informing the user can happen as the user interacts with the system instead of through simple, explicit text disclosure. That is, in addition to the user's existing knowledge about how the system functions, the visual cues during interaction and the text displayed on the interface (web pages, browser, etc.) may lead the user to develop an idea or mental model of how the system functions. An issue of concern arises when there is a mismatch between the disclosed text and the interaction cuesin particular, when the latter heavily influences the user's perception of how the system works. As a result, in a best-case scenario, the user could end up confused but not jeopardize any personal data; in a worst-case scenario, the user could construct inaccurate mental models about the security of the system and make poor decisions on what actions to take or not to take to protect personal information.

With the design strategy of informing through interaction in mind, in this section we describe a study by Friedman, Hurley, Howe, Felten, and Nissenbaum^[24] on how users across diverse communities conceptualize web security.

^[24] Batya Friedman, David Hurley, Daniel C. Howe, Edward Felten, and Helen Nissenbaum, "Users' Conceptions of Web Security: A Comparative Study," in Extended Abstracts of CHI (2002), 746747.

24.4.1. Participants

Seventy-two individuals, 24 each from a rural community in Maine, a suburban professional community in New Jersey, and a high-technology community in California, participated in an extensive (two-hour) semistructured interview concerning users' conceptions, views, and values about web security. Equal numbers of men and women participated from each community. We report here on one section of the interview that focused on users' mental models of web security. Both verbal and nonverbal techniques were used to assess users' understandings.

24.4.2. Users' Conceptions of Secure Connections

Participants were asked to define and portray secure connections in various ways, as we describe in the following subsections.

24.4.2.1 Definition of a secure connection

Participants were first asked to define a secure connection. Participants' definitions of a secure connection encompassed one of the following concepts:

Transit. Protecting the confidentiality of information while it moves between machines on the Web
Encryption. The specific mechanism of encoding and decoding information
Remote site. Protecting information once it has arrived at its destination on the Web

High-technology participants (83%) provided correct definitions of a secure connection more frequently than rural participants (52%) (p < .05) did. Statistically, there was no difference in responses between the high-technology (83%) and suburban (68%) participants.

24.4.2.2 Recognition of a connection as secure or not secure

Next, participants were shown four screenshots of a browser connecting to a web site and were asked to recognize a secure connection. For each screenshot, participants were asked to state whether the web connection was secure or not secure, as well as to provide the rationale for their evaluation.

Table 24-1 shows the types of evidence participants used to evaluate a connection. As shown, participants depended primarily upon six types of evidence.

HTTPS protocolfor example, "usually, it says http for nonsecure or standard and https for secure, the s meaning secure".
Iconfor example, "[the site is secure] just because the key is there".
Point in transactionfor example, "it looks like one of the main pages on the site and usually main pages are nonsecured connections".
Type of informationfor example, "that at least has the indication of a secure connection; I mean, it's obviously asking for a Social Security number and a password".
Type of web sitefor example, "I can't imagine a bank would be online and not have security measures in there".
General distrustfor example, "I'm wary of the computer itself...I basically don't think any of the sites are secure".

Table 24-1. Percentage of types of evidence participants used to evaluate a connection as secure or not secure
Type of evidence^a	Correct evaluation		Incorrect evaluation
	Not secure	Secure	Not secure	Secure
1. HTTPS protocol	16	20	0	9
2. Icon (lock or key)	45	53	45	18
3. Point in transaction	11	2	0	9
4. Type of information	2	18	27	27
5. Type of web site	2	0	27	0
6. General distrust	5	0	0	18
7. Blue line	3	4	0	0
8. Amount/presence of Information	1	0	0	0
9. Accessibility of site	2	0	0	9
10. Text from web site	6	0	0	9
11. Alerts on screen	2	2	0	0
12. Security conventions	1	0	0	0
13. Transaction completed	1	2	0	0
14. Unspecified	3	0	0	0
15. Uncodeable	2	0	0	0
^a Some participants provided multiple types of evidence. All types of evidence were coded for each participant.

Secure connections were recognized by roughly half the participants evenly across the three communities. In contrast, nonsecure connections were correctly recognized more frequently by high-technology participants (92%) than by either rural (59%) or suburban (50%) participants (p < .05).

24.4.2.3 Visual portrayal of a secure connection

Finally, to elicit participants' models about web security, participants were asked to revise a drawing of the Web that they had made earlier in the interview to reflect a secure connection. Participants sketched primarily five different representations:

Screenshot (12%), a symbol on the screen such as the key icon
Direct connection (12%), a direct line between the user's computer and the target web site
Secure boundary (14%), a barrier, such as a firewall, that surrounds or protects the user's computer, a server, or the target web site
Encryption (40%), scrambling the information while it is in transit, including both message encoding and decoding in more sophisticated drawings
No difference (11%), drawings that remained unchanged from the participant's initial drawing

Participants' drawings were then analyzed for their representation of a secure connection as something that applies to information while it is in transit from one machine to another (a correct understanding) (see Figure 24-2), or as something that applies to a specific "place" on the Web (an incorrect understanding) (see Figure 24-3).

Figure 24-2. Participant drawing showing security as transit; the drawing shows a secure connection in terms of encryption while the information is in "transit"; the darker solid lines represent the secure connection

High-technology participants (74%) provided transit (i.e., correct) representations more frequently than did either rural (33%) or suburban (46%) participants (p < .05).

24.4.3. Reflections

Based on empirically derived typologies, results (Table 24-1) suggest that many users across diverse communities inaccurately evaluated a connection as secure when it was not, and vice versa. In addition, users who correctly recognized connections as secure or not secure sometimes did so for incorrect reasons. Furthermore, the high-technology participants did not always have more accurate or sophisticated conceptions of web security than did their rural and suburban counterparts.

Through this study, we highlighted two main points: that informing can happen through interaction, and that users develop mental models that shape their understanding about the system and about its security.

Figure 24-3. Participant drawing showing security as a place; the drawing shows a secure connection in terms of a secure boundary around a specific "place" on the Web; the darker solid lines represent the secure connection

We also mentioned that poor, inadequate, or misguided mental models about security may lead to poor privacy behaviorbelieving personal information is adequately protected when it is not, or not taking the appropriate actions to protect personal information. These negative consequences could be reduced through web browser design that helps users construct more accurate understandings of a secure connection. Such design work can profit from this study's typologies. For example, the most frequently used icons to represent the security status of a connectionthe key or padlockconvey the idea of a "place" that can be made secure. Such a conception runs counter to the more accurate meaning of a secure connection (referring to the security of the information in transit). More generally, well-designed interactionsconceptualized to match the underlying security model and validated empirically with userscan lead users to construct reasonable models for system security. In so doing, the interaction design can go a good distance toward tacitly informing users of potential privacy and security risks.