Section 29.2. Consent Dialogs

29.2. Consent Dialogs

The name of this much maligned interface element suggests something that isn't always apparent in the designdialog boxes are supposed to be a conversation ("dialog") between the computer and the user. The consent dialog has a specific conversation topic: "Do you want this thing to happen?" Frequently, consent dialogs ask trust questions. If the question is well phrased, users should have little difficulty making a decision, completing the dialog, and continuing on their way. However, well-phrased dialogs seem to be difficult to design.

After observing many users working with dialogs in the lab, I would suggest the hierarchy of decision points shown in Figure 29-1 that users follow in order to continue with what they perceive as their real taskthe one that the dialog box interrupted.

Figure 29-1. Decision points users make in evaluating a (hypothetical) consent dialog

Note that before users even start to evaluate the information provided in the dialog, they have already engaged their emotional feelings about the situation (1, in the figure). If these feelings are strong and positive (a friend or someone the user trusts recommended the application, for instance), then his desire to continue down this path may overrule his usual caution. In this situation, the user has made an emotional decision that is unlikely to be changed by any logical information or warning on the screen.

Users also gravitate toward the buttons and other controls (checkboxes, radio buttons) on the screenthey realize that these are the elements that will propel them toward their desired outcome, so they start by reading the text on and next to controls (2 and 3, in the figure) to see if these provide enough clues to let them continue. The wording of the buttons, and even which one is highlighted by default, are clues that users can employ in their trust decisions.

If they are unsuccessful after reading the button labels, users typically proceed to read the text on the screen. The primary statement is read first, normally because it is first on the main page area and in a larger or bold font (4, in the figure).

Dialogs with graphical elements also assist users with the trust decisionhave they seen that graphic before? Is it from a company they trust? Obviously, if the only graphics are system elements such as the icon of the program that launched the dialog box, then users may gain a false sense of security (5, in the figure).

Now users are really scraping around for clues and cues to help with their trust decision. Body text in the dialog box, the title bar, and potentially help links from the dialog box are all read with increasing levels of irritation and desperation, if at all (6, 7, and 8, in the figure).

29.2.1. Consent Dialog Redesign

There is very little that a computer can do to counter an emotional decision by the user. Unfortunately, this is the place where social engineering attacks (e.g., so-called "phishing" attacks) happenbefore the computer interface has a chance to influence the decision.

However, there are user interface design elements that can assist users with making trust decisions if they choose to make use of the information presented by the consent dialog. Figure 29-2 shows these elements laid out in a figurative consent dialog. For an example of how these elements are used in a real consent dialog, see Figure 29-8.

Figure 29-2. Figurative elements of a more informative (hypothetical) consent dialog

Considering that users tend to gravitate to the buttons on the dialog, the default button (which will be clicked if the user simply presses Enter) should always follow the path recommended by the computer. This may not necessarily be the most secure path ultimately, but instead may be the best tradeoff of security and convenience.

The button labels should also be verbose enough to allow users to make an informed decision. For instance, consider the difference in meaning between the button pair Install and Cancel and the button pair Install Anyway and Cancel. In the second instance, the button label itself contains a caution that something may require further investigation before installation. Of course, in conjunction with the button labels, the dialog text needs to make it clear what the issue is that requires investigation, and suggest a path of resolution.

The dialog should contain a summary statement or focused question placed in the primary area of the dialog box. This statement or question should provide users with an understanding of the decision they are being asked to make (what they are "consenting" to).

If further text is required, it should follow the summary statement, but what appears from testing to be more useful to users at this point is evidence that they can use to evaluate their response to the question being asked. In an ideal world, this information would probably contain recommendations from trusted sources; in reality, with today's software and certification mechanisms, the best that can be done is often to provide what information the application knows about the situation to the user in the form of clues he can use to help him arrive at a decision (the Property: Value pairs in Figure 29-2). Typically, this means items such as the filename, publisher, and download location of a file, the name of an application or user who is requesting something, or other such short strings. The computer can often also assign some degree of confidence to these clues by letting the user know whether the statement is corroborated by a certificate. Although users often have totally erroneous concepts of what certification entails or guarantees, this can be abstracted to an extent within the dialog.

For users who still do not have sufficient information to make a decision, there is space to provide additional assistance text and even a link to a help article. Note that this information is placed in a separate area at the bottom of the dialog that does not interfere with the primary dialog controls. User testing has shown that people who are seeking out this information will still find it in this location, whereas if it is placed above the action buttons, it interferes with the task for users who do not require the additional, often generic, text. This information is accompanied by an icon that rates the severity of the decision outcomeinformational, warning, or danger/stop.