Design principles and guidelines for targeted security awareness
ECU Security Research Institute / School of Science
Key factors that weaken users' ability to use security are often related to the difficulty of comprehending the features and notifications within application interfaces, inconsistency between interfaces, and the absence of appropriate guidance or adequate security information. This often leads to confusion that limits a user's ability to comprehend the risk, leaving them to make uninformed decisions that may compromise their IT system, or to abandon attempts to address security altogether.

This research has consequently focused on supporting the user by ensuring that security guidance and feedback are available during the task at hand, providing effective information to help them make the right decision at the right time. This has led to a targeted security awareness raising approach. A series of design principles for security features is proposed to enhance the user's experience; these principles can be implemented to maximize the user's awareness of security threats, and to provide the necessary security information and recommendations without directing the user towards a specific choice.

To study the effectiveness of the proposed design principles and guidelines, existing applications were examined to evaluate their consistency with these recommendations; this identified scope for improvement that would in turn assist user awareness through a more targeted approach. The approach is illustrated through an example in which the design principles and guidelines are applied to the appearance of email notifications that aim to help users spot phishing threats. The results of the experimental work conducted during this research suggest that user behaviour can be positively influenced purely through the provision of additional information, and that better choices can be made even when the system provides no further enforcement.
In addition, the findings demonstrate that abstracting the design principles and guidelines allows the lessons to be transferred to other contexts. Furthermore, following and applying the guidelines enables subtle but relevant refinements to the user interface. Considering this security lesson more broadly, guidance and feedback (nudges) should be provided by default.
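As an added illustration of the phishing email notification example mentioned above (this is not code from the thesis or from ECU), the following Python sketch applies the approach the abstract describes to a mail client: it inspects a message at the moment the user is reading it, explains the specific indicators it found in plain language, recommends what to do, and never blocks or alters the message, so the decision stays with the user. The indicator checks, the notification wording and the two sample messages are this example's own assumptions, not the principles or data from the research.

```python
"""
Targeted phishing notification: information and recommendation, no enforcement.
Added example; the checks and wording below are assumptions, not the thesis's principles.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlparse


@dataclass
class Email:
    display_name: str
    from_address: str
    subject: str
    reply_to: Optional[str] = None
    links: List[Tuple[str, str]] = field(default_factory=list)  # (visible text, href)


@dataclass
class Notification:
    indicators: List[str] = field(default_factory=list)  # what was observed
    guidance: List[str] = field(default_factory=list)    # what the user can do
    delivered: bool = True  # the message is always delivered: information only


ADDRESS_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def host_of(url: str) -> str:
    """Lower-cased host of a URL; a missing scheme is treated as http://."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def domain_of(address: str) -> str:
    """Domain part of a mail address, or '' if the string is not an address."""
    m = ADDRESS_RE.fullmatch(address.strip())
    return m.group(1).lower() if m else ""


def assess(mail: Email) -> Notification:
    """Collect phishing indicators with an explanation and a recommendation each."""
    n = Notification()
    sender_domain = domain_of(mail.from_address)

    # Display name that itself looks like an address at a different domain.
    name_match = ADDRESS_RE.search(mail.display_name)
    if name_match and name_match.group(1).lower() != sender_domain:
        n.indicators.append(f"The sender name shows '{name_match.group(0)}', but the message "
                            f"was actually sent from '{mail.from_address}'.")
        n.guidance.append("Check the real sender address before replying or acting.")

    # Reply-To that routes answers to a different domain than the sender's.
    if mail.reply_to and domain_of(mail.reply_to) != sender_domain:
        n.indicators.append(f"Replies would go to '{mail.reply_to}', not to the sender's domain.")
        n.guidance.append("Contact the organisation through a channel you already know instead of replying.")

    for text, href in mail.links:
        actual = host_of(href)
        # Link text that names a host but leads to a different one.
        shown = host_of(text) if ("." in text and " " not in text) else ""
        if shown and shown != actual:
            n.indicators.append(f"The link reads '{text}' but leads to '{actual}'.")
            n.guidance.append("Type the organisation's address into your browser instead of following the link.")
        # Link whose destination is a bare IP address rather than a named site.
        if IPV4_RE.fullmatch(actual):
            n.indicators.append(f"The link '{text}' points to a numeric address ({actual}).")
            n.guidance.append("Type the organisation's address into your browser instead of following the link.")
    return n


def render(n: Notification) -> str:
    """Human-readable notice; empty string when nothing was found (no noise for clean mail)."""
    if not n.indicators:
        return ""
    lines = ["This message shows signs often seen in phishing:"]
    lines += [f"  - {i}" for i in n.indicators]
    lines.append("What you can do:")
    lines += [f"  - {g}" for g in dict.fromkeys(n.guidance)]  # de-duplicate, keep order
    lines.append("The message has been delivered; the decision remains yours.")
    return "\n".join(lines)


# Constructed sample messages (not real mail).
PHISH = Email(
    display_name="security@bank.example",
    from_address="alerts@bank-example-verify.example",
    subject="Urgent: confirm your account",
    reply_to="reset@mailer.example",
    links=[("bank.example/login", "http://bank-example-verify.example/login"),
           ("Unsubscribe", "http://203.0.113.5/u")],
)
BENIGN = Email(
    display_name="Bank Example",
    from_address="alerts@bank.example",
    subject="Your statement is ready",
    links=[("bank.example/statements", "https://bank.example/statements")],
)

if __name__ == "__main__":
    print(render(assess(PHISH)))
```

Running the block prints four indicators for the constructed phishing message and nothing for the benign one; in both cases `delivered` stays true, which is the point the abstract makes: the notice adds information at the moment of the task without enforcing a choice.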