Jun 01 2017
General Project
The overall project objective is to improve web security by better usability of web interaction design based on website certificates. We suggest that certificates have a unique role to play in Internet security because they attest to the completion of an evidence-based process for identification of website providers. However, many studies have shown that users do not take full advantage of this information (Egelman et al., 2008; Akhawe & Felt, 2013). We suspect that the interaction design does not make the nature of certificates clear to users. In particular, we speculate that users are unaware of certificates and what they represent, and therefore typically do not look for them, do not understand them, and so do not trust them. Instead, too many users will make decisions on trustworthiness based on simple processes susceptible to deception, such as visual appeal of the websites themselves. We suggest that website certificates should become as expected and understood as house inspection: looked for, clear, and relied upon.
Our project differs from other work in several respects. Firstly, we will focus specifically on issues and interaction based on certificates, rather than a range of browser warnings. We investigate the understanding of different certificate types, and especially on Extended Validation (EV) certificates. We also study the effect of browsers having different interaction design for certificates, and explore the effect that standardization might have. Second, our theoretical direction is be based on empowering users and involving them in the process of decision making, rather than bypassing them. This builds on earlier mental models approaches (Bravo-Lillo, 2011), but also takes heed of recent work highlighting the importance of respecting user attention and interaction effort (Akhawe and Felt, 2013). Finally, we approach the project from a strong Human-Computer Interaction (HCI) perspective, and apply a broad range of established techniques.