Out of Sight, Out of Mind: UI Design and the Inhibition of Mental Models of Security


Research area: Strategies



Venue: NSPW '20: Proceedings of the New Security Paradigms Workshop 2020


Abstract

In this paper we make the case that UI design inhibits mental models of security by concealing most of the security-relevant aspects of software functionality. Users are frequently required to make decisions that have important security implications, which requires a mental model of software infrastructure to know what actions are ‘safe’ versus ‘unsafe’. People build internal causal models of what they experience that have explanatory and predictive power, and therefore form the basis of the decision-making faculty. By concealing security information, user interfaces hinder the user from building the kinds of models that will keep them safer, and only the small minority who are willing to go beyond the interface will acquire this knowledge. We suggest increasing the visibility of some essential information about the security-relevant aspects of software functionality in a way that ordinary users will be able to make sense of, so that through normal interactions with software everyone develops the kind of knowledge needed to better support security. We review the cognitive science and cybersecurity literature on mental models, present three ‘case studies’ which embody the security concealment problem, and present preliminary suggestions for how UI design might amend this problem.


Authors:
Eric Spero, Carleton University, Canada
Robert L Biddle, Carleton University, Canada

Paper information

Publication year: 2021
Citations: 5
Country of publication: Canada
Site: ACM
