"If HTTPS Were Secure, I Wouldn't Need 2FA" - End User and Administrator Mental Models of HTTPS
- 1 May 2019
- conference paper
- Published by Institute of Electrical and Electronics Engineers (IEEE) in 2019 IEEE Symposium on Security and Privacy (SP)
- p. 246-263
- https://doi.org/10.1109/sp.2019.00060
Abstract
HTTPS is one of the most important protocols used to secure communication and is, fortunately, becoming more pervasive. However, the long tail of websites in particular is still not sufficiently secured. HTTPS involves different types of users, e.g., end users who are forced to make critical security decisions when faced with warnings, or administrators who are required to deal with cryptographic fundamentals and complex decisions concerning compatibility. In this work, we present the first qualitative study of both end user and administrator mental models of HTTPS. We interviewed 18 end users and 12 administrators; our findings reveal misconceptions about security benefits and threat models from both groups. We identify protocol components that interfere with secure configurations and usage behavior and reveal differences between administrator and end user mental models. Our results suggest that end user mental models are more conceptual while administrator models are more protocol-based. We also found that end users often confuse encryption with authentication, significantly underestimate the security benefits of HTTPS, and ignore and distrust security indicators, while administrators often do not understand the interplay of functional protocol components. Based on the different mental models, we discuss implications and provide actionable recommendations for future designs of user interfaces and protocols.