1 Encouraging Second Thoughts: Obstructive User Interfaces for Raising Security Awareness Tim Storer ∗ , Stephen Marsh † , Sylvie No¨ el ‡ , Babak Esfandiari § , Khalil El-Khatib † , Pam Briggs ¶ , Karen Renaud ∗ and Mehmet Vefa Bicakci § ∗ University of Glasgow † University of Ontario Institute of Technology ‡ University of Trento § Carleton University ¶ Northumbria University Abstract—We propose a suite of user interface widgets to intuitively inform a user of a mobile device’s sense of comfort at the user’s proposed actions. I. I NTRODUCTION We previously introduced the concept of Device Comfort as a means for a computational device, such as a smartphone, to reason about its context and its current user’s behaviour [1], [2]. We believe that such a sense of comfort in a device provides a measure of the health of the relationship between the phone and its known owner. If the comfort level is high, the device is at ease with the current user and her behaviour. If it is no longer sure of the user’s behaviour in a specific context, the sense of comfort declines and it becomes increasingly uneasy. We contend that this relationship enables a more sophisti- cated, flexible and adaptable approach to device security than of ered by, for example, explicit authentication mechanisms such as passcodes. These explicit mechanisms provide an all- or-nothing approach to enabling access to a device’s services and data, typically based on activity timeout. Consequently, the device may require a user to authenticate when it is inconvenient (they are browsing publicly available news web- sites, for example) or not demand authentication when a user accesses particularly sensitive services (a banking or e-health application for example). Explicit authentication mechanisms are also unable to lever- age activity context when a decision is made to authenticate a user. For example, it may be appropriate to authenticate a user who wishes to access personal documents or photographs on a device if they do so in a public place, but this may be less of an imperative when done at the device owner’s home. In addition, the recent trend toward “Bring Your Own Device” (BYOD) policies in organisations mean that the division between personal and work related information technology is becoming increasingly blurred. Mechanisms are needed that assist a user in determining what activities are appropriate with a device in dif erent contexts, to ensure that a flexible balance is struck between usability and security. Our approach is to allow a device to continuously compute and reason about its comfort based on a variety of contextual factors, including user behaviour, executing applications, ge- ographic location, time, nearby devices, available networks, services accessed and so on. The factors that influence a device’s comfort may also evolve over time, as the device becomes accustomed to its user’s normal patterns of behaviour. This sense of comfort then informs the device’s response to user actions. Actions that enhance the device’s sense of comfort are permitted transparently. Conversely, actions that make the device ‘feel’ uncomfortable in particular contexts are resisted, although rarely actively prevented. Consider the following scenario. Alice travels regularly on the train between her home and place of work. Since humans are often creatures of habit, Alice normally catches the 8.00am train to work and the 5.45pm train home. During the 30 minute journey she uses her device for e-mail, perhaps to work on some internal company documents, or to chat with her friends on facebook. She may also tweet her observations of the day, do some banking, and file an expense report. Note here that the distinction between work, personal busi- ness and play is purely conceptual – Alice performs the dif erent tasks, as she has for years, seamlessly accessing dif erent kinds of information, interacting with dif erent people and dif erent information systems. The key is that the device itself has a relationship with Alice, nurtured over years of continuous use – it ‘knows’ her patterns of activity, the way she gets to work, the time she takes, and the places she passes through. As such, it can anticipate her actions, authenticate on her behalf when dealing with external information entities and act as a guardian against unexpected behaviours. There are naturally concerns here, some of which we ad- dress elsewhere [1]. In this paper, we address a dif erent con- cern – how to allow the device to communicate its ‘comfort’ level to its user, in order to allow them better to understand the ef ects of what they are doing on their own security, the device’s security, or the security of the information they are working with. To complete the relationship between the device and its user, it is necessary for the device to have some means of expressing the ef ect of dif erent actions on its comfort. In this work, we explore designs that extend conventional user interface components with a means of expressing the de- vice’s sense of comfort as an integrated part of the completion of a user’s task. User interface design research has largely been concerned with investigating the interaction methods that support a user to complete their desired tasks in an intuitive and convenient manner [3]. By contrast, the designs proposed here actively obstruct the user when necessary, in order to express the device’s discomfort at a proposed action, in the hope of giving the user enough time to have ‘second thoughts’. The designs are intended to convey the device’s discomfort as a warning concerning the proposed action. However, the obstruction will not normally prevent the user from completing