the cups blog


A Brick Wall, a Locked Door, and a Bandit: Promoting A Physical Security Metaphor For Firewall Warnings (Paper 1)

Fahimeh Raja, University of British Columbia
Kirstie Hawkey, Dalhousie University
Steven Hsu, University of British Columbia
Kai-Le Clement Wang, University of British Columbia
Konstantin Beznosov, University of British Columbia

“A Brick Wall” aims to design firewall warnings that will accurately communicate risk to users.

The authors designed graphical warnings using a physical security mental model: a person trying to gain access through a secured door in a brick wall surrounding the user's computer room. The user is presented with a security dialog containing a color-coded title bar, a short text description of the reason for the warning, a graphical security cartoon illustrating the risk, and a series of actions to take (allow, deny, etc.), depicted by padlocks being opened or remaining secure.

The security cartoon varies based on the severity of the warning:

  • The most severe warning for known-malicious access features a red title bar and depicts a robber approaching the door carrying a knife and a bag labeled “data.”
  • The modest warning for unknown access features a yellow title bar and depicts a grey human silhouette approaching the door.
  • The safe warning for identified-safe access features a green title bar and depicts a friendly figure approaching the door.

A study was conducted to compare the effectiveness of the graphical warnings with text warnings from the Comodo Personal Firewall in conveying the risk associated with a given warning. Compared with the text-only warnings, the graphical warnings increased subjects' understanding of the protection offered by the firewall and increased subjects' assessment of risk. Two-thirds of subjects preferred the graphical warnings. Among the remaining third, the preference for textual warnings correlated strongly with increased technical capability, and these subjects held that opinion for interesting reasons (text warnings are more professional; graphical warnings look childish).

Read the full paper at