This research project will enable nontechnical individuals to easily manage their online risks. The current information infrastructure is profoundly insecure in no small part due to the oblivious risk-seeking behaviors of nontechnical individuals online. The methods in this research are a combination of risk communication with intelligent interaction design. While the theory of risk communication has been embraced in computer security, its use is embryonic. The tools of intelligent interaction have not been adopted to assist individuals in making risk decisions appropriate to their contexts. By combining these approaches to specific online risks, the research will enable individuals to make informed security choices. Note that this work specifically focuses on the identified human individual as opposed to the commonly abstracted rational self-optimizing user. The core elements of the research are: 1) understanding the individual's risk perception, 2) using that perception for effective risk communication, 3) ensuring the interruptions and communications are appropriate to the workflow at hand, and 4) providing risk mitigation that is automated and seamless. The innovative methods carry a high risk, but also a high payoff in potentially enabling the wide use of many discrete security tools. In this research, the knowledge-based approach to identification of technical risk will be integrated with a human-centered approach to the perception of risk to enable mitigation that is automated and contextually aware.
Using the results of our research, individuals will choose to take informed risks based on their tasks, workflows, and context. In contrast, today individuals are interrupted with decontextualized, narrative-free, inappropriately timed, and often technologically incomprehensible suggestions for risk mitigation. Consequently, people innocently take risks they have no way of knowing how to avoid. To enable the nontechnical individual, this research project will embed a novel approach to simplifying the use of security measures. The proposed translucent design is enabled by this combination of reasoning about risk to interrupt the individual only when necessary, using workflow to build a coherent narrative that focuses on the risks and how to mitigate them in context, and combining the appropriate mitigating actions into simple customized macros.