Spidey Sense: Designing Wrist-Mounted Haptics to Improve Awareness of Cybersecurity Warnings

Sauvik Das, Gregory Abowd
Youngwook Do, Linh Hoang

Cybersecurity warnings remain an essential component of human-in-the-loop secure systems, yet they often fail to capture people's attention and motivate action. In reviewing prior work in the security warning space, we identified two key underlying problems that help explain why: (i) the channels used to communicate cybersecurity warnings are overloaded, and (ii) cybersecurity warnings are communicated only intellectually, not viscerally.

First, existing security warnings are communicated through the same overloaded channel as all other interruptions, warnings and notifications, i.e., via primarily visual modals, occasionally accompanied by a short audio and/or vibrotactile cue. Therefore, people often ignore cybersecurity warnings: with every ubiquitous notification, they are implicitly trained, ironically, to ignore the behavioral cues that are designed to bring their attention to critical security warnings. Second, unlike threats in the physical world, cyber threats are communicated intellectually but not viscerally: people might be able to see that they are navigating to a website with an expired SSL/TLS certificate the way they might see cars barreling down a trafficked street, but they may not feel that they should not proceed to that website when they see a warning the way they would if a friend grabbed their wrist before they attempted to jaywalk.

One way of addressing this problem, then, is to have a secondary notification channel that: (i) is used only to communicate important cybersecurity warnings, so that users learn to differentiate alerts for urgent cybersecurity warnings versus other types of alerts, and (ii) can communicate threats not just visually but haptically, so that users can "feel" the presence of a potential threat in addition to seeing pertinent information about the threat. More generally, what is needed is a mechanism of delivering cybersecurity warnings that helps bridge the gap between the presence of a cyber threat and the physical perception of that threat. Tangible interfaces can help bridge that gap \cite{Ishii:2008:TBB:1347390.1347392}. Accordingly, in this paper, we present Spidey Sense, a smartwatch wristband that alerts people to especially important cybersecurity warnings by squeezing their wrist in a pattern specifically designed to capture their attention.

Historically, deploying a wearable device specifically for cybersecurity has been challenging. Cybersecurity is, for most people, a secondary concern \cite{dourish2004security,1306384, MOORE2010103}, and it is unlikely that a typical end-user would purchase and wear a tangible apparatus specifically for the purposes of improving their cybersecurity behaviors. However, smartwatches are increasingly popular and many, like the Apple Watch, have switchable wristbands. Our key insight is that by developing a simple smartwatch wristband that can produce a noticeable haptic effect independent of the standard vibrotactile cues, we should be able to improve perception of cybersecurity warnings in a manner that is both practical and deployable.

In designing Spidey Sense, we explored a wide spectrum of haptics, e.g., providing electrical impulses and producing prickling sensations using a robotic finger. Ultimately, we settled on "squeezing" for three reasons. First, we drew inspiration from prior work in psychology, which identified that people protectively grasp another person's wrist when they feel scared or surprised \cite{doi:10.1098/rsos.170265}. Second, squeezing sensations are generally painless. Third, the mechanical and electrical components used to produce a squeezing sensation can be easily fit into a smartwatch wristband.

To explore the design space of squeeze notifications and converge on one that is empirically effective for critical cybersecurity warnings, we introduce a study methodology, "Find-Rank-Verify", adapted from the "Find-Fix-Verify" methodology that was introduced by and utilized in prior work in HCI and haptics. For the "Find" phase, we recruited a small set of participants to independently create a unique squeeze notification using a design GUI that we constructed for manipulating the Spidey Sense wristband. For the "Rank" phase, we recruited an additional 30 participants to rank the initial set of squeeze notifications created in the previous phase, through a randomly-bracketed tournament where they made a series of pairwise comparisons. Finally, for the "Verify" phase, we ran a within-subjects experiment comparing the winning squeeze notification vis-a-vis a vibrotactile baseline control condition. Through this three-part study, we found a winning squeeze notification (one with many large, rapid pressure pulses) that was considered more appropriate than a vibrotactile baseline for alerting users to critical cybersecurity warnings.

Concretely, we offer the following contributions in this paper:

  • We design and develop a smartwatch wristband that produces expressive squeezing sensations to alert people to critical cybersecurity warnings.
  • We introduce a study methodology, "Find-Rank-Verify", that can be used to systematically explore an open-ended haptic design space for cybersecurity warnings with the goal of converging on a single, effective pattern.
  • In applying "Find-Rank-Verify" to Spidey Sense, we empirically show that Spidey Sense is more appropriate for critical cybersecurity warnings than a vibrotactile baseline.

Security and privacy help realize the full potential of computing in society. Without authentication and encryption, for example, few would use digital wallets, social media or even e-mail. The struggle of security and privacy is to realize this potential without imposing too steep a cost. Yet, for the average non-expert, security and privacy are just that: costly, in terms of things like time, attention and social capital. More specifically, security and privacy tools are misaligned with core human drives: a pursuit of pleasure, social acceptance and hope, and a repudiation of pain, social rejection and fear. It is unsurprising, therefore, that for many people, security and privacy tools are begrudgingly tolerated if not altogether subverted. This cannot continue. As computing encompasses more of our lives, we are tasked with making increasingly more security and privacy decisions. Simultaneously, the cost of every breach is swelling. Today, a security breach might compromise sensitive data about our finances and schedules as well as deeply personal data about our health, communications, and interests. Tomorrow, as we enter the era of pervasive smart things, that breach might compromise access to our homes, vehicles and bodies.

We aim to empower end-users with novel security and privacy systems that connect core human drives with desired security outcomes. We do so by creating systems that mitigate pain, social rejection and fear, and that enhance feelings of hope, social acceptance and pleasure. Ultimately, the goal of the SPUD Lab is to design new, more user-friendly systems that encourage better end-user security and privacy behaviors.