Modeling the behavior of users who are confronted with security mechanisms

In this paper, we describe a new approach to analyze the trade-off between usability and security frequently found in security-related user interfaces. The approach involves the simulation of potential user interaction behavior by a mixed probabilistic and rule-driven state machine. On the basis of the simulations, user behavior in security-relevant situations can be predicted and user interfaces optimizing intended behavior can be designed. The approach is evaluated in an artificial microworld setting which provides good control over the experimental factors guiding the behavior. A comparison of empirical and simulated behavior in this microworld shows that the approach is already able to accurately predict important aspects of user behavior toward security interfaces, but also identifies future work necessary to better cover all relevant aspects guiding this behavior in a real-world setting.