Evangelizing security in XP SP2

I spent a bit of time recently away from Longhorn evangelism, in order to help with some XP SP2 evangelism.  It sounds kind of funny to talk about evangelizing a service pack, I suppose, but SP2 has some pretty significant new security features in it.

I was asked to help evangelize the Attachment Execute Service.  I like how diplomatically they try to explain user reaction, noting that “users will fail to properly discriminate between viruses and safe attachments.”  The research I’ve seen is quite interesting – it suggests that, in general, most users actually can’t discriminate between the effects of the OK and Cancel buttons in a dialog box.  I saw a presentation on this once that was just like that old Far Side cartoon about what dogs hear – the author showed a real dialog that asked some question, and then showed how users perceived the text.  It was something like “Pick a random number between 1 and 10, if you pick correctly I’ll take one set of actions you won’t understand, otherwise I’ll do something else you won’t understand.  What did you pick?” and then the buttons were [OK] and [Cancel].

The inability of users to decipher the average message box is a failure on the part of software designers, of course, not users, but it has significant implications for security.  The first implication is that you should just avoid dialog boxen altogether if possible, because odds are users won’t read or process your message anyhow.  The second implication is that if you do show an alert, particularly for something serious like security and malicious attachments, you need to be clear on what’s going on.  That’s what Attachment Execute Service is about: a centralized API that any app can call to determine whether a warning dialog is needed, and if so, show a common dialog that users will hopefully learn to read and trust.

Comments

  • Anonymous
    April 26, 2004
    The problem with MessageBox is that it is modal. Users don't like being forced into answering a question and just want to get rid of the thing. Windows programs are better when they are random access and not sequential.
  • Anonymous
    April 26, 2004
    Jupiter's MicrosoftMonitor
  • Anonymous
    April 26, 2004
    Raymond Chen had a similar topic about dialog boxes and complex questions (well, in the eyes of less literate users).

    While I can understand that these users get frustrated by certain types of dialog boxes, you have to realize that advanced users will get frustrated when the system makes certain decisions on its own or makes you run through dumbed down wizards. Finding a balance will always tend towards the less literate folks. Implementing basic and expert modes in Windows to cater to the different groups adds a lot of overhead. And I'm really curious how Longhorn will end up; one fear of mine is WizardMania(tm).
  • Anonymous
    May 05, 2004
    USE JAVA