2.4 Human Computer Interaction in Security
Human Computer Interaction (HCI) governs the methods in which we interact with technol-ogy. The discipline has undergone significant transformation as our dependency increases and technology advances, generating new problems and the necessity for new technological solutions.
Carroll [50] defines HCI as "one of the first examples of cognitive engineering", a term coined within cognitive science that presents "people, concepts, skills, and a vision for addressing such needs through an ambitious synthesis of science and engineering". The inter-dependencies and multi-disciplinary nature of the subject can be visualised below (see 2.7):
Fig. 2.7 The variety of disciplinary knowledge and skills involved in contemporary design of human-computer interactions [50].
The "original and abiding technical focus of HCI was and is the concept of usability"
[50]. Usability accounts for:
• well being
• collective efficacy
• aesthetic tension
• enhanced creativity
• support for human development
A more dynamic view of usability is one of "a programmatic objective that should and will continue to develop as our ability to reach further toward it improves" [50]. HCI has traditionally been associated with the ’desktop’ environment but in recent years has expanded to encapsulate many new areas of technology (smart devices, information systems) which are typically more mobile.
To design effective HCI solutions, a cyclical design process is adopted known as the
"task-artefact cycle" [51], 2.8.
Fig. 2.8 Task Artefact Model [51]
The Task-Artefact Cycle relates to the "co-evolution of the activities people engage in and experience, and the artefacts - such as interactive tools and environments - that mediate those activities" [50]. HCI is therefore a process of critically evaluating the interactive technologies people use and their user experience. It is also about understanding how those interactions evolve with the adoption of new technologies and also how users’ knowledge, expectations, skills and visions expand. It is this assessment of such variables that drives forward the realisation of new devices and systems.
Carroll [50] states that the "dialectic of theory and application has continued in HCI"
(approximating perhaps a dozen "currents of theory") that can be grouped into the following three eras:
• theories that view HCI as information processing,
2.4 Human Computer Interaction in Security 43
• theories that view interaction as the initiative of agents pursuing projects,
• theories that view interactions socially and materially embedded in rich contexts. [50]
The change in paradigms throughout these era is represented in 2.9:
Fig. 2.9 A Series of Theoretical Paradigms Addressing the Expanding Research Ambitions of HCI [50].
To design effective HCI one must follow a strict set of criteria (successful HCI design will require an iterative approach often requiring repeated steps). It is essential to:
• Establish the requirements [196]. This requires careful consideration as to how the users interact with the product and what it is they are trying to achieve.
• Determine the alternatives [196]. This denotes predicting what alternatives are present and why they may be suitable or indeed preferable to the user. Assimilation of features may be necessary.
• Prototype [196]. Any implementation requires a testing phase. This allows for a visualisation of the solution and user testing.
• Evaluate [196]. Analysing the prototype and user feedback is critical to assessing whether the user requirements have been met. If not, this requires the repetition of previous steps.
2.4.1 HCI and Behaviour Change
The role of HCI is important when one considers the effectiveness of a given program or technology device in influencing behavioural change. Numerous studies have focused on health behaviour change encouraging physical activity [[17], [57], [58]], healthy diet [[75], [97]], glycemic control in diabetes [[157], [209]] and self-regulation of emotions [165].
Based on extensive empirical research, Prochaska et al [185] conclude that "for behaviour change to truly stick, a person has to maintain the target behaviour for several years". The
problem associated with change is evident when one considers relapses or setbacks. For example, behaviours are often entrenched within an individual’s routine requiring significant effort to alter. Cycling to work may seem a healthy alternative but may require the person to arrange child care, shower on arrival, find somewhere to secure their bike and accommodate bad weather [142]. Neglecting these prerequisites often has a negative impact on the user (changing routine can often affect social and workplace relations) causing resistance and resulting in failure with respect to behaviour change. There is also a budget (similar to ego depletion), where a user has a limited capacity for change and after a point, a user will typically revert back to previous behaviours. This often occurs during unexpected disruptions;
catching a cold may dissuade a user from cycling to work.
It is therefore a complex process to ascertain the impact that technology plays on be-haviour change. To be able to rule out "renewed commitment, social pressures, the effect of participating in a study" one must adopt a control group of "hundreds or even thousands of people and a matching control group" [142].
Efficacy Trials
Randomized control trials (RCT), a technique traditionally adopted during medical drug trials, are increasingly being utilized within the assessment of technological interventions.
van der Berg et al [237] noted 10 cases where "internet-based interventions for promoting physical activity" had used RCTs exclusively as a method of trial. This process also featured heavily in testing mobile phone applications.
It is clear that RCTs play a vital role in the testing and evaluation of behaviour change systems but it is important to state their limitations. RCTs are often not feasible for smaller groups with early prototypes. Large trials require significant financial and time contributions which may not be viable at an early stage. RCTs often "reveal little about why the technology under evaluation is or is not effective" [142].
Hurling et al [119] recently adopted such a trial strategy to evaluate the effectiveness of a physical activity application that used accelerometers to assess physical movements.
The data was subsequently viewed on mobile and web-based systems. The approach itself involved numerous behaviour change strategies: "self-monitoring, identification of barriers to change, planning, problem-solving, public commitment, and customized feedback". This approach was cross-analysed with a control group that used the accelerometers but did not receive feedback (N=77).
The results showed that there was no significant difference between groups "in overall physical activity" but "indicated that the intervention group increased their amount of leisure time activity more than the control group" [142],[119]. Whilst these results seem compelling,
2.4 Human Computer Interaction in Security 45
Klasnja [142] aruges that there are 4 main issues that "limit the usefulness [of the study] and suggest why RCTs should not be seen as the only valid model for evaluating ... especially in the early stages of research".
1. Sample Size: Although Hurling et al’s [119] study was large by HCI standards, it was very small in relation to RCTs. For this reason it is impossible to rule out any outside changes that may have had an effect on the group. In addition, the results were deemed strongly suggestive and not the conclusive, a factor which can only be combated by a much larger RCT, something that typically involves hundreds if not thousands of participants.
2. Multiple Behaviour Strategies: As the study involved numerous behaviour changes, it is unclear to which had the most effect or indeed which changes affected which behaviour. To fully assess this, it would require an even larger RCT than the one previously mentioned for sample size.
3. Qualitative Data: The study lacked qualitative data that is needed to make "a thorough analysis of how participants perceived the system". Hurling [119] concluded that intervention was effective but did not know how or why. From a HCI perspective, this is highly significant as we cannot design a better system without knowing which parts of the system worked and which did not [142].
4. Time and Cost: Due to their size and cost, "efficacy trials typically evaluate complex systems that combine many intervention strategies to maximize effectiveness" [142].
Therefore, Hurling et al’s [119] study of N = 77 over a 3 month period are short compared to typical RCT studies. Klasnja [142] concludes that "the resources and effort required to run true efficacy trials make evaluations of innovative technologies that embody early-stage, high-risk ideas simply infeasible".
These limitations are important to acknowledge with respect to our bespoke studies that typically include similar small-scale samples. It is important that the design of our studies are sensitive to such limitations, specifically in relation to the effects of testing multiple behaviours simultaneously. We do, however, combat the lack of qualitative data that is highlighted as we specifically assess the impact of our interventions upon the user.
Klasnja [142] offers novel solutions to these problems. Based on over 40 years of research it has been shown that (with respect to self-monitoring) "simply keeping track of a behaviour changes the frequency of that behaviour in a desired direction" [143], [169]. In light of this, a self-monitoring intervention should therefore evaluate:
• The rates of the target behaviour increase from their baseline levels prior to the interventions [142].
• Whether after the intervention is stopped, the rates of behaviour begin to go down again [142].
It is therefore necessary to tailor evaluations to specific intervention strategies. This enables HCI researchers "to show that their systems are doing what they are supposed to be doing, without requiring a full-blown demonstration of behaviour change" [142]. Such a strategy is beneficial as it allows for direct comparisons of the same intervention strategies across different implementations. This leads to being able to determine how "the design of a technology for behaviour change affects the technology’s use by its target audience in situ"
[142].