Interactive Comics as Visual Narrativesin Computer Security Education

Leah Zhang-KennedyHuman-Computer Interaction

Carleton UniversityOttawa, Ontario

leah.zhang@carleton.ca

Sonia ChiassonSchool of Computer Science

Carleton UniversityOttawa, Ontario

chiasson@scs.carleton.ca

Robert BiddleSchool of Computer Science

Carleton UniversityOttawa, Ontario

robert_biddle@carleton.ca

ABSTRACTWe investigate whether an online interactive comic is ef-fective as a teaching medium to communicate to end-usersabout password guessing attacks and password security. Users’insecure password decisions make them susceptible to suchattacks. Our qualitative analysis reveals that users havemisconceptions about what constitutes “good” passwords,largely because they employ a Target mental model of pass-word guessing attacks. We present our educational proto-type and evaluate its effectiveness at correcting misconcep-tions about passwords. We conducted an eye-tracking exper-iment to evaluate how users learn and interact with such ma-terial. Our results suggest that the combination of text andgraphical devices encourage learnability and engagement ofsecurity topics. Lastly, we present the learning outcomesof the comic prototype based on comparisons of the initialinterviews with follow-up interviews. Our evaluation showspromising results indicating that this method helps to en-hance understanding and even change user behaviour.

1. INTRODUCTIONThe average user juggles 7 passwords across 25 accounts [5].

Creating short and easy to remember passwords, reusingpasswords, and mixing variations of the same password arecommon coping strategies [6]. These habits make users vul-nerable to three types of online password guessing attacks:brute-force, dictionary, and targeted attacks. While manywebsites offer password advice, these often do not includereasoning behind why users should follow the advice. Weargue that without a reasonable understanding of the risks,users are unprepared to make robust password decisions.

In our earlier work [2], we explored visual strategies tocommunicate to users about password guessing attacks andbuilt prototypes to test their effectiveness. This approach isinspired by integrated visual-verbal strategies established ineducation literature [8, 4], and prior work looking at visualstrategies to convey security information [7, 11].

In the current paper, we present a two-part follow-up/

Copyright is held by the author/owner(s).GRAND 2013, May 14-16, 2013, Toronto, ON, Canada

study of our interactive educational comic prototype. Ourfirst contribution is an analysis of users’ mental models ofpasswords and password guessing attacks. We follow thefootsteps of prior work in users’ security mental models [12,10], with a special emphasis on passwords. Our results showthat users’ perception of password guessing attacks is basedon a Target Model, leading to a number of implications forpassword creation, account prioritization, and context ofuse. Our second contribution is an eye-tracking evaluationof our comic as a tool to teach users about security risks.Lastly, our post-interview results show that our visualizationenhances understanding and even changes user behavior.

2. BACKGROUNDIn knowledge-based authentication, users are vulnerable

to online password guessing attacks when they set up“weak”passwords that can be easily predicted by attackers. Onlineguessing attacks consist of exhaustive brute-force, dictionaryand targeted attacks. Exhaustive brute-force attacks involveguessing every possible password in a theoretical passwordspace. All passwords can eventually be cracked by brute-force, but the size of the search space, time, and processingpower makes it unfeasible to crack strong passwords. Indictionary attacks, attackers use pre-compiled or computer-ized lists of high probability candidate passwords to guessthe target password, including slang, and common charac-ter substitutions. Targeted attacks are based on the highprobability that passwords are composed from personal in-formation which attackers harvest about specific users.

In our previous study [2], we evaluated metaphors for riskcommunication about password guessing attacks, and de-signed three infographics [1]. We found that “users as tar-gets” and “password as locks” are promising concepts thatcan help users understand how attacks work. We next de-signed a 14-page interactive comic [1] (Figure 1) with origi-nal characters, narrative, humour, and interactivity to giveusers a richer learning experience. To the best of our knowl-edge, the only exploration of comics in computer securityeducation is Security Cartoon [11] that uses a series of comicstrips to improve users’ understanding of various risks. Main-stream comics with security advice include Dilbert [3] andXKCD [9]. Our prototype takes a more comprehensive ap-proach. It teaches users about the threat of password guess-ing attacks, how the attacks work, and offers practical cop-ing strategies. In our earlier study, participants thought thecomic was appealing and engaging. Users especially wel-comed advice on creating passwords from a pass-phrase andresults showed positive learning outcomes one week later.

Figure 1: A page from our interactive comic [1]

3. INTERVIEW AND EYE-TRACKING STUDYWe designed a follow-up experiment to gain a more in-

depth understanding of users’ mental models for creatingpasswords. This study also allowed us to gather eye-trackingmeasurements on how users read and interact with the comic.

Thirteen people from the university community partici-pated in our study. Based on self-reported evaluations, nineparticipants had low level knowledge about how password-guessing attack work, three have intermediate level knowl-edge, and one had expert level of knowledge.

This two-part study included questionnaires, semi-structuredinterviews, and prototype viewing on an eye-tracking com-puter. To pre-assess current habits and knowledge, partic-ipants answered a pre-test questionnaire and a one-on-onesemi-structured interview. The questionnaire gave a generalassessment of participants’ demographic and current pass-word strengths and coping strategies, while the interviewprovided an in-depth look at users’ understanding of pass-words and guessing attacks. Next, participants viewed theprototype on an eye-tracking computer. The primary pur-pose of incorporating eye-tracking into our comic study is toevaluate how users read security information in comic for-mat, how they use the interactive elements, and how longthey spend on various visual elements.

We watched the eye-tracking videos and observed sequen-tial patterns of visual attention, and took note of the timespent looking at various display elements and spent on eachpage. Then, we consolidated results by looking for reoccur-ring visual patterns, and calculated average reading times.The interviews were audio recorded and transcribed verba-tim by the experimenter. Open coding was first used to lookfor emergent themes. We then modified and merged simi-lar themes into high-level categories. Lastly, we looked forcause-effect relationships and synthesized the results.

4. THE “TARGET” MENTAL MODELIn computer security, users rely on mental models [12] to

help them make security decisions. In the analysis of thepre-interviews and questionnaires, we uncovered the pres-ence of a Target mental model and that it impacts users’

perceptions, misconceptions, and understanding of “goodpasswords”. Users feel that attackers target specific usersand that they are not usually likely targets. Users’ under-standing of password guessing attacks was mostly restrictedto targeted attacks, with little knowledge of dictionary andbrute-force attacks. When mentioned, users mistakenly en-visioned attackers targeting specific users in brute-force anddictionary attacks. This misunderstanding may strongly in-fluence users’ ability to make the right password choices.

Users are more likely to create stronger passwords for ac-counts that they consider high value because these are biggertargets. Even the most cautious users reported sometimespracticing unsafe behaviours, such as password reuse. Par-ticipants emphasized that they make an extra effort to usestrong passwords for accounts that they consider important.Their passwords for these accounts are longer and more elab-orate, and are committed to memory. There is consensusthat financial information has top priority, followed by pri-mary email accounts. Interestingly, participants who con-sidered Facebook to be a form of email communication saidit was important. Those who saw Facebook as a social tooldeemed it unimportant. For those who had several emailaccounts, primary accounts used for formal communicationare perceived to contain more sensitive information than sec-ondary accounts used for personal messages. Participantsclassified “unimportant” accounts as sites that do not re-quest personal information and accounts that are accessedoccasionally. These types of accounts include entertainmentand gaming sites, and forums. Participants perceive theseaccounts to contain very little assets and therefore, unlikelytargets for hackers.

Users’ definition of a “good” password is a long passwordwith a mix of different types of characters. Users justifypasswords such as “P|a|s|s|w|0|r|d” as strong based on thelength and types of characters, and whether it would be easyfor humans to guess. Passwords associated with personalinformation are generally considered to be “bad” becauseattackers could target them and uncover this information.However, users included only the most obvious personal in-formation like birth date, place of birth, current phone num-bers, and information associated with immediate family andclose friends. Participants considered outdated informationto be personal secrets that are not available to the public,and therefore safe to use as passwords.

Some users created weak passwords because they felt thebenefit to attackers from breaking into their accounts is ex-tremely low. The belief that attackers only target wealthyand famous people coincides with Wash’s“big fish”model [12].In some instances, even high-value accounts are consideredless important when they have few assets. For example, aonline banking account is perceived as low value if it con-tains little money. There would be little motivation for userswith this mental model to make extra efforts to use strongpasswords because they feel they have nothing to lose.

5. INTERACTIVE COMIC PROTOTYPEAs mentioned in Section 2, we developed a 14-page in-

teractive comic [1] that incorporated characters, narrative,metaphors, humour, and interactivity to engage users whilelearning about password guessing attacks. The prototype(Figure 1) provided users with information about the risks,and gave practical password advice and coping strategies. Ituses original artwork drawn by us in Adobe Illustrator and

coded in Flash. The narrative has three original characters.Jack and Nina are agents of computer security who solvecomputer security crimes and protect users against Hack.As the name implies, Hack’s mysterious character embodiesall computer security crimes. Jack and Nina take on the roleof mentors to guide users through the lessons.

We choose online interactive comic media to communicatesecurity topics to end-users because it has greater potentialto reach non-technical users than traditional educational ef-forts. Comics have the ability to demonstrate complex topicsprogressively, through the use of narrative and characters.The reading format is lightweight, easy to consume, anddoes not appear intimidating to read. The media offers anenormous breadth of control to create customized content,through a full range of visual symbols and text-graphic pair-ings to aid comprehension, as well as rhetorical devices likehumour to enhance persuasion.

We explored interactivity as way of giving users additionalinsights and to enhance engagement. For example, in the“Types of Attacks” section of the comic, users can rolloversilhouettes of people to see whose password is vulnerable.At the end of the comic, a “Test your knowledge” game testsusers’ ability to identify weak passwords.

6. STUDY RESULTSWe were interested to investigate how users’ attentions

are spent, reading times, and ways users process the juxta-position of text and images in comic format. The resultswill inform design guidelines for future work in this area.

Path and pattern of fixations: In comics, graphicstake up much more space on the page than text. However,our data shows that text attracts attention before graphics.Headings and text blocks get eye fixations first. The onlyexception is when a graphic takes up most of the real-estateon the page. Interestingly, graphically rendered typographictext attracts the most eye fixation. For example, on page 10of the comic, the password “abc” is illustrated as personifiedcharacters with googly eyes holding hands. On this page,participants spent the most time looking at this graphic.

The path of fixation starts with headings, text blocks,and then graphics. After a text block is read, users’ eyemoves to the closest surrounding graphic. Images typicallyget eye fixation for ≤ 1 second between frames. Sometimesusers will look back and forth between text and images, andwill re-read small blocks of text after looking at the images.Figure 2 shows a gaze trace for page 6 of the comic.

Participants generally focused more on characters’ faces.Eyes especially drew attention. We noticed that on page10, the example password “abc” received longer eye fixationthan “Ae8%!”. Both typographic images have personifiedcharacteristics, but the “abc” graphic included eyes. We didnot find the sporadic use of colour affected users’ attention.However, circular objects draw eye fixation, especially whenit is highlighted with colour. We did not find any major dif-ference in reading patterns between non-comic readers andparticipants who read comics for leisure.

Time spent looking at display elements: Participantsspent an average of 9 minutes interacting with the comic.Average viewing times between pages varied from 34 secondsto 103 seconds. Three pages were interactive, showing addi-tional examples. Participants spent as much as 60% longer

Figure 2: Eye-tracking for one page of the comic.

on pages with interactivity. On occasions where the interac-tive elements reveal cause-effect relationships, participantsmoused over objects several times to make comparisons.

For static examples, participants also spent more timelooking at the graphics. For instance, page 11 teaches usershow to use the pass-phrase strategy. Participants spent asmuch as 6 seconds looking at the example “IL!3-cp” madefrom the pass-phrase “I love ! 3-cheese pizza”, and up to19 seconds looking at the example “A.MpN8mp” made fromthe pass-phrase “Aww...my partner Nina 8 my pizza”.

Limitations of the eye-tracking experiment: In ourexperiment, users gave us their full visual attention to readthe comic. We did not find users skimming or skipping con-tent. In fact, some users read certain sections more thanonce. However, there are several limitations to eye-trackingin the lab environment. The most obvious is that duringthe calibration stage, users are told that their gaze is be-ing tracked. This might put pressure on users to read thematerial in whole. In real life, users might not dedicate asmuch time to reading the comic. When asked about this,users suggested that it would be appropriate to present thecomic as a tutorial at the account sign-up stage, or includeit in the password advice sections of websites. Participantscommented that they would much rather read the informa-tion in comic format than from text documents, which is thetypical format available to users.

Learning Outcomes: Participants returned one weeklater for a short follow-up interview. We asked them whetherthey changed their passwords. We compared participants’responses based on their self-evaluated password strength.Our results show that 4 out of 5 participants with weakpasswords changed them at home after the initial learningsession. All 4 participants used the pass-phrase strategy tocreate their new passwords. 8 participants, who self-assessedtheir passwords as strong or moderately strong, did notchange their passwords. These respondents felt that theywere already maintaining good passwords for high-value ac-counts, and were not motivated to change other passwords.

Figure 3: Summary of learning outcomes

85% of our study participants said they would use the pass-phrase strategy in the future. Please see Figure 3 for a resultsummary. To assess information retention, we asked partic-ipants to recall and describe how password guessing attackswork. All participants were able to identify and describebrute-force, dictionary, and targeted attacks.

7. DISCUSSIONUsers commented that learning about password guess-

ing attacks brought the risks to the forefront and that thisprompted them to ask critical questions like “am I vulnera-ble?” Even though some people did not change their pass-words within the period of a week, they credited the ex-perience for making them aware of the risks. Interestingly,two participants shared information they learned with theirfamily and friends. One participant reportedly helped herteenage son change his password using advice from the study.

Participants found the comic to be visually appealing andenjoyable to read. Based on the feedback we received, themost memorable section of the comic was the advice on pass-phrases. Participants thought the advice could easily be in-corporated into securing their own passwords. Additionally,participants praised the section that taught them about howthe attacks work. Participants thought it was useful to beable to differentiate the different types of attacks, and tounderstand how to combat each one.

During the interview, all participants were able to recallthe three types of online guessing attacks. Our follow-up re-sults for targeted attacks were similarly positive. For brute-force attacks, participants grasped that long and complexpasswords take more time to crack. Participants were par-ticularly surprised and impressed by how quickly comput-ers can be used to guess short passwords. The fact thata single character added to a password can make guessingit exponentially harder has motivated users to make theirpasswords longer. Participants correctly identified dictio-nary attacks, which use a library of dictionary words, andeven understood that passwords using letter substitutions,slang, and alternative languages were also vulnerable to thisattack. However, some users still considered the use of dic-tionary words acceptable if they were combined with unre-lated words, or if they were particularly long.

8. CONCLUSIONSWe found that prior to interacting with our visualization,

users’ ability and motivation to create strong passwords waslimited by the presence of a “Target” model mindset. Whenusers believe most attacks are aimed at specific targets, theyseem to minimize their vulnerability based on the rationalethat ordinary people with ordinary assets are unlikely vic-tims. As a result, there is little motivation to protect ac-counts that users do not consider important.

Participants who viewed our comic prototype were ableto successfully describe brute-force, dictionary, and targetedattacks one week later. We believe that understanding howthe attacks work enabled participants to correct misconcep-tions about “good” password practices. Further, we believethe pass-phrase strategy provided practical and actionableadvice to help users create memorable, strong passwords. Infact, our results found that 80% of users with weak initialpasswords changed their passwords within days of interact-ing with the comic.

Our eye-tracking results provided insight on how securityinformation is read when presented in comic format. Thedata we collected showed that users often refer to accompa-nying graphics to help them understand textual information.When interactivity was incorporated, users spent more time“seeking” new information. We believe these results confirmthat comics are a promising method of deploying security-related education material.

9. ACKNOWLEDGEMENTSThis project has been funded by the Office of the Pri-

vacy Commissioner of Canada (OPC); the views expressedherein are those of the authors and do not necessarily reflectthose of the OPC. S. Chiasson acknowledges funding fromNSERC for her Canada Research Chair in Human OrientedComputer Security. This work was partially funded by theNSERC ISSNet Strategic Network and the GRAND Net-works of Centres of Excellence.

10. REFERENCES[1] Versipass. http://www.versipass.com/edusec/.

[2] Anonymized for review. 2012.

[3] Adams, S. Dilbert, Accessed December 2012.http://search.dilbert.com/comic/Security.

[4] L. Chanlin. Animation to teach students of differentknowledge levels. Jour. of Instructional Psych., 1998.

[5] D. Florencio and C. Herley. A large-scale study of webpassword habits. In WWW ‘07: Int. Conf. on WorldWide Web. ACM, 2007.

[6] S. Gaw and E. Felten. Password managementstrategies for online accounts. In SOUPS: Symp. onUsable Privacy and Security. ACM, 2006.

[7] P. Kelley, J. Bresee, L. Cranor, and R. Reeder. Anutrition label for privacy. In SOUPS: Symp. onUsable Privacy and Security. ACM, 2009.

[8] R. Mayer, W. Bove, A. Bryman, R. Mars, andL. Tapangco. When less is more: Meaningful learningfrom visual and verbal summaries of science textbooklessons. Jour. of Educational Psych., 88(1):64, 1996.

[9] Munroe, R. XKCD, Accessed December 2012.http://xkcd.com/936/.

[10] F. Raja, K. Hawkey, S. Hsu, K. Wang, andK. Beznosov. A brick wall, a locked door, and a

bandit: a physical security metaphor for firewallwarnings. In SOUPS: Symp. on Usable Privacy andSecurity. ACM, 2011.

[11] S. Srikwan and M. Jakobsson. Using cartoons to teachinternet security. Cryptologia, 32(2):137–154, 2008.

[12] R. Wash. Folk models of home computer security. InProceedings of the 6th Symposium on Usable Privacyand Security (SOUPS). ACM, 2010.