Patterns
- Active Warnings
- Attractive Options
- Complete Delete
- Conveying Threats & Consequences
- Create a Security Lexicon
- Create Keys When Needed
- Delayed Unrecoverable Action
- Detailed Notifications About Security
- Direct Access to UI Components
- Disable by Default
- Disable of Services
- Disclose Significant Deviations
- Distinguish Between Run and Open
- Distinguish Internal Senders
- Distinguish Security Levels
- Email-Based Identification and Authentication
- Explicit Item Delete
- Explicit User Audit
- Failing Safely
- General Notifications About Security
- Immediate Notifications
- Immediate Options
- Indirect Access to UI Components
- Informative Dialogues
- Install Before Execute
- Key Continuity Management
- Levels of Severity
- Leverage Existing Identification
- Localization of Specific Areas
- Migrate and Backup Keys
- Noticeable Contextual Indicators
- Providing Recommendations
- Quick Description of UI Components
- Redundant Notifications
- Reset to Installation
- Restricted Areas Notification
- Security Features Used by the System
- Security Features Used by the User
- Send S/MIME-Signed Email
- Separating Content
- Sequential Access to UI Components
- Suggestive Dialogues
- System’s Security Tasks
- The Absence of Indicators
- Track Received Keys
- Track Recipients
- Warn When Unsafe
Patterns are based on scientific sources.
Usable Security Pattern - Warn When Unsafe
Luigi Lo Iacono, Peter Nehren
December 21, 2015
Warn When Unsafe
| Name | Warn When Unsafe |
| Sources | (Garfinkel, 2005) |
| Synonyms | None |
| Context | Some systems arrive in an unsafe configuration and must be made safe. Sometimes a configuration is made intentionally unsafe in order to perform a specific operation. Warn When Unsafe periodically reminds the user to restore the safe configuration. |
| Problem | How to inform users about insecure system configurations? |
| Solution | Periodically warn of unsafe configurations or actions. |
| Examples | The Windows XP SP2 Security Center reminds users when antivirus has been disabled. Clicking on the reminder brings up the antivirus control panel. Intuit’s Quicken warns users when the database has not been backed in several days and provides a button which, if clicked, will perform the backup.  Source: (Garfinkel, 2005) |
| Implementation | Systems that currently implement Warn When Unsafe appear to have each unsafe condition specially coded and monitored. A more systematic approach would allow each subsystem to register unsafe conditions with a system-wide monitor that notifies the user in a systematic fashion. It is important to limit the frequency of warnings so that the user does not become habituated to them. |
| Consequences | Users who forget about unsafe conditions are reminded to correct them. |
| Dependencies | None |
| Relationships | [Attractive Options] [Immediate Notifications] [Conveying Threats & Consequences] [General Notifications About Security] [Immediate Options] [Separating Content] |
| Principles | [Provide Standardized Security Policies] [Clarity] |
| Guidelines | None |
| Check lists | None |
| Use cases | None |
| Tags | Warn When Unsafe, Attracticve Options, Immediate Notifications, Conveying Threats & Consequences, Immediate Options, Separating Content, General Notifications About Security, Warnings |
| Log history | [12/21/2015]: Added to repository |
References
Garfinkel, S.L., 2005. Design principles and patterns for computer systems that are simultaneously secure and usable (PhD thesis). Massachusetts Institute of Technology.