
Re: New Use Case for W3C WSC

From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
Date: Fri, 24 Aug 2007 08:25:31 -0400
Cc: public-wsc-wg@w3.org
Message-ID: <OFC6173328.AA8B7DB9-ON85257341.0042B454-85257341.00444121@LocalDomain>
To: dan.schutzer@fstc.org
We have two sections in wsc-usecases that touch on education: 

The first says that experience shows that while users learn, education 
does not consistently produce the results desired. 

The second cites one study that shows that education does not impact 
susceptibility to phishing. It's possible that Brustoloni's latest shows 
that as well: 

http://cups.cs.cmu.edu/soups/2007/proceedings/p88_sheng.pdf is more 
hopeful, but shows no transfer to "realistic" behavior, in a study or in 
the wild. 

I gather from the discussions with the usability evaluation folks, they 
believe they can address education. 

Personally, I'm not a believer in direct education, mostly because no 
one's brought up a single data point where users were directly educated to 
do something, and did it, even when they had options that were more 
attractive for some reason (e.g. more familiar, easier). All the 
promising anti phishing research makes sure that the secure option is the 
most attractive (or at least comparably attractive). 

On the other hand, I do believe that in circumscribed organizations, like 
the military and large companies, a system of education, reward, and 
punishment can be (and is) set up to change user behavior. I would again 
refer to http://www.acsa-admin.org/2002/papers/7.pdf as showing an upper 
bound on how successful that can be when the option is not the most 
attractive (order of 30% of the overall population). 

I would be more comfortable with an education use case if we said more 
somewhere about how we'll come to terms with it. Do the usability 
evaluation folks know how we'll do that? 


New Use Case for W3C WSC

Dan Schutzer 
08/24/2007 07:52 AM


I'd like to submit a new use case, shown below, that several of our 
members would like included. It looks for recommendations on how to 
educate customers who have fallen for a phishing email, and improve the 
type of response customers generally get today when they try to access a 
phishing site that has been taken down. I hope this is not too late for 

Use Case
Frank regularly reads his email in the morning. This morning he receives 
an email that claims it is from his bank asking him to verify a recent 
transaction by clicking on the link embedded in the email. The link does 
not display the usual URL that he types to get to his bank's website, but 
it does have his bank's name in it. He clicks on the link and is directed 
to a phishing site. The phishing site has been shut down as a known 
fraudulent site, so when Frank clicks on the link he receives the generic 
Error 404: File Not Found page. Frank is not sure what has occurred.
Destination site: prior interaction, known organization
Intended interaction: 
Actual interaction: was a phishing site that has been shut down
Frank is likely to fall for a similar phishing email. Is there some way to 
educate Frank this time, so that he is less likely to fall for the 
phishing email again? 


Received on Friday, 24 August 2007 12:25:45 UTC
