RE: New Use Case for W3C WSC

The idea that motivated the use case was this: if the customer had fallen for
a phishing ploy but was saved because the site had already been taken down,
then perhaps letting the customer know that they had fallen for a phishing
ploy might make them more cautious the next time. It is sort of the
equivalent of learning the hard way; e.g. you hear warnings not to leave your
baby alone on the bed because she might turn over and fall, but you do, and
the baby falls. You are lucky that the floor was carpeted and the baby is not
hurt, but you become more cautious in the future.

From: Mary Ellen Zurko [mailto:Mary_Ellen_Zurko@notesdev.ibm.com] 
Sent: Friday, August 24, 2007 8:26 AM
To: dan.schutzer@fstc.org
Cc: public-wsc-wg@w3.org
Subject: Re: New Use Case for W3C WSC

We have two sections in wsc-usecases that touch on education: 

http://www.w3.org/TR/wsc-usecases/#learning-by-doing 

http://www.w3.org/TR/wsc-usecases/#uniformity 

The first says that experience shows that while users learn, education does
not consistently produce the results desired. 

The second cites one study that shows that education does not impact
susceptibility to phishing. It's possible that Brustoloni's latest shows
that as well: 

http://cups.cs.cmu.edu/soups/2007/proceedings/p88_sheng.pdf is more hopeful,
but shows no transfer to "realistic" behavior, in a study or in the wild. 

I gather from the discussions with the usability evaluation folks, they
believe they can address education. 

Personally, I'm not a believer in direct education, mostly because no one's
brought up a single data point where users were directly educated to do
something, and did it, even when they had options that were more attractive
for some reason (e.g. more familiar, easier). All the promising anti-phishing
research makes sure that the secure option is the most attractive (or at
least comparably attractive). 

On the other hand, I do believe that in circumscribed organizations, like the
military and large companies, a system of education, reward, and punishment
can be (and is) set up to change user behavior. I would again refer to
http://www.acsa-admin.org/2002/papers/7.pdf as showing an upper bound on how
successful that can be when the option is not the most attractive (order of
30% of the overall population). 

I would be more comfortable with an education use case if we said more
somewhere about how we'll come to terms with it. Do the usability evaluation
folks know how we'll do that? 

          Mez

From: Dan Schutzer
Sent: 08/24/2007 07:52 AM
To: public-wsc-wg
Cc: 'Dan Schutzer'
Sent by: public-wsc-wg-request@w3.org
Subject: New Use Case for W3C WSC

I'd like to submit a new use case, shown below, that several of our members
would like included. It looks for recommendations on how to educate
customers who have fallen for a phishing email, and improve the type of
response customers generally get today when they try to access a phishing
site that has been taken down. I hope this is not too late for
consideration. 

Use Case 

Frank regularly reads his email in the morning. This morning he receives an
email that claims it is from his bank asking him to verify a recent
transaction by clicking on the link embedded in the email. The link does not
display the usual URL that he types to get to his bank's website, but it
does have his bank's name in it. He clicks on the link and is directed to a
phishing site. The phishing site has been shut down as a known fraudulent
site, so when Frank clicks on the link he receives the generic Error 404:
File Not Found page. Frank is not sure what has occurred. 
Destination site: prior interaction, known organization
Navigation: none
Intended interaction: verification
Actual interaction: was a phishing site that has been shut down
Note: Frank is likely to fall for a similar phishing email. Is there some way
to educate Frank this time, so that he is less likely to fall for the phishing
email again?

Received on Friday, 24 August 2007 14:35:44 UTC