RE: New Use Case for W3C WSC

Specifically, which area are you referencing? 10.?

________________________________

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
On Behalf Of Mary Ellen Zurko
Sent: Friday, August 24, 2007 9:42 AM
To: Dan Schutzer
Cc: public-wsc-wg@w3.org
Subject: RE: New Use Case for W3C WSC

Take another look at

http://www.w3.org/TR/wsc-usecases/#uniformity

and its reference. This study indicates that "previous experience"
(having been phished) doesn't change the likelihood that you'll be
phished again. Unfortunately. And I haven't heard of any counterbalancing
data points.

Mez

RE: New Use Case for W3C WSC

From: Dan Schutzer
To: 'Mary Ellen Zurko'
Sent: 08/24/2007 10:38 AM
Cc: public-wsc-wg

________________________________

The idea that motivated the use case was that if the customer had fallen
for a phishing ploy, but was saved because the site had already been
taken down, perhaps letting the customer know that they had fallen for a
phishing ploy might make them more cautious the next time. Sort of the
equivalent to learning the hard way; e.g. you hear warnings not to leave
your baby alone on the bed because she might turn over and fall, but you
do and the baby falls. You are lucky that the floor was carpeted and the
baby is not hurt, but you become more cautious in the future.

________________________________

From: Mary Ellen Zurko [mailto:Mary_Ellen_Zurko@notesdev.ibm.com] 
Sent: Friday, August 24, 2007 8:26 AM
To: dan.schutzer@fstc.org
Cc: public-wsc-wg@w3.org
Subject: Re: New Use Case for W3C WSC

We have two sections in wsc-usecases that touch on education:

http://www.w3.org/TR/wsc-usecases/#learning-by-doing

http://www.w3.org/TR/wsc-usecases/#uniformity

The first says that experience shows that while users learn, education
does not consistently produce the results desired. 

The second cites one study that shows that education does not impact
susceptibility to phishing. It's possible that Brustoloni's latest shows
that as well:

http://cups.cs.cmu.edu/soups/2007/proceedings/p88_sheng.pdf is more
hopeful, but shows no transfer to "realistic" behavior, in a study or in
the wild.

I gather from the discussions with the usability evaluation folks that
they believe they can address education.

Personally, I'm not a believer in direct education, mostly because no
one's brought up a single data point where users were directly educated
to do something, and did it, even when they had options that were more
attractive for some reason (e.g. more familiar, easier). All the
promising anti-phishing research makes sure that the secure option is
the most attractive (or at least comparably attractive).

On the other hand, I do believe that in circumscribed organizations, like
the military and large companies, a system of education, reward, and
punishment can be (and is) set up to change user behavior. I would again
refer to http://www.acsa-admin.org/2002/papers/7.pdf as showing an upper
bound on how successful that can be when the option is not the most
attractive (order of 30% of the overall population).

I would be more comfortable with an education use case if we said more
somewhere about how we'll come to terms with it. Do the usability
evaluation folks know how we'll do that? 

Mez

New Use Case for W3C WSC

From: Dan Schutzer
To: public-wsc-wg
Sent: 08/24/2007 07:52 AM
Sent by: public-wsc-wg-request@w3.org
Cc: "'Dan Schutzer'"

________________________________


I'd like to submit a new use case, shown below, that several of our
members would like included. It looks for recommendations on how to
educate customers who have fallen for a phishing email, and improve the
type of response customers generally get today when they try to access a
phishing site that has been taken down. I hope this is not too late for
consideration.

Use Case

Frank regularly reads his email in the morning. This morning he receives
an email that claims it is from his bank asking him to verify a recent
transaction by clicking on the link embedded in the email. The link does
not display the usual URL that he types to get to his bank's website,
but it does have his bank's name in it. He clicks on the link and is
directed to a phishing site. The phishing site has been shut down as a
known fraudulent site, so when Frank clicks on the link he receives the
generic Error 404: File Not Found page. Frank is not sure what has
occurred.

Destination site: prior interaction, known organization
Navigation: none
Intended interaction: verification
Actual interaction: was a phishing site that has been shut down
Note: Frank is likely to fall for a similar phishing email. Is there some
way to educate Frank this time, so that he is less likely to fall for the
phishing email again?

Received on Monday, 27 August 2007 15:35:46 UTC