Forwarded feedback on WSC FPWD from Don Norman

In another forum, I received feedback from Don Norman on the WSC FPWD. I
am forwarding it to our public feedback list with his permission.
There's a second email I'll be forwarding after this one. His comments
start below.

Tyler

--- Begin Don Norman's comments ----

I'd like to suggest three more use cases for your group's consideration.

All the use cases you provide are for potential rogue sites, which fool
the user into accepting them.

In my experience, there is also the problem of over-caution.

I have watched the incidents below happen.  People who have been warned
about all the mischief are now overcautious and refuse to accept
legitimate sites or actions.

Therefore, as your committee goes forth, it is important to consider not
only how to detect illegitimate sites, but how to make t possible for
the average, non-technical user to be reassured that something is
legitimate and proper?

3B, below, is one of the many problems because people do not understand
the architecture of compute and web applications and confuse the
messenger with the message.

If they use Internet Explorer for activities, they identify the activity
(mail, banking) with the browser and do not understand that the actual
service is hosted somewhere in the cloud, so any browser yields the same
result.

--
I myself have tried to tell banks that their legitimate emails look
identical to scams, and if the respond at al, it is to assure me that
they would never do anything wrong.   That wasn't my point. My point is,
illegitimate emails often look legitimate. Therefore, legitimate emails
look illegitimate.  How is the recipient to know?  Why do legitimate
emails still have clickable URLs?

====================

1. The legitimate financial institution sends out a legitimate note
stating that some action is required.  Jane, the recipient, knows not to
trust such legitimate-looking documents, and immediately deletes it,
without acting.

2. A window pops up on the screen stating that an important security
update is now available. The message is legitimate (e.g., it is a
Microsoft standard message). Henry wonders why his various malware
detectors didn't stop it, but immediately closes the window.  Over the
months, his system falls further and further behind in security updates.

3A. Helen proudly tells her spouse that using Microsoft tried to fool
her into using a bank site, so she isn't using Microsoft anymore but
instead is using Firefox to do her banking.  (Confusion between the
browser and the financial institution)

3B. Helen is concerned though. Microsoft is how she reads her mail, and
now she doesn't know what to do. She doesn't trust Microsoft mail
anymore. What should she do?  (Because she reads her web-based email
through a particular browser, she identifies the email service with the
browser)

Received on Friday, 16 March 2007 21:34:19 UTC