- From: Maritza Johnson <maritzaj@cs.columbia.edu>
- Date: Wed, 13 Dec 2006 20:23:40 -0500
- To: W3 Work Group <public-wsc-wg@w3.org>
- Message-Id: <7E854398-1DC6-4BBD-93D6-1E54D69FA875@cs.columbia.edu>

I came across an article that does a good job of presenting the questions that should be asked when evaluating the usability of security indicators in browsers. We've more or less touched on all of them, but I think it's helpful to see them all in one place.

"What Do They Indicate? Evaluating Security and Privacy Indicators" - Lorrie Faith Cranor
http://portal.acm.org/citation.cfm?id=1125890&jmp=cit&coll=portal&dl=ACM&CFID=514855545&CFTOKEN=514855545#CIT

(The only copy I could find is on the ACM portal. I'm not sure how many of you have a subscription, luckily the article is only 3 pages, and this list of questions below is really the meat of the article.)

Criteria for evaluating indicators:

1. Does the indicator behave correctly when not under attack? Does the correct indicator appear at the correct time without false positives or false negatives?
2. Does the indicator behave correctly when under attack? Is the indicator resistant to attacks designed to deceive the software into displaying an inappropriate indicator?
3. Can the indicator be spoofed, obscured, or otherwise manipulated so that users are deceived into relying on an indicator provided by an attacker rather than one provided by their system?
4. Do users notice the indicator?
5. Do the users know what the indicator means?
6. Do users know what they are supposed to do when they see the indicator?
7. Do they actually do it?
8. Do they keep doing it?
9. How does the indicator interact with other indicators that may be installed on a user's computer?

(This list can also be found on the wiki: http://www.w3.org/2006/WSC/wiki/SharedBookmarks)

- Maritza
http://www.cs.columbia.edu/~maritzaj/

Received on Thursday, 14 December 2006 01:24:01 UTC