- From: Dan Schutzer <dan.schutzer@fstc.org>
- Date: Fri, 24 Aug 2007 10:35:16 -0400
- To: "'Mary Ellen Zurko'" <Mary_Ellen_Zurko@notesdev.ibm.com>
- Cc: <public-wsc-wg@w3.org>
- Message-ID: <004101c7e65b$fdf9fde0$6500a8c0@dschutzer>
The idea that motivated the use case was that if the customer had fallen for a phishing ploy, but was saved because the site had already been taken down, then perhaps letting the customer know that they had fallen for a phishing ploy might make them more cautious the next time. Sort of the equivalent to learning the hard way; e.g. you hear warnings not to leave your baby alone on the bed because she might turn over and fall, but you do and the baby falls. You are lucky that the floor was carpeted and the baby is not hurt, but you become more cautious in the future.

_____
From: Mary Ellen Zurko [mailto:Mary_Ellen_Zurko@notesdev.ibm.com]
Sent: Friday, August 24, 2007 8:26 AM
To: dan.schutzer@fstc.org
Cc: public-wsc-wg@w3.org
Subject: Re: New Use Case for W3C WSC

We have two sections in wsc-usecases that touch on education:
http://www.w3.org/TR/wsc-usecases/#learning-by-doing
http://www.w3.org/TR/wsc-usecases/#uniformity

The first says that experience shows that while users learn, education does not consistently produce the results desired. The second cites one study that shows that education does not impact susceptibility to phishing. It's possible that Brustoloni's latest shows that as well: http://cups.cs.cmu.edu/soups/2007/proceedings/p88_sheng.pdf is more hopeful, but shows no transfer to "realistic" behavior, in a study or in the wild.

I gather from the discussions with the usability evaluation folks, they believe they can address education. Personally, I'm not a believer in direct education, mostly because no one's brought up a single data point where users were directly educated to do something, and did it, even when they had options that were more attractive for some reason (e.g. more familiar, easier). All the promising anti-phishing research makes sure that the secure option is the most attractive (or at least comparably attractive).

On the other hand, I do believe that in circumscribed organizations, like the military and large companies, a system of education, reward, and punishment can be (and is) set up to change user behavior. I would again refer to http://www.acsa-admin.org/2002/papers/7.pdf as showing an upper bound on how successful that can be when the option is not the most attractive (order of 30% of the overall population).

I would be more comfortable with an education use case if we said more somewhere about how we'll come to terms with it. Do the usability evaluation folks know how we'll do that?

Mez

New Use Case for W3C WSC
Dan Schutzer to: public-wsc-wg
08/24/2007 07:52 AM
Sent by: public-wsc-wg-request@w3.org
Cc: "'Dan Schutzer'"
_____

I'd like to submit a new use case, shown below, that several of our members would like included. It looks for recommendations on how to educate customers who have fallen for a phishing email, and improve the type of response customers generally get today when they try to access a phishing site that has been taken down. I hope this is not too late for consideration.

Use Case

Frank regularly reads his email in the morning. This morning he receives an email that claims it is from his bank asking him to verify a recent transaction by clicking on the link embedded in the email. The link does not display the usual URL that he types to get to his bank's website, but it does have his bank's name in it. He clicks on the link and is directed to a phishing site. The phishing site has been shut down as a known fraudulent site, so when Frank clicks on the link he receives the generic Error 404: File Not Found page. Frank is not sure what has occurred.

- Destination site: prior interaction, known organization
- Navigation: none
- Intended interaction: verification
- Actual interaction: was a phishing site that has been shut down
- Note: Frank is likely to fall for a similar phishing email. Is there some way to educate Frank this time, so that he is less likely to fall for the phishing email again?
Attachments
- image/gif attachment: image001.gif
Received on Friday, 24 August 2007 14:35:44 UTC