Re: New Use Case for W3C WSC

I think there may be a tie-in here with Safe Browsing Mode.  Suppose 
the user is educated enough to understand that SBM should be invoked 
before visiting any banking websites.  Then upon seeing the email, 
the user should invoke SBM before clicking on the apparent banking 
link.  If that is done, then instead of displaying the ERROR 404 
message, the user should see whatever is displayed by SBM when the 
user attempts to visit a non-safe website.

But if it is true that "education does not consistently produce the 
results desired", then there may be numerous times when even users 
who are aware of SBM do not actually invoke it when they should; that 
is, before visiting banking websites.  So a question worth asking 
might be: can a user's browser be made "smart" enough to sense that a 
website that the user wants to visit might possibly be a banking 
website?  The user can easily sense this because the Use Case says 
that the email claims to be from the user's bank.  If the user's 
computer can somehow "read" the email header, it might display a 
message saying "I sense that you are attempting to visit a possible 
banking website.  However, it is possible that this is a fraudulent 
website.  Would you like me to invoke Safe Browsing Mode to prevent 
you from visiting a fraudulent site?"  The user could respond, Yes or No.

Some sort of artificial intelligence that could read and interpret 
email headers might be needed, possibly triggered by certain 
banking-like keywords or phrases in an email header.  I don't know if 
such exists, or if it does, whether it is "ready for prime time" and 
would produce reliable results.  But it might be one possible answer 
to the dilemma of needing to educate users to do certain things to 
protect themselves online.

At 08:25 AM 8/24/2007, Mary Ellen Zurko wrote:

>We have two sections in wsc-usecases that touch on education:
>
>http://www.w3.org/TR/wsc-usecases/#learning-by-doing
>
>http://www.w3.org/TR/wsc-usecases/#uniformity
>
>The first says that experience shows that while users learn, 
>education does not consistently produce the results desired.
>
>The second cites one study that shows that education does not impact 
>susceptibility to phishing. It's possible that Brustoloni's latest 
>shows that as well:
>
>http://cups.cs.cmu.edu/soups/2007/proceedings/p88_sheng.pdf is more 
>hopeful, but shows no transfer to "realistic" behavior, in a study 
>or in the wild.
>
>I gather from the discussions with the usability evaluation folks, 
>they believe they can address education.
>
>Personally, I'm not a believer in direct education, mostly because 
>no one's brought up a single data point where users were directly 
>educated to do something, and did it, even when they had options 
>that were more attractive for some reason (e.g. more familiar, 
>easier).  All the promising anti phishing research makes sure that 
>the secure option is the most attractive (or at least comparably attractive).
>
>On the other hand, I do believe that in circumscribed organizations, 
>like the military and large companies, a system of education, 
>reward, and punishment can be (and is) set up to change user 
>behavior. I would again refer to 
>http://www.acsa-admin.org/2002/papers/7.pdf as showing an upper 
>bound on how successful that can be when the option is not the most 
>attractive (order of 30% of the overall population).
>
>I would be more comfortable with an education use case if we said 
>more somewhere about how we'll come to terms with it. Do the 
>usability evaluation folks know how we'll do that?
>
>           Mez
>
>
>New Use Case for W3C WSC
>Dan Schutzer to:public-wsc-wg
>08/24/2007 07:52 AM
>
>Sent by:public-wsc-wg-request@w3.org
>Cc:"'Dan Schutzer'"
>
>----------
>
>
>I'd like to submit a new use case, shown below, that several of our 
>members would like included. It looks for recommendations on how to 
>educate customers who have fallen for a phishing email, and improve 
>the type of response customers generally get today when they try to 
>access a phishing site that has been taken down. I hope this is not 
>too late for consideration.
>
>Use Case
>
>Frank regularly reads his email in the morning. This morning he 
>receives an email that claims it is from his bank asking him to 
>verify a recent transaction by clicking on the link embedded in the 
>email. The link does not display the usual URL that he types to get 
>to his bank's website, but it does have his bank's name in it. He 
>clicks on the link and is directed to a phishing site. The phishing 
>site has been shut down as a known fraudulent site, so when Frank 
>clicks on the link he receives the generic Error 404: File Not Found 
>page. Frank is not sure what has occurred.
>Destination site: prior interaction, known organization
>
>Navigation: none
>
>Intended interaction: verification
>
>Actual interaction: was a phishing site that has been shut down
>
>Note: Frank is likely to fall for a similar phishing email. Is there some 
>way to educate Frank this time, so that he is less likely to fall 
>for the phishing email again?
>
>
>

Received on Friday, 24 August 2007 15:37:42 UTC
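The reply above asks whether a browser could "sense" that a link in an email points at a possible banking site and offer Safe Browsing Mode before following it. The following is an added example of one such link heuristic, written for this page; it is not code from the W3C WSC thread, from any browser, or from any bank. The bank name "examplebank", its hosts under the reserved ".example" and ".test" domains, the keyword list and the sample links are all constructed for illustration. It keys on the detail in Dan Schutzer's use case: the link "does not display the usual URL" but "does have his bank's name in it".

```javascript
// Added example (not part of the W3C WSC thread): a heuristic that flags a
// link whose URL or visible text mentions a known bank, or looks bank-like,
// but whose actual host is not one of that bank's hosts.
// Bank names, hosts and sample links are constructed for illustration.

// Assumed: the user's browser holds a list of banks they actually use,
// with the exact hosts that serve each bank's site.
const KNOWN_BANKS = [
  {
    name: "examplebank",
    hosts: ["examplebank.example", "www.examplebank.example", "online.examplebank.example"],
  },
];

// Vocabulary that commonly appears in phishing lures aimed at bank customers.
const BANKING_KEYWORDS = ["bank", "account", "verify", "transaction", "login", "password"];

// Something that looks like a bare domain or URL (no spaces, has a TLD).
const LOOKS_LIKE_URL = /^(https?:\/\/)?[a-z0-9.-]+\.[a-z]{2,}(\/\S*)?$/i;

// Parse a host out of a string; null if it is not an absolute URL.
function hostOf(s) {
  try {
    return new URL(s).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Classify one link as it appears in an email: the real target (href) and the
// text the user sees. Returns a verdict plus the reasons behind it.
function classifyLink(href, linkText) {
  const host = hostOf(href);
  const shown = (linkText || "").trim().toLowerCase();
  const lowerHref = href.toLowerCase();
  const reasons = [];

  if (!host) {
    return { verdict: "unparseable", host: null, reasons: ["href is not a valid absolute URL"] };
  }

  // 1. A target that is exactly one of the bank's known hosts needs no prompt.
  for (const bank of KNOWN_BANKS) {
    if (bank.hosts.includes(host)) {
      return { verdict: "known-bank", host, bank: bank.name, reasons };
    }
  }

  // 2. The bank's name appears in the URL or the visible text, but the host is
  //    not one of the bank's. This is Frank's link: bank name present, usual URL absent.
  for (const bank of KNOWN_BANKS) {
    if (lowerHref.includes(bank.name) || shown.includes(bank.name)) {
      reasons.push(`mentions ${bank.name} but ${host} is not a known ${bank.name} host`);
    }
  }

  // 3. The visible text is itself a URL whose host differs from the real one.
  if (LOOKS_LIKE_URL.test(shown)) {
    const shownHost = hostOf(shown.includes("://") ? shown : `https://${shown}`);
    if (shownHost && shownHost !== host) {
      reasons.push(`visible URL host ${shownHost} differs from actual host ${host}`);
    }
  }

  // 4. Generic banking vocabulary in the visible text or the URL.
  const hits = BANKING_KEYWORDS.filter((k) => shown.includes(k) || lowerHref.includes(k));
  if (hits.length > 0) {
    reasons.push(`banking keywords: ${hits.join(", ")}`);
  }

  const verdict = reasons.length > 0 ? "possible-bank-lookalike" : "no-bank-signal";
  return { verdict, host, reasons };
}

// The browser would offer Safe Browsing Mode only for the lookalike case;
// known bank hosts and links with no banking signal pass silently.
function shouldOfferSafeBrowsingMode(classification) {
  return classification.verdict === "possible-bank-lookalike";
}

// Constructed samples: Frank's link from the use case, a genuine bank link,
// and an unrelated link.
const SAMPLE_LINKS = [
  { href: "http://examplebank.example-verify.test/login", text: "Verify your recent transaction" },
  { href: "https://online.examplebank.example/accounts", text: "https://online.examplebank.example/accounts" },
  { href: "https://news.example/article", text: "Read more" },
];

for (const link of SAMPLE_LINKS) {
  const c = classifyLink(link.href, link.text);
  const offer = shouldOfferSafeBrowsingMode(c) ? " -> offer Safe Browsing Mode" : "";
  console.log(`${link.href}: ${c.verdict}${offer}` + (c.reasons.length ? ` (${c.reasons.join("; ")})` : ""));
}
```

The exact-host match in step 1 is deliberate: a substring match on the bank's name is what the lure exploits, so the name is only ever used as a reason to prompt, never as a reason to trust. A real deployment would also need the keyword list and bank hosts to come from the user's own history or the bank itself rather than a hard-coded table, which is the part the reply admits may not be "ready for prime time".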