RE: New Use Case for W3C WSC

In the current version linked to, 10.3.1. 

          Mez

RE: New Use Case for W3C WSC

Audian Paxson
to: Mary Ellen Zurko, Dan Schutzer
08/27/2007 11:39 AM
Cc: public-wsc-wg

Specifically which area are you referencing? 10.?
 

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] 
On Behalf Of Mary Ellen Zurko
Sent: Friday, August 24, 2007 9:42 AM
To: Dan Schutzer
Cc: public-wsc-wg@w3.org
Subject: RE: New Use Case for W3C WSC
 

Take another look at 

http://www.w3.org/TR/wsc-usecases/#uniformity

and its reference. This study indicates that "previous experience" (having 
been phished) doesn't change the likelihood that you'll be phished again. 
Unfortunately. And I haven't heard of any counter balancing data points. 

          Mez

RE: New Use Case for W3C WSC

Dan Schutzer
to: 'Mary Ellen Zurko'
08/24/2007 10:38 AM
Cc: public-wsc-wg

The idea that motivated the use case was that if the customer had fallen 
for a phishing ploy, but was saved because the site had already been taken 
down, then perhaps letting the customer know that they had fallen for a 
phishing ploy might make them more cautious the next time. Sort of the 
equivalent to learning the hard way; e.g. you hear warnings not to leave 
your baby alone on the bed because she might turn over and fall, but you 
do and the baby falls. You are lucky that the floor was carpeted and the 
baby is not hurt, but you become more cautious in the future.

From: Mary Ellen Zurko [mailto:Mary_Ellen_Zurko@notesdev.ibm.com] 
Sent: Friday, August 24, 2007 8:26 AM
To: dan.schutzer@fstc.org
Cc: public-wsc-wg@w3.org
Subject: Re: New Use Case for W3C WSC
 

We have two sections in wsc-usecases that touch on education: 

http://www.w3.org/TR/wsc-usecases/#learning-by-doing

http://www.w3.org/TR/wsc-usecases/#uniformity

The first says that experience shows that while users learn, education 
does not consistently produce the results desired. 

The second cites one study that shows that education does not impact 
susceptibility to phishing. It's possible that Brustoloni's latest shows 
that as well: 

http://cups.cs.cmu.edu/soups/2007/proceedings/p88_sheng.pdf is more 
hopeful, but shows no transfer to "realistic" behavior, in a study or in 
the wild. 

I gather from the discussions with the usability evaluation folks, they 
believe they can address education. 

Personally, I'm not a believer in direct education, mostly because no 
one's brought up a single data point where users were directly educated to 
do something, and did it, even when they had options that were more 
attractive for some reason (e.g. more familiar, easier).  All the 
promising anti phishing research makes sure that the secure option is the 
most attractive (or at least comparably attractive). 

On the other hand, I do believe that in circumscribed organizations, like 
the military and large companies, a system of education, reward, and 
punishment can be (and is) set up to change user behavior. I would again 
refer to http://www.acsa-admin.org/2002/papers/7.pdf as showing an upper 
bound on how successful that can be when the option is not the most 
attractive (order of 30% of the overall population). 

I would be more comfortable with an education use case if we said more 
somewhere about how we'll come to terms with it. Do the usability 
evaluation folks know how we'll do that? 

         Mez


New Use Case for W3C WSC

Dan Schutzer
to: public-wsc-wg
08/24/2007 07:52 AM
Sent by: public-wsc-wg-request@w3.org
Cc: "'Dan Schutzer'"

I'd like to submit a new use case, shown below, that several of our 
members would like included. It looks for recommendations on how to 
educate customers who have fallen for a phishing email, and improve the 
type of response customers generally get today when they try to access a 
phishing site that has been taken down. I hope this is not too late for 
consideration.
Use Case

Frank regularly reads his email in the morning. This morning he receives 
an email that claims it is from his bank asking him to verify a recent 
transaction by clicking on the link embedded in the email. The link does 
not display the usual URL that he types to get to his bank's website, but 
it does have his bank's name in it. He clicks on the link and is directed 
to a phishing site. The phishing site has been shut down as a known 
fraudulent site, so when Frank clicks on the link he receives the generic 
Error 404: File Not Found page. Frank is not sure what has occurred. 

Destination site: prior interaction, known organization
Navigation: none
Intended interaction: verification
Actual interaction: was a phishing site that has been shut down

Note:
Frank is likely to fall for a similar phishing email. Is there some way to 
educate Frank this time, so that he is less likely to fall for the 
phishing email again? 

Received on Tuesday, 28 August 2007 20:09:28 UTC