- From: Brad Porter <brad@tellme.com>
- Date: Wed, 03 Jan 2007 13:54:50 -0800
- To: michael.mccormick@wellsfargo.com
- Cc: public-wsc-wg@w3.org
- Message-ID: <459C262A.8020308@tellme.com>
This article is terrific. We should still be careful about extrapolating an "average user" from this given their caveat:

> Given this small and non-representative sample, we can't
> extrapolate prevalence of beliefs to the general population. We
> purposefully selected participants who were more naive than the
> average, in order to understand how those without a good
> understanding of security make sense of Internet risks.

That said, the user demographic studied may be exactly our target audience.

--Brad

michael.mccormick@wellsfargo.com wrote:
>
> There's been recent discussion (most recently in the "Notes section -
> Design Principles" thread) about how security savvy the "average" web
> user is.
>
> Simson Garfinkel of Harvard kindly drew my attention to some excellent
> work done by Carnegie Mellon last year in this area. See
> http://cups.cs.cmu.edu/soups/2006/proceedings/p79_downs.pdf for details.
>
> CMU used a pretty rigorous methodology to assess the web security
> know-how of users drawn from a random cross section of the Pittsburgh
> PA population. Users were questioned & observed while responding to
> various simulated possible phishing scenarios. Browsers used were
> MSIE, Firefox, Netscape, & Safari. Their report will be very valuable
> to the work of WSC -- I urge you all to take a look.
>
> Some relevant highlights:
>
> * Most participants [85%] had seen lock images on a web site, and
>   knew that this was meant to signify security, but most had only
>   a limited understanding of how to interpret locks, e.g., "I
>   think that it means secured, it symbolizes some kind of
>   security, somehow." Few knew that the lock icon in the chrome
>   (i.e., in the browser's border rather than the page content)
>   indicated that the web site was using encryption or that they
>   could click on the lock to examine the certificate. Indeed, only
>   40% of those who were aware of the lock realized that the lock
>   had to be within the chrome of the browser.
>
> * Only about a third [35%] had noticed a distinction between
>   "http://" and "https://" URLs. Of those some did not think
>   that the "s" indicated anything. But those who were aware of the
>   security connotation of this cue tended to take it as a fairly
>   reliable indication that it is safe to enter information. For
>   those people this extra security was often enough to get them
>   beyond their initial trepidations about sharing sensitive
>   information, e.g., "I feel funny about putting my credit card
>   number in, but they say it is a secure server and some of them
>   say 'https' and someone said that it means it's a secure server."
>
> * About half [55%] had noticed a URL that was not what they
>   expected or looked strange. For some, this was a reason to be
>   wary of the website. For others, it was an annoyance, but no
>   cause for suspicion. The other half [45%] appeared to
>   completely ignore the address bar and never noticed even the
>   most suspicious URLs.
>
> * Participants appeared to be especially uncertain what to make of
>   certificates. Many respondents specifically said that they did
>   not know what certificates were, and made inferences about how
>   to respond to any "mysterious message" mentioning certificates.
>   Some inferred that certificates were "just a formality". Some
>   used previous experience as their basis for ignoring it, e.g.,
>   "I have no idea [what it means], because it's saying something
>   about a trusted website or the certificate hasn't, but I think
>   I've seen it on websites that I thought were trustworthy."
>
> * Almost half [42%] recognized the self-signed certificate warning
>   message as one they'd seen before. A third [32%] always ignored
>   this warning, a fourth [26%] consistently avoided entering sites
>   when this warning was displayed, and the rest responded
>   inconsistently.
>
> * When asked about warnings generally, only about half of
>   participants recalled ever having seen a warning before trying
>   to visit a web site. Their recollections of what they were
>   warned about were sometimes vague, e.g., "sometimes they say
>   cookies and all that," or uncertain, e.g., "Yeah, like the
>   certificate has expired. I don't actually know what that means."
>   When they remembered warnings about security, they often
>   dismissed them with logical reasoning, e.g., "Oh yeah, I have
>   [seen warnings], but funny thing is I get them when I visit my
>   [school] websites, so I get told that this may not be secure or
>   something, but it's my school website so I feel pretty good
>   about it."
>
> * Only half of participants had heard the term "phishing". The
>   other half couldn't guess what it meant. Most participants had
>   heard the term "spyware" but a number of those believed it was
>   something good that protects one's computer from spies.
>
> Michael McCormick, CISSP
> Lead Architect, Information Security
> Wells Fargo Bank
> 255 Second Avenue South
> MAC N9301-01J
> Minneapolis MN 55479
> 612-667-9227 (desk)
> 612-667-7037 (fax)
> 612-590-1437 (cell)
> michael.mccormick@wellsfargo.com (AIM)
> 612-621-1318 (pager)
> michael.mccormick@wellsfargo.com
>
> "THESE OPINIONS ARE STRICTLY MY OWN AND NOT NECESSARILY THOSE OF WELLS
> FARGO"
Received on Wednesday, 3 January 2007 21:55:10 UTC