- From: <michael.mccormick@wellsfargo.com>
- Date: Wed, 10 Jan 2007 12:19:33 -0600
- To: <Mary_Ellen_Zurko@notesdev.ibm.com>
- Cc: <public-wsc-wg@w3.org>
- Message-ID: <8A794A6D6932D146B2949441ECFC9D68028713C7@msgswbmnmsp17.wellsfargo.com>
Done. See Shared Bookmarks, Security & Usability section, item 7. I defer to Maritza if/how to update her Design Notes with any applicable content from this source. In my opinion in just validates her description of the Average User. She may just want to add a link from Design Notes to Shared Bookmarks to reference this. Michael McCormick, CISSP Lead Architect, Information Security This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation. _____ From: Mary Ellen Zurko [mailto:Mary_Ellen_Zurko@notesdev.ibm.com] Sent: Wednesday, January 10, 2007 10:41 AM To: McCormick, Mike Cc: public-wsc-wg@w3.org Subject: RE: "Average User" / CMU Survey Michael (and Simson, whereever you are :-), thanks for pointing this out. Michael, will you add but the reference and your bullet commentary to our shared bookmarks area: Also, can you fold this in to Martiza's description of the user for our Note? Maritza, where in the wiki are you putting that? The percentages of those that always pay attention to a warning and those that never pay attention to a warning remind me of the percentages in our Notes ECL study. Non trivial at both ends, but neither absolute. Mez Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389) Lotus/WPLC Security Strategy and Patent Innovation Architect <michael.mccormick@wellsfargo.com> Sent by: public-wsc-wg-request@w3.org 01/03/2007 05:07 PM To <brad@tellme.com> cc <public-wsc-wg@w3.org> Subject RE: "Average User" / CMU Survey Agreed. I wish they'd surveyed a larger, more diverse population sample (they studied only 20 people, all under age 45) but their methodology seems well thought out and the results are certainly suggestive. I suspect adding users over 45 would have skewed the results even more toward the "dumb user" end of the spectrum. Mike Michael McCormick, CISSP Lead Architect, Information Security This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation. _____ From: Brad Porter [mailto:brad@tellme.com] Sent: Wednesday, January 03, 2007 3:55 PM To: McCormick, Mike Cc: public-wsc-wg@w3.org Subject: Re: "Average User" / CMU Survey This article is terrific. We should still be careful about extrapolating an "average user" from this given their caveat: Given this small and non-representative sample, we can’t extrapolate prevalence of beliefs to the general population. We purposefully selected participants who were more naive than the average, in order to understand how those without a good understanding of security make sense of Internet risks. That said, the user demographic studied may be exactly our target audience. --Brad michael.mccormick@wellsfargo.com <mailto:michael.mccormick@wellsfargo.com> wrote: There's been recent discussion (most recently in the "Notes section - Design Principles" thread) about how security savvy the "average" web user" is. Simson Garfinkel of Harvard kindly drew my attention to some excellent work done by Carnegie Mellon last year in this area. See http://cups.cs.cmu.edu/soups/2006/proceedings/p79_downs.pdf <http://cups.cs.cmu.edu/soups/2006/proceedings/p79_downs.pdf> for details. CMU used a pretty rigorous methodology to assess the web security know-how of users drawn from a random cross section of the Pittsburg PA population. Users were questioned & observed while responding to various simulated possible phishing scenarios. Browsers used were MSIE, Firefox, Netscape, & Safari. Their report will be very valuable to the work of WSC -- I urge you all to take a look. Some relevant highlights: * Most participants [85%] had seen lock images on a web site, and knew that this was meant to signify security, but most had only a limited understanding of what how to interpret locks, e.g., “I think that it means secured, it symbolizes some kind of security, somehow.” Few knew that the lock icon in the chrome (i.e., in the browser’s border rather than the page content) indicated that the web site was using encryption or that they could click on the lock to examine the certificate. Indeed, only 40% of those who were aware of the lock realized that the lock had to be within the chrome of the browser. * Only about a third [35%] had noticed a distinction between "http:// <http:///> " and "https:// <https:///> " URLs. Of those some did not think that the “s” indicated anything. But those who were aware of the security connotation of this cue tended to take it as a fairly reliable indication that it is safe to enter information. For those people this extra security was often enough to get them beyond their initial trepidations about sharing sensitive information, e.g., “I feel funny about putting my credit card number in, but they say it is a secure server and some of them say ‘https’ and someone said that it means it’s a secure server.” * About half [55%] had noticed a URL that was not what they expected or looked strange. For some, this was a reason to be wary of the website. For others, it was an annoyance, but no cause for suspicion. The other half [45%} appeared to completely ignore the address bar and never noticed even the most suspicious URLs. * Participants appeared to be especially uncertain what to make of certificates. Many respondents specifically said that they did not know what certificates were, and made inferences about how to respond to any "mysterious message" mentioning certificates. Some inferred that certificates were a "just a formality". Some used previous experience as their basis for ignoring it, e.g., “I have no idea [what it means], because it’s saying something about a trusted website or the certificate hasn’t, but I think I’ve seen it on websites that I thought were trustworthy.” * Almost half [42%] recognized the self-signed certificate warning message as one they'd seen before. A third [32%] always ignored this warning, a fourth [26%] consistently avoided entering sites when this warning was displayed, and the rest responded inconsistently. * When asked about warnings generally, only about half of participants recalled ever having seen a warning before trying to visit a web site. Their recollections of what they were warned about were sometimes vague, e.g., “sometimes they say cookies and all that,” or uncertain, e.g., “Yeah, like the certificate has expired. I don’t actually know what that means.” When they remembered warnings about security, they often dismissed them with logical reasoning, e.g., “Oh yeah, I have [seen warnings], but funny thing is I get them when I visit my [school] websites, so I get told that this may not be secure or something, but it’s my school website so I feel pretty good about it.” * Only half of participants had heard the term "phishing". The other half couldn't guess what it meant. Most participants had heard the term "spyware" but a number of those believed it was something good that protects one's computer from spies. Michael McCormick, CISSP Lead Architect, Information Security Wells Fargo Bank 255 Second Avenue South MAC N9301-01J Minneapolis MN 55479 * 612-667-9227 (desk) * 612-667-7037 (fax) (2-590-1437 (cell) :-) michael.mccormick@wellsfargo.com <mailto:michael.mccormick@wellsfargo.com> (AIM) * 612-621-1318 (pager) * michael.mccormick@wellsfargo.com <mailto:michael.mccormick@wellsfargo.com> “THESE OPINIONS ARE STRICTLY MY OWN AND NOT NECESSARILY THOSE OF WELLS FARGO" This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
Received on Wednesday, 10 January 2007 19:17:20 UTC