Re: "Average User" / CMU Survey

>
> Also, can you fold this in to Martiza's description of the user for  
> our Note? Maritza, where in the wiki are you putting that?
>


I had originally written it as a possible 'assumptions section' (not  
knowing what you had in mind for the assumptions section). My thought  
was, we're assuming this is the type of user we're designing for.  
Another option would be to put it as a subsection of Design  
Principles, maybe with an intro saying this is the type of user  
we're assuming we're working with, and citations to work that backs  
it up.

I'm not sure where else this might fit in; thoughts?




> The percentages of those that always pay attention to a warning and  
> those that never pay attention to a warning remind me of the  
> percentages in our Notes ECL study. Non trivial at both ends, but  
> neither absolute.
>
>           Mez
>
> Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
> Lotus/WPLC Security Strategy and Patent Innovation Architect
>
>
>
> <michael.mccormick@wellsfargo.com>
> Sent by: public-wsc-wg-request@w3.org
> 01/03/2007 05:07 PM
>
> To
> <brad@tellme.com>
> cc
> <public-wsc-wg@w3.org>
> Subject
> RE: "Average User" / CMU Survey
>
>
>
>
>
> Agreed.  I wish they'd surveyed a larger, more diverse population  
> sample (they studied only 20 people, all under age 45) but their  
> methodology seems well thought out and the results are certainly  
> suggestive.  I suspect adding users over 45 would have skewed the  
> results even more toward the "dumb user" end of the spectrum.
>
> Mike
>
> Michael McCormick, CISSP
> Lead Architect, Information Security
>
> This message may contain confidential and/or privileged  
> information.  If you are not the addressee or authorized to receive  
> this for the addressee, you must not use, copy, disclose, or take  
> any action based on this message or any information herein.  If you  
> have received this message in error, please advise the sender  
> immediately by reply e-mail and delete this message.  Thank you for  
> your cooperation.
>
>
>
>
> From: Brad Porter [mailto:brad@tellme.com]
> Sent: Wednesday, January 03, 2007 3:55 PM
> To: McCormick, Mike
> Cc: public-wsc-wg@w3.org
> Subject: Re: "Average User" / CMU Survey
>
> This article is terrific.  We should still be careful about  
> extrapolating an "average user" from this given their caveat:
>
> Given this small and non-representative sample, we can't
> extrapolate prevalence of beliefs to the general population. We
> purposefully selected participants who were more naive than the
> average, in order to understand how those without a good
> understanding of security make sense of Internet risks.
>
> That said, the user demographic studied may be exactly our target  
> audience.
>
> --Brad
>
> michael.mccormick@wellsfargo.com wrote:
> There's been recent discussion (most recently in the "Notes section  
> - Design Principles" thread) about how security savvy the "average"  
> web user is.
>
> Simson Garfinkel of Harvard kindly drew my attention to some  
> excellent work done by Carnegie Mellon last year in this area.  See  
> http://cups.cs.cmu.edu/soups/2006/proceedings/p79_downs.pdf for  
> details.
>
> CMU used a pretty rigorous methodology to assess the web security  
> know-how of users drawn from a random cross section of the  
> Pittsburgh, PA population.  Users were questioned & observed while  
> responding to various simulated possible phishing scenarios.  
> Browsers used were MSIE, Firefox, Netscape, & Safari.  Their report  
> will be very valuable to the work of WSC -- I urge you all to take  
> a look.
>
> Some relevant highlights:
>
> Most participants [85%] had seen lock images on a web site, and  
> knew that this was meant to signify security, but most had only a  
> limited understanding of how to interpret locks, e.g., "I  
> think that it means secured, it symbolizes some kind of security,  
> somehow."  Few knew that the lock icon in the chrome (i.e., in the  
> browser's border rather than the page content) indicated that the  
> web site was using encryption or that they could click on the lock  
> to examine the certificate. Indeed, only 40% of those who were  
> aware of the lock realized that the lock had to be within the  
> chrome of the browser.
>
> Only about a third [35%] had noticed a distinction between  
> "http://" and "https://" URLs.  Of those some did not think that  
> the "s" indicated anything. But those who were aware of the  
> security connotation of this cue tended to take it as a fairly  
> reliable indication that it is safe to enter information.  For  
> those people this extra security was often enough to get them  
> beyond their initial trepidations about sharing sensitive  
> information, e.g., "I feel funny about putting my credit card  
> number in, but they say it is a secure server and some of them say  
> 'https' and someone said that it means it's a secure server."
>
> About half [55%] had noticed a URL that was not what they expected  
> or looked strange. For some, this was a reason to be wary of the  
> website.  For others, it was an annoyance, but no cause for  
> suspicion.  The other half [45%] appeared to completely ignore the  
> address bar and never noticed even the most suspicious URLs.
>
> Participants appeared to be especially uncertain what to make of  
> certificates.  Many respondents specifically said that they did not  
> know what certificates were, and made inferences about how to  
> respond to any "mysterious message" mentioning certificates. Some  
> inferred that certificates were "just a formality".  Some used  
> previous experience as their basis for ignoring it, e.g., "I have  
> no idea [what it means], because it's saying something about a  
> trusted website or the certificate hasn't, but I think I've seen  
> it on websites that I thought were trustworthy."
>
> Almost half [42%] recognized the self-signed certificate warning  
> message as one they'd seen before.  A third [32%] always ignored  
> this warning, a fourth [26%] consistently avoided entering sites  
> when this warning was displayed, and the rest responded  
> inconsistently.
>
> When asked about warnings generally, only about half of  
> participants recalled ever having seen a warning before trying to  
> visit a web site. Their recollections of what they were warned  
> about were sometimes vague, e.g., "sometimes they say cookies and  
> all that," or uncertain, e.g., "Yeah, like the certificate has  
> expired. I don't actually know what that means." When they  
> remembered warnings about security, they often dismissed them with  
> logical reasoning, e.g., "Oh yeah, I have [seen warnings], but  
> funny thing is I get them when I visit my [school] websites, so I  
> get told that this may not be secure or something, but it's my  
> school website so I feel pretty good about it."
>
> Only half of participants had heard the term "phishing".  The other  
> half couldn't guess what it meant.  Most participants had heard the  
> term "spyware" but a number of those believed it was something good  
> that protects one's computer from spies.
>
> Michael McCormick, CISSP
> Lead Architect, Information Security
> Wells Fargo Bank
> 255 Second Avenue South
> MAC N9301-01J
> Minneapolis MN 55479
> 612-667-9227 (desk)
> 612-667-7037 (fax)
> 612-590-1437 (cell)
> 612-621-1318 (pager)
> michael.mccormick@wellsfargo.com (AIM)
> michael.mccormick@wellsfargo.com
> "THESE OPINIONS ARE STRICTLY MY OWN AND NOT NECESSARILY THOSE OF  
> WELLS FARGO"
>
>



- Maritza

http://www.cs.columbia.edu/~maritzaj/

Received on Wednesday, 10 January 2007 20:47:44 UTC