Do user personas make sense for usable security?

Hi all,

The wiki page at
http://www.w3.org/2006/WSC/wiki/NoteUserTestVerification,
as well as much discussion on this mailing list, has assumed there are
different categories of users and that users in each of these categories
have different needs for the presentation of security information. I am
wondering if that's actually true.

Usable security is different from general usability in that security is
not the user's primary goal. The user has a separate task that is their
primary goal and is consuming almost all of their attention and effort.
I am thinking that differences in user behaviour are much more likely
for primary goals than for peripheral goals. I suspect that an expert
user working intently behaves much the same as a novice user, when one
only looks at actions that are peripheral to the primary goal. This
suspicion seems to be substantiated by the results of the "Why Phishing
Works?" user study, which found no correlations between the background
of their test subjects and their performance on phishing tests.

Barring evidence to the contrary, I think this WG should not attempt to
categorize users, or differentiate the presentation of security
information for these hypothetical categories.

Tyler

Received on Thursday, 25 January 2007 23:48:31 UTC