- From: Serge Egelman <egelman@cs.cmu.edu>
- Date: Thu, 10 Jan 2008 14:34:32 -0500
- To: Mike Beltzner <beltzner@mozilla.com>
- CC: michael.mccormick@wellsfargo.com, "public-wsc-wg@w3.org >> Web Security Context Working Group WG" <public-wsc-wg@w3.org>
There's another very important dimension to this which no one has mentioned: In the weather analogy, the "user" has very little external stimuli to take into account (i.e. you can look outside, but based on experience, people know that that's not always a very good indicator for distrusting the forecast). Additionally, this is reinforced because you know exactly what decision you made incorrectly: when it rains that day, catching you unprepared, you know you should have trusted the forecast.

However with security, the risks of ignoring a warning are rarely realized immediately. You may have a fraudulent charge on your statement, but I doubt you'll be able to pinpoint exactly which transaction resulted in it. Instead you have the vague "be more careful in the future." Because the penalties aren't necessarily associated with the poor decision, people take other factors into account, beyond just the security indicators (and this is for many other reasons too, e.g., the rate of false positives or false negatives that these indicators have had historically).

For instance, *many* studies have shown that users routinely base their trust decisions on how the website looks (e.g. a professional looking phishing site will always be more credible to the average user than a poorly designed legitimate site). The design of the website will almost *always* trump a security indicator. This is exactly why we should warn (and prevent the site from being displayed) on bad sites, rather than use passive indicators on good sites.

serge

Mike Beltzner wrote:
>
> michael.mccormick@wellsfargo.com wrote:
>> I agree. I like the weather analogy. There's no perfect security
>> indicator. But the more variables an indicator takes into account the
>> more it approaches the asymptote.
>
> The weather analogy is indeed fantastic, because people know what an 80%
> chance of rain means. What Ian and I are asking - and what nobody has
> given an answer to, although you've done a great job of continually
> reshaping the question! - is what does an "80% chance of security" mean
> to someone?
>
>> I guess the alternative would be to throw up our hands and say all
>> security context indicators are useless.
>
> Yes, if we're looking for strawman arguments, that would be great.
>
> At no point have I seen anyone say that we shouldn't be listing the
> various security indicators and their results. All I've been saying is
> that we should be expressing those in human-consumable terms, and then
> expressing a human-consumable summary that's actionable.
>
> In the weather analogy, it's easy to see what you do if there's an 80%
> chance of rain: you either wear clothes you don't care about having get
> wet, or you drive a car, or you don't go for a jog, etc.
>
> In the case of our use cases, what I'm saying is that an "80% chance of
> security" doesn't help as much as saying "Identity Verified" or "This
> site is insecure", with more details available underneath.
>
> What I'm saying is that summating those disparate indicators into a
> single percentage based score isn't helpful in this application.
>
> cheers,
> mike
>

--
/* PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University
Legislative Concerns Chair
National Association of Graduate-Professional Students */
Received on Thursday, 10 January 2008 19:35:02 UTC