ABSTRACT
We replicated and extended a 2008 study conducted at CMU that investigated the effectiveness of SSL warnings. We adjusted the experimental design to mitigate some of the limitations of that prior study; adjustments include allowing participants to use their web browser of choice and recruiting a more representative user sample. However, during our study we observed a strong disparity between our participants' actions during the laboratory tasks and their self-reported "would be" actions during similar tasks in everyday computer practices. Our participants attributed this disparity to the laboratory environment and the security it offered. In this paper we discuss our results and how the changes introduced to the initial study design may have affected them. We also discuss the challenges of observing natural behavior in a study environment, as well as the challenges of replicating previous studies given the rapid changes in web technology. Finally, we propose alternatives to traditional laboratory study methodologies that the usable security research community can consider when investigating research questions involving sensitive data, where trust may influence behavior.
Title: On the challenges in usable security lab studies: lessons learned from replicating a study on SSL warnings