Julie S. Downs, Mandy Holbrook, and Lorrie Faith Cranor: Decision Strategies and Susceptibility to Phishing
July 14, 2006 by Ping
How do users make decisions? Are they aware of the risks? What cues do they use, and how do they interpret security messages?
This study interviewed 20 users who had never changed their security preferences, built a website, or helped someone fix their computer, and asked them to explain their concepts of security in their own words.
The users were shown login pages and asked what they would look at to decide whether they were safe; they were shown security popups and asked to explain them; and they were shown e-mail messages that ranged from legitimate to fraudulent and asked to role play someone receiving the message.
In the role playing exercise, users were given a wallet with the business card of their character and a couple of credit cards. The exercise began with a typical work message about a meeting to get users into their roles.
Most of the participants used Windows PCs and Internet Explorer. Most understood “anti-virus”, “spam”, and “spyware”. Only half recognized “phishing”, and those mostly didn’t know what it meant.
Understanding of the lock icon is poor, and no one made a distinction between icons in the chrome and icons in the page. Some expressed some distrust of the lock icon.
The participants also had a fairly weak understanding of the meaning of the URL, and very little understanding of messages about encryption. (One user even thought the encryption might “have a virus in there”.)
A common strategy users relied on to protect themselves was to trust e-mail that is personally addressed to them. That may be a reasonable strategy for identifying spam, but it is not a good one for identifying phishing messages, since an attacker who knows the recipient's name can easily personalize the message. For example, participants were suspicious of messages that didn’t have a salutation by name or didn’t have a signature line.
Many participants placed trust in existing relationships — they suspected messages that came from sites where they didn’t have an account, and unexpected messages when they hadn’t initiated a transaction.
Participants tended to trust reputable companies, but would rarely suspect that they might be impersonated.
July 14th, 2006 at 05:39
This study is an important reminder that typical browser users don’t speak in the same terms that computer security folks do. Despite how unsurprising this might be to usability folks, I think we still have a tendency to assume too easily that users are familiar with security concepts and terms. For example, Microsoft decided to market features in Internet Explorer 7 as “anti-phishing” and pop up warnings about “phishing sites” to customers who probably don’t know what “phishing” means. And nearly all browsers talk about “encryption”. Why not use words like “secret” or “private” instead?
August 19th, 2006 at 05:03
Hello Ka-Ping Yee, you are right, why not use words like secret or private. Even the word biometrics is not used in most conversations.
The reason might be that there is no such thing as privacy, and that it is forbidden to say that anonymity is not useful. To be honest would include telling that every religion is a dictatorship, which will not be useful to let most people be hard workers and loyal consumers and so good tax-payers.
A solution for security issues is to use our HEARTBEAT-ID portal. Have a look at http://www.heartbeat-id.com
Have a great day, Roland Sassen