Use Case Dimensions

- What is the user's relationship to the addressed site?
  - No previous relationship between website and user
  - User has previously interacted with the website
    - May or may not have established account credentials (e.g. password)
    - May or may not have shared private information (e.g. bank routing number)
- How does the user arrive at the site?
  - Manual entry of address
    - Site address may be a memorable brand (e.g. amazon.com)
    - May have been learned from an advertisement
  - Manual entry of part of the address, with browser heuristics completing it
    - Many browsers will automatically add .com to a bare domain name (e.g. amazon => amazon.com)
  - Bookmark or other relationship stored in the browser or OS
  - Link provided by an external application
    - From email client
    - From instant messenger
    - Other
  - Web link
    - From search engine
    - From partner site (e.g. citi.com to accountonline.com)
    - Advertisement
    - Other
- What task is the user intending to perform? (Intended interaction)
  - Retrieve information
    - Even simple information retrieval may be security-critical (e.g. looking up the instructions and mailing address for a bank deposit)
  - Interact with others (e.g. interpersonal email, social networking, web-based IM)
    - Trust in the data received affects how the user chooses to act upon it.
    - Secure entry of data into the system is important for the user's reputation (e.g. adverse effects if the user is falsely associated with NAMBLA)
  - Transferring funds (or other valuables) within own accounts or to others
    - Trust motivation here is obvious
  - Exchange goods or services
    - User should understand the implicit or explicit contract terms (by bidding I'm agreeing to buy this item)
    - User will want to know whether he/she is really communicating with the other transacting party (where to ship goods)
What can go wrong? -- See ThreatTrees