Re: ISSUE-8: User Education

Looking at the Note again, and where a statement on user education might 
best fit, I now propose it go into section 8, currently titled "Problems 
with the status quo". But if Tyler, or anyone, thinks it goes better 
somewhere else, I'm open to that. It could go in 8.3, or in its own 
subsection if the section is retitled to be more in line with "Analysis of 
the current situation" (which was an alternative we discussed at the f2f). 
Assuming the former, my proposal is: 


Employing a great deal of deception might also be unnecessary for a 
successful attack, since studies have shown many users have a poor 
understanding of the chrome. The current chrome indicators provide a thin 
summary of raw technical artifacts drawn from the network protocol's 
current exchange. The full meaning of these protocol artifacts is not 
necessarily understood by users.


8.3.4 Explanations versus understanding

Users come to an understanding of security indicators predominantly 
through use and direct experience, and somewhat through general awareness 
(discussions with others, news and other information they might receive). 
Users knowing about the padlock icon at all, for example, shows that user 
education does happen over time. Experience and history with education on 
using computer software indicate that users do not learn and act exactly 
on what is explicitly taught them (for an example of that in user 
security, see http://www.acsa-admin.org/2002/papers/7.pdf). Explicit user 
education does not override other problems and consistently alter user 
behavior. 



Also ACTION-64

Received on Thursday, 8 February 2007 20:04:30 UTC