...
Well, ok, here's one that shows lack of efficacy, and it's a big one:
EV-certs
/Google to bury indicator for Extended Validation certs in Chrome
because users barely took notice/
https://www.theregister.com/2019/08/12/google_chrome_extended_validation_certificates/
"The reason is simple. 'Through our own research as well as a survey of
prior academic work, the Chrome Security UX team has determined that the
EV UI does not protect users as intended... users do not appear to make
secure choices...'"
To be fair, this is looking at positive security indicators, not negative
ones. But there are plenty of other studies looking at the more general
case. Here's one that seems relevant to DMARC:
Do Security Toolbars Actually Prevent Phishing Attacks?
https://dl.acm.org/doi/pdf/10.1145/1124772.1124863
Abstract:
Security toolbars in a web browser show security-related
information about a website to help users detect phishing
attacks. Because the toolbars are designed for humans to
use, they should be evaluated for usability - that is, whether
these toolbars really prevent users from being tricked into
providing personal information. We conducted two user
studies of three security toolbars and other browser security
indicators and found them all ineffective at preventing
phishing attacks. Even though subjects were asked to pay
attention to the toolbar, many failed to look at it; others
disregarded or explained away the toolbars' warnings if the
content of web pages looked legitimate. We found that
many subjects do not understand phishing attacks or realize
how sophisticated such attacks can be.
Ned
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc