On Sat 26/Sep/2020 15:06:54 +0200 Dave Crocker wrote:
On 9/26/2020 3:31 AM, Alessandro Vesely wrote:
A pointer to a better aimed report circulated on this list:
An unrefereed presentation (not paper) about a single experiment is better than
a summary of an industry-wide effort that failed?
I meant aimed at email rather than web browsing.
And, for the current discussion, there's the troublesome summary the they give
about their own study:
1. Warning only slightly lowers the click rate
2. The absolute click rate is still high
The key words there are "slightly" and "still high".
"If one person eats a chicken and another person doesn't eat anything, on
average they both ate half a chicken". That's how statistics distorts reality.
I'm sure there are users who watch authentication results, and usually take
no bait. For them, "slightly" and "still high" don't hold.
And, there's increasing activity about anti-phish employee training. As a
consequence, the importance of visual hints is bound to increase.
Prompting the question of why anyone would think this study serves as
demonstrating strong support for the role of end-users in abuse protection?
That wasn't the goal of the presentation, AFAIUI.
At any rate, I don't think that demeaning users can be a long term strategy
toward a more evolved society. Albeit it may work 99% of times, delegating
decisions to a security manager is a limitation. It is possible, at least in
theory, that a message is considered a phish by some but not by others. In
illiberal countries that's all the more likely.
All of which demonstrates a basic problem with efforts to discuss human-related
work: difficulties in understanding how to evaluate research and research
patterns, with a tendency to instead lean on confirmation bias.
That's why it is important to enable each and every soul to exert their own
judgements.
Best
Ale
--
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
