On 1/7/2021 2:14 AM, Alessandro Vesely wrote:
On Wed 06/Jan/2021 00:55:41 +0100 Dave Crocker wrote:
On 1/5/2021 3:50 PM, Michael Thomas wrote:

Quit cutting out needed context to make your points. The study directly contradicts your categorical statement.

Except that it doesn't.

Feel free to provide a serious explanation of why you think otherwise, but please put some effort into accurately representing what I said or what the study shows.  Attention to detail will help.  Conclusions are less important than showing your work.


The report says:
    This returns the email-opening rate of 53.4% and 48.9%. Among these users,
    the corresponding click-through rates are 48.9% (without security
    indicator) and 37.2% (with security indicator) respectively. The
    results indicate that security indicators have a positive impact to reduce
    risky user actions.
https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-hu.pdf


You said:
    My point is that we have decades of belief that it's useful but no
    demonstration that it actually is.  And we have history such as the EV
    effort, showing that it isn't.
https://mailarchive.ietf.org/arch/msg/dmarc/r7unHaCXKKFeotbjU1pL-Jx4f_o


We've got roughly 25 years of anti-abuse effort.  This includes some that have attempted to use end-user trust indicators.  All have proved useless.  The entire anti-abuse industry relies on filtering engines, not end-user behavior. (End user 'education' is minor and generic.  There is little or no evidence it has much effect.)

A single, small-sample study under somewhat-controlled conditions does not provide 'proof' of efficacy.  At very best, it suggests a line for further inquiry.

At the very least, note the Study Limitations section.  Then note that studies like these have very, very low correlation factors. A result of 0.4 is about as good as it ever gets, and that's quite rare.  But it means that, at best, the study accounts for only 16% of the behavior, leaving 84% due to other factors.  This is not much of a foundation for the time and opportunity cost of a standards effort.

From the cited paper:

Visual Security Indicators. Security Indicators are commonly used in web or mobile browsers to warn users of unencrypted web sessions [25, 39, 61, 49], phishing web pages [21, 24, 69, 70], and malware sites [7]. Existing work shows that users often ignore the security indicators due to a lack of understanding of the attack [69] or the frequent exposure to false alarms [43]

It's significant that their text misses a variety of cognitive limitations that are also likely to account for the lack of efficacy.

d/


--
Dave Crocker
[email protected]
408.329.0791

Volunteer, Silicon Valley Chapter
American Red Cross
[email protected]
