Gervase Markham wrote:

> Ian G wrote:
>
>> 'bare minimum' ... your thinking is possibly influenced
>> by the popup experiences of the past.  Which were of
>> course pushed into the direction of "less is better."
>
> Not really. It seems fairly self-evident to me that the more security UI there is, the more likely users are to ignore it.


In simplistic terms, if nothing else was considered,
that would be true.

...

> The key is to allow them to establish as good a confirmation of the security of the connection as possible, with the minimum of mental effort. This is why some sort of logo-based trust assessment is never going to work.


A century of marketing science - specifically,
that part known as branding - disagrees.  At
least 2 research teams have independently
trialled these notions in Mozilla and the results
seem to indicate that graphical-based trust
assessment does in fact work.

In fact, precisely this sort of branding is used
in security systems all over the place.  Have
a look at an ATM or a POS system next time
you plug your card in - an integral part of
many systems is that the device should be
branded.  Have a look at the holographic
logo on your credit card ... that's a brand
that is hard to copy that the *merchant*
can check.

> "Whose logo is that?


The specific answer is "mine" if the question
is in the context of the TrustBar paper.

> Have I seen it somewhere before?


Yes, I chose it to suit that site.

> Is it that one that someone told me was dodgy?


(see above...)


> If it is, does it matter? If I've never seen it before, what do I do?


If you didn't select that site logo, then you
are not at that site.  Consumers know what
to do then, they take more care.

> I want to shop here anyway... Is it really going to matter?"


That's what we want consumers to ask.  If
it is their banking site, and it's been spoofed,
most will understand that this is ... an issue!


> Far, far too much mental effort.


Well, bear in mind ... the good logos only
disappear when there is a problem like
spoofing, so asking for more mental effort
is what we actually want.

When the good logos are there the amount
of mental effort is optimised because the
brain is able to cache and compress logos
into very small efforts of processing.


>> One way to consider it is more like the new Flash
>> bar that pops into play whenever I hit a Flash site.
>> It's a funny colour, but it's not a popup and I don't
>> need to pay attention to it.  My mind has already
>> absorbed that information and knows to just ignore
>> it and carry on browsing.
>
> So you want the security information we present to be ignored like the Flash bar?


Er, no.  That was just an example to indicate
how my brain has already created an "ignore"
bit for the Flash bar.  If the bar was related
to say a security purpose, my brain would
create a "watch & process" path.

The brain is very powerful.  It can do wonderful
things with imagery.  All we have to do is present
it with the right images, and I grant that this does
require a bit of experimentation.  But the science
of imagery and ergonomics is well advanced; there
is no reason to believe this wouldn't be a very
quick experiment.

All the hard work has been done:

http://www.cs.biu.ac.il/~herzbea//Papers/ecommerce/spoofing.htm

Also, see Ye and Smith; I don't have the URL to
hand.

iang

--
News and views on what matters in finance+crypto:
       http://financialcryptography.com/

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
