Speaker: Markus Jakobsson, Indiana University
Title: The Human Factor in Phishing and Malware
Abstract:
Most security mechanisms are designed without much
consideration of the behavior of the typical end user. This is due to
a competence gap between the designers and users and a poor
scientific understanding of the human factor as it relates to
security. While traditional user studies work well to measure a range
of user behaviors, they fail to measure the impact of deceit,
misconfiguration, and neglect. This is because users behave
differently if they know they are being tested, which
introduces a bias into the results. Naturalistic user experiments -- in
which the subjects do not know that they are being studied -- offer a
solution to this problem, but come with ethical concerns. I will
describe a collection of ethical and naturalistic experiments, and
the corresponding results. The results tell us how typical users
relate to URLs of different kinds, to certificates and to SSL.