On the challenges in usable security lab studies: lessons learned from replicating a study on SSL warnings

We replicated and extended a 2008 study conducted at CMU that investigated the effectiveness of SSL warnings. We adjusted the experimental design to mitigate some of the limitations of that prior study; adjustments include allowing participants to use their web browser of choice and recruiting a more representative user sample. However, during our study we observed a strong disparity between our participants' actions during the laboratory tasks and their self-reported "would be" actions during similar tasks in their everyday computer use. Our participants attributed this disparity to the laboratory environment and the security it offered. In this paper we discuss our results and how the changes we introduced to the initial study design may have affected them. We also discuss the challenges of observing natural behavior in a study environment, as well as the challenges of replicating previous studies given the rapid changes in web technology. Finally, we propose alternatives to traditional laboratory study methodologies that the usable security research community can consider when investigating research questions involving sensitive data, where trust may influence behavior.
