Towards a contingency approach with whitelist- and blacklist-based anti-phishing applications: what do usability tests indicate?

Web browsers offer a variety of anti-phishing tools and technologies to help users identify phishing attempts and potentially harmful pages. These tools provide Internet users with essential information, such as warnings of spoofed pages. To determine how well users are able to recognise and identify phishing web pages with anti-phishing tools, we designed and conducted usability tests for two types of phishing-detection applications: blacklist-based and whitelist-based anti-phishing toolbars. The research results mainly indicate no significant performance differences between the application types. We also observed that, in many web browsing cases, a significant amount of useful and practical information for users is absent, such as information explaining professional web page security certificates. Such certificates are crucial in ensuring user privacy and protection. We also found other deficiencies in web identities in web pages and web browsers that present challenges to the design of anti-phishing toolbars. Meeting these challenges will require more professional, illustrative, instructional, and reliable information that helps users verify the authenticity of web pages and their content.
