Eye tracking analysis of browser security indicators

Understanding natural human behavior when people interact with Web browsers is essential for building more user-centric interface designs that are tailored to users' perception and experience. This paper presents the first empirical study of users' interaction with security indicators in Web browsers under a controlled, real-life security risk. The work focuses on the natural and spontaneous behavior of the victim's eyes across several predetermined areas of interest, and empirically presents users' evaluation of several online logon pages. The experiment and its results provide quantitative evidence of the usability of the visual security indicators in Internet Explorer 8 (IE8). We first categorized a set of Websites and created phishing Web pages using the most common phishing techniques; a group of users from different backgrounds and age groups then took the controlled experiment on an eye-tracking machine. We found that the simplicity approach in Web design does more damage than good for online security: the current sleek design of Web pages helps users find the logon area while leading them to overlook the security indicators. We also found that the participants did not use the security certificate cue to determine the legitimacy of the presented Websites.
