“The Emperor’s New Security Indicators” is a new, well-written research paper on the effectiveness of security indicators, authored by Stuart Schechter (MIT Lincoln Labs), Rachna Dhamija (Harvard University & CommerceNet), Andy Ozment (MIT Lincoln Labs & University of Cambridge), and Ian Fischer (Harvard University). The study described in the paper finds that several well-known security indicators usually fail to help end users make correct security decisions.
In a general sense, it is widely acknowledged that designing security indicators and communicating their results is far from easy. There have been a number of studies that point out the shortcomings of security tools from a usability perspective. Nonetheless, such published studies are valuable since they help quantify how dire the situation is. Also, each of these studies is naturally unique with respect to the exact conditions used. Since the outcome can be very sensitive to the underlying conditions, it helps to see various experiments repeated so that we gain confidence in the overall thesis the study is putting forth.
One unique aspect of the “Emperor” study is that the authors examined the effects of subject roles. First, all subjects were told that, as part of the study, they had to perform various online banking functions. The subjects were then divided into three groups:
1. Each subject in the role playing group was told they were a medical doctor with a bank account at a specific bank.
2. Each subject in the security primed group was told the same thing as in the role playing group, but was also informed that they had to be concerned about the security of their passwords.
3. Each subject in the personal account group was told to perform their transactions using their own bank account. While they were given no explicit indication that security indicators were the focus of the study, they had an incentive to behave securely, or else their own account information would be at risk.
The Emperor study examined three security indicators:
1. HTTPS indicators that you see when you point your browser to an SSL-protected Web page. These include the lock icon on the bottom right of the browser frame as well as the string “https” appearing in the address bar.
2. Site-authentication images that some Web sites use in order to provide a degree of mutual authentication. That is, you choose the image up front and the site is supposed to display it whenever you visit. If the image is missing, it’s an indication that you’re not at the real site.
3. Warning pages that some browsers display whenever there is an issue with a site’s digital certificate (in which case, the page warns you not to proceed further).
With regard to security indicators, the study found the following. All 63 participants for whom responses were collected and verified failed to notice missing HTTPS indicators, and gave away their username and password. Of 60 participants whose responses were collected and verified when testing the efficacy of site-authentication images, 58 failed to notice the absence of a site-authentication image – and proceeded to log in. Finally, of the 57 participants whose responses were recorded and verified when testing the efficacy of warning pages, a whopping 30 of them still continued entering their password.
In terms of roles, the study found that there was no statistically significant difference between how securely the role playing group and the security primed group behaved. Ironically, the security primed group behaved slightly less securely (giving away 18 passwords) than the role playing group (who gave away 17 passwords)! So, telling people in a study that you’re actually evaluating security features doesn’t seem to make them act any more safely!
The personal account group behaved much more securely than the security primed group. Two-thirds of the security primed group gave their passwords away when they shouldn’t have, across all three indicators. On the other hand, slightly more than a third of the personal account group did the same.
These results point to the limitations of various types of security indicators. However, it’s important to keep in mind that these indicators only tell one part of the story. First, many sites use multiple lines of defense. For example, they might use back-end systems to detect anomalous behavior.
Second, when evaluating a site, one might look for a number of cues. For example, if my bank tells me that an authentication image is missing, but I still see that I am on the bank’s domain, then I may feel safe (and indeed be safe) and log in regardless. It would have been interesting if the study had also included scenarios where a more “phishy” looking URL was used.
Third, most people are still at a stage where they haven’t learned to interpret indicators (or the absence of indicators) correctly. Perhaps as people’s overall level of Internet usage and sophistication increases, they will become better at these tasks. Certainly that’s not going to happen overnight, but it’s worth keeping in mind.
Fourth, there’s always a self-selecting nature to such studies. After all, I learned that for just $25 a pop, I can convince quite a few students on a college campus to give me their online banking credentials by telling them that they are taking part in a “study”.
The paper itself is located at: http://usablesecurity.org/emperor/.