2.3 User Studies
Two main projects characterize the User Study component of the PKI Research group during year one of the Mellon grant: understanding user behavior, and evaluating secure applications.
2.3.1 Understanding User Behavior
The first project has focused on determining and understanding user behavior and its implications for security. More specifically, this component of the PKI project seeks (1) to determine the extent of “risky” behavior by typical user groups in Higher Education (e.g., undergraduate and graduate students, administrative staff, faculty, etc.), and (2) to identify the factors that affect computer users’ security behavior, including: (a) overall knowledge of security issues, and awareness of methods to decrease exposure and vulnerability; (b) the value placed on protecting private information, and making transactions and exchanges secure; (c) the barriers users perceive to taking steps to decrease exposure and vulnerability; and (d) perceptions of the risk of a security breach.
Initially, we sought to identify and compile data from national studies regarding what is already known about user security-related behavior. What we found, in short, is that no one knows very much. There is general information about the extent of particular types of use and transactions. For example, surveys of the national on-line population, estimated to be approximately 66% of adult population in the U.S. (Harris Poll 2002), find that 84% use email, 39% make purchases online, and 18% use online banking (http://www.ntia.doc.gov/ntiahome/dn/html/toc.htm). There is also some detailed information on the issue of privacy. For example, the Markle Foundation’s nationally representative survey (Toward a Framework of Internet Accountability, 2001) found that 54% of the public believes they have fewer protections online compared to off-line, 58% do not trust on-line businesses to regulate their own behavior, and 64% believe the government should develop rules to protect online exchanges.
On issues more closely related to security, there is little information available. Some interesting work has been conducted by the Stanford Persuasive Technology Lab, in conjunction with Consumer Webwatch (http://www.consumerwebwatch.org/news/report3_credibilityresearch/stanfordPTL_abstract.htm). They found that there is some mismatch between what users say they do, and what they actually do. For example, on-line consumers state in surveys that websites’ privacy policies are vital to evaluating credibility; 93% say it is “very important” for e-commerce sites to have a visible statement of how the site will use and protect credit card information (http://www.consumerwebwatch.org/news/1_abstract.htm). During active browsing, however, users rarely look at privacy policies when transacting with websites; only 33% say they always look at a website’s policy on protecting credit card information when transacting with a site. Instead, many users base evaluations of credibility on superficial aspects of websites, such as visual design, layout and text size. This study is worth mentioning because unlike many studies of user attitudes, it measures user behavior, i.e., what users actually evaluate when observing real websites.
Given the lack of general data on user security behavior, and our desire to understand security issues in the HE community specifically, we have developed an on-line survey to gather data on users’ security knowledge, behavior and attitudes. (See appendix A for the survey questionnaire.) The initial survey of undergraduates will be administered this spring. A survey of staff is expected to be administered this summer, followed by a survey of faculty in the fall. See more details under “Future Plans” (section 3.2.7). Using data from these surveys we expect not only to describe accurately what users do and understand (as well as what they don’t do and don’t understand), but also to begin to articulate more fully the value proposition of PKI in Higher Education.
2.3.2 Evaluate Secure Applications: User Study
The secure systems and applications developed by the PKI design team, such as the SRD boundary for the Mozilla browser (see section 2.2.5 above), must be understandable and usable by actual users to have an effect on security. The existence of a trusted path from browser to user, as communicated by the SRD boundary, does not guarantee that users will understand what this path tells them. We therefore conducted user studies to evaluate the usability of communicating security information via the SRD boundary.
We conducted a total of nine sessions with 37 undergraduate and graduate student volunteers. Subjects first answered a brief questionnaire regarding demographic characteristics, as well as questions about their typical computer use and general knowledge of computer security. Next, we gave subjects a brief introduction to security information (e.g., what a certificate is and what it does during an SSL session). Then we introduced them to the SRD boundary approach and informed them of the two parameters (brown color and synchronized boundary changes) that would signal a trusted window. Subjects also viewed the original Mozilla user interface, in order to become familiar with the buttons and window appearance.
The scenario for the test sessions was for users to use a web server from to access their email. Before checking email, they must verify that the browser is indeed communicating with the email secure server. Users never actually accessed their email or entered any private information during the test sessions. Instead, they started our modified browser and entered an SSL session with the server.
We asked users to observe the windows for five seconds before they answered a series of questions regarding what they observed of the two parameters in the window boundaries and whether they thought the window was secure (from the trusted source). The entire test took approximately one hour. Subjects volunteered after responding to advertisements about the study in campus buildings. Subjects were paid $10 for their participation.
The 37 subjects included both undergraduate (n=21) and graduate (n=16) students, and ranged in age from 18 to 40, with a mean age of 23. Over half of the subjects were computer science (CS) or engineering majors (n=22), though these subjects performed no differently (based on statistical comparisons) than subjects from other major areas of study. Subjects self-rated their own expertise as internet users on a scale of 1=expert, 2=knowledgeable, 3=inexperienced. Twenty-seven percent rated themselves as an expert, and 73% as knowledgeable. Expert and knowledgeable subjects also did not differ in performance (according to statistical comparisons).
Across the three test sessions, subjects accurately identified the signal of a trusted window 80% of the time, and accurately identified a not-trusted window 87% of the time. Subjects were most successful in accurately identifying a trusted window in method two in which the SRD boundary is displayed in both a pop-up reference window and the pop-up security-warning window. Subjects in method two also accurately identified not-trusted windows.
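The decision rule the subjects were trained on (a window is trusted only if its boundary has the brown color and its boundary changes are synchronized with the browser's reference window) can be made concrete with a small model. The following Python is an added illustration, not code from this report or from the PKI Lab's Mozilla modification; its mechanics are assumptions: the browser holds a secret seed that drives a per-tick boundary style, browser-owned windows render that style in lockstep, and page content can imitate the color but cannot read the seed. The names `Window`, `boundary_style`, `is_trusted` and `spoof_success_probability` are hypothetical.

```python
"""Toy model of the SRD (synchronized random dynamic) boundary check.

Added illustration; not the report's or the PKI Lab's code. Assumed mechanics:
the browser keeps a secret seed; the reference window and every trusted window
show the boundary style derived from (seed, tick); untrusted page content can
draw a brown border but cannot follow the secret sequence.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

TRUSTED_COLOR = "brown"   # first parameter subjects were told to check
STYLES = 4                # number of distinct boundary patterns the browser cycles through
OBSERVATIONS = 32         # ticks a verifier watches before deciding


def boundary_style(seed: int, tick: int) -> int:
    """Style shown at `tick` by any window that holds the secret seed."""
    digest = hashlib.sha256(f"{seed}:{tick}".encode()).digest()
    return digest[0] % STYLES


@dataclass
class Window:
    name: str
    color: str
    seed: Optional[int] = None   # browser-owned windows hold the secret; page content does not
    copycat: bool = False        # untrusted window that mirrors the style it saw one tick earlier

    def style_at(self, tick: int, reference_seed: int) -> int:
        """Boundary style this window actually displays at `tick`."""
        if self.seed is not None:
            return boundary_style(self.seed, tick)
        if self.copycat and tick > 0:
            # Forged content can watch the reference border but only react after the fact,
            # so it is always one tick behind the real sequence.
            return boundary_style(reference_seed, tick - 1)
        return 0                 # static forged border: brown, but never changes


def is_trusted(window: Window, reference_seed: int, observations: int = OBSERVATIONS) -> bool:
    """The two-parameter rule: right color AND boundary changes synchronized with the reference."""
    if window.color != TRUSTED_COLOR:
        return False
    return all(
        window.style_at(t, reference_seed) == boundary_style(reference_seed, t)
        for t in range(observations)
    )


def spoof_success_probability(observations: int = OBSERVATIONS, styles: int = STYLES) -> float:
    """Chance that a window guessing styles independently stays in sync for every tick observed."""
    return (1.0 / styles) ** observations


if __name__ == "__main__":
    secret = 20240101  # constructed sample seed
    for w in (
        Window("mail login (browser-owned)", "brown", seed=secret),
        Window("forged static border", "brown"),
        Window("forged copycat border", "brown", copycat=True),
        Window("browser-owned but wrong color", "grey", seed=secret),
    ):
        print(f"{w.name:36s} trusted={is_trusted(w, secret)}")
    print("spoof success over", OBSERVATIONS, "ticks:", spoof_success_probability())
```

The model shows why the second parameter matters more than the first: color alone is trivially copied, while staying synchronized for every observed tick without the seed has probability (1/STYLES)^OBSERVATIONS, which is why the study asked subjects to watch the boundary for several seconds rather than glance at it once.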
In addition to demonstrating the effectiveness of the SRD display as a mechanism to signal website security information, the user study revealed some information about user behavior in general that has contributed to the goals of our first user project. Below are some of the findings regarding security knowledge and behavior from the participants in the SRD-display tests.
2.3.3 Findings: Computer Use and Security Knowledge
- 92% of subjects spend at least one hour per day on the web, in addition to email.
- 97% have purchased products on-line, and nearly all have done so in the last six months.
- 65% have heard the phrase SSL (all of the experts and half of the knowledgeable users; CS majors more likely than non-CS majors to have heard of SSL).
- Half of those who have heard of SSL say they know what SSL means.
When submitting private information on-line:
- Only 25% say they always check security features on their browser.
- 36% sometimes check security features.
- 39% rarely or never check the security features!
The security features typically checked by those who sometimes or always check:
- 51% check the URL for https.
- 70% check the lock icon.
- 35% check the certificate.
These findings have contributed to our development of the survey questionnaire for user behavior.
We will use these and future findings in our Phase 2 outreach education programs (see 3.4) so that others can benefit from the insights we have gained.