On 9/27/2020 2:20 AM, Alessandro Vesely wrote:
On Sat 26/Sep/2020 15:06:54 +0200 Dave Crocker wrote:
On 9/26/2020 3:31 AM, Alessandro Vesely wrote:
A pointer to a better aimed report circulated on this list:
An unrefereed presentation (not paper) about a single experiment is
better than a summary of an industry-wide effort that failed?
I meant aimed at email rather than web browsing.
So?
If you think the industry-wide experiment that focused on signalling a
trust indicator and failed is somehow less relevant than a small, single,
unrefereed paper about a preliminary and poorly-designed research project,
please explain.
And, for the current discussion, there's the troublesome summary
they give about their own study:
1. Warning only slightly lowers the click rate
2. The absolute click rate is still high
The key words there are "slightly" and "still high".
"If one person eats a chicken and another person doesn't eat anything,
on average they both ate half a chicken". That's how statistics
distorts reality.
The fact that you think this statement is somehow meaningful suggests a
rejection of an entire, established field of study based on not
understanding it.
I'm sure there are users who watch authentication
results, and usually take no bait. For them, "slightly" and "still
high" don't hold.
Except that individual cases are not the basis for establishing
industry-wide practice. Industry-wide behaviors are.
An occasional example simply isn't relevant. That's the difference that
legitimate statistical analysis provides.
And, there's increasing activity about anti-phish employee training. As
a consequence, the importance of visual hints is bound to increase.
Excellent. So that means you can point to studies that show how
effective such training is. Because the general sense in the
anti-abuse community is that it has little effect. But if you know of
studies to the contrary, it would be very useful to hear about them.
Prompting the question of why anyone would think this study serves to
demonstrate strong support for the role of end-users in abuse
protection?
That wasn't the goal of the presentation, AFAIUI.
However it /was/ the apparent reason it was cited.
At any rate, I don't think that demeaning users can be a long term
strategy toward a more evolved society. Albeit it may work 99% of the
times, delegating decisions to a security manager is a limitation. It
is possible, at least in theory, that a message is considered a phish by
some but not by others. In illiberal countries that's all the more likely.
All of which demonstrates a basic problem with efforts to discuss
human-related work: difficulties in understanding how to evaluate
research and research patterns, with a tendency to instead lean on
confirmation bias.
That's why it is important to enable each and every soul to exert their
own judgements.
Actually, it's not.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc