Tao of Data Security - Part 2 - Bring Back Clippy
In the security industry, a lot of time and money is spent on fancy tools and technologies. Yet from the consumer's perspective, things look very different. One of the best, yet hardly known, studies on consumer internet behavior came out of the University of Texas in 2001: LOOKING WITHOUT SEEING: UNDERSTANDING UNSOPHISTICATED CONSUMERS SUCCESS AND FAILURE TO DETECT INTERNET DECEPTION.
What was interesting was how consumers placed trust in a website. For their study a total of 93 undergraduate students participated in the experiment (35 males, 58 females). Subjects were volunteers recruited from several sections of a marketing class taught at a large U.S. university. The task was simple: buy an item for a friend who was afraid to shop online.
The study found that trust-building mechanisms in websites were based on three factors: web store reputation, customer testimonials, and web store size. Trust in the site would be enhanced if the site contained third-party seals (e.g., the Better Business Bureau BBB On-Line seal), warranties, news clips from third-party publications, and a physical store location. Consumers perceived risk only when they, as victims of deception, began to identify inconsistencies in the web store (e.g., “the link to the source of this news clip is broken”).
Here’s the most depressing part of the study: a third of the study group was trained (or “primed,” to use the psychology jargon) with materials on fraud and internet security, but the literature made no difference. However, with time and experience, the researchers felt, people could make better judgments.
The unsurprising conclusion of the study (and remember, this is from 2001, when XSS was just a baby) describes a consumer hardly different from the one we see today:
The picture of the Internet consumer that emerges from this new focus suggests that many unsophisticated users are struggling to develop effective strategies to transact in a virtual world. When compared to more successful and more mature consumers, they insufficiently discount risk in the presence of trust, are unable to evaluate trust building and assurance mechanisms that they identify on a web site, and are unable to effectively combine the information they gather.
Flash forward to 2010. Last month, the Wall Street Journal published an article, Sweet Talking Your Computer, by Stanford professor Clifford Nass, highlighting how people form relationships with computers. And it wasn’t just PCs. German men, for instance, complained about navigation systems that used female voices because they couldn’t trust directions from a woman.
This brings us to Clippy, Microsoft’s failed attempt at helping consumers contend with the complexities of MS Office. But this is where Professor Nass got clever and re-engineered Clippy to turn Microsoft into a scapegoat:
In an experiment, we revised Clippy so that when he made a suggestion or answered a question, he would ask, "Was that helpful?" and then present buttons for "yes" and "no." If the user clicked "no," Clippy would say, "That gets me really angry! Let's tell Microsoft how bad their help system is." He would then pop up an email to be sent to "Manager, Microsoft Support," with the subject, "Your help system needs work!" After giving the user a couple of minutes to type a complaint, Clippy would say, "C'mon! You can be tougher than that. Let 'em have it!"
The system was shown to 25 computer users, and the results were unanimous: People fell in love with the new Clippy. A long-term business user of Microsoft Office exclaimed, "Clippy is awesome!" An avowed "Clippy hater" said, "He's so supportive!"
Perhaps Prof. Nass’ work can help consumers make better judgments. With a new generation growing up with Facebook and Google willing to bulldoze privacy, the issue of consumer ignorance may actually get worse. Perhaps the only way to train consumers to protect their data is to resurrect a “security Clippy” with suggestions like:
- This is a porn site--don't make a hacker rich! Dude, clean up your life and avoid malware all at the same time.
- Last week, this site suffered a big breach. Sure you wanna give them your credit card number?
- If it’s too good to be true, it probably is. Some jerk is trying to take advantage of you. Go have a drink instead.
