Lorrie Cranor Carnegie-Mellon University
Supporting Trust Decisions
Internet users frequently encounter situations in which they are asked to make implicit or explicit trust decisions. Examples of such decisions include decisions about whether or not to open an email attachment or provide information and decisions made in response to specific trust- or security-related prompts. The consequences of a wrong decision include infecting their own computers with malware or spyware, unwittingly propagating malware, and revealing information to con artists and identity thieves. Attackers are able to take advantage of most users' poor trust decision-making skills through a class of attacks known as "semantic attacks." While some efforts have been made to find ways of developing information systems that do not force users to make security- or trust-related decisions that they are not prepared to make, it is not always possible for systems to make accurate trust decisions on a user's behalf, especially when those decisions require knowledge of contextual information. There remain many trust decisions that users must therefore make on their own, usually with limited or no assistance or protections from their computer. The goal of this research is to develop approaches to supporting users when they make these trust decisions so that they are better informed and make the best decisions possible. The research will begin with a mental models study aimed at understanding and modeling how people make trust decisions in the online context and ultimately result in the development and evaluation of new software and design patterns.
