SaTC: CORE: Small: Understanding Socio-Technical Failure Modes in Public Key Infrastructures

Project Details

Lead PI

Performance Period

Aug 01, 2018 - Jul 31, 2019

Institution(s)

Indiana University

Award Number


To avoid phishing and to know which website to trust, people are told to "look for the lock" and "read the url." However, the display of a lock or other signals of safety does not guarantee that the site is trustworthy, free of malware, or not a phishing attack. This research includes consultation with industry technical professionals and policy makers in all sectors of the economy to better understand the gaps between ideal safety and practice. One of these potential gaps is between what citizens using the Internet believe about public key certificates and the knowledge that technologists assume people have. Another potential gap is between how policy makers want to use certificates and encryption to achieve a set of security goals and what is already built into the infrastructure that may prevent such security. The core goals of this work are to characterize the expectations of nontechnical groups, enumerate the assumptions of technologists, and use this understanding to bridge the two in order to move towards shared goals for a more trustworthy network.

Choosing the focus and level of the interventions required to create a shared and trustworthy infrastructure requires domain knowledge to understand the specific risks, for example in transportation as opposed to routing communications. This knowledge in turn requires empirical investigation to understand the risk perceptions of the various stakeholders. Customization of interventions may depend on demographic variables, or on more transient variables such as expertise or time spent interacting with a system. This research will investigate one or more domains, with the result being either a recommendation for a change in the implementation of the Public Key Infrastructure (PKI), an interaction design, risk communication, integrated network sensing, or some combination of these. This project is for planning appropriate methodologies to design, implement, and evaluate these potential solutions.