If I’m tweeting about how I’m tasting wines in the New York Finger Lakes area (as I did last weekend), I am not interested in knowing about a sale on wines in Ontario. You know what kind of tweet I would have found useful? Something from the local tourism board telling me that I really shouldn’t miss this or that attraction. For example, we discovered the Sonnenberg Gardens quite by accident and even though a large part of it was under construction, it was well worth the afternoon we spent there.

Of all the unsolicited tweets that I have received from companies, there has only been one that I received that I thought was appropriate. After tweeting that I liked a particular feature on my new Janome sewing machine, I got a tweet from Janome saying thanks. And that was it. They didn’t try to upsell me on a new machine, they just had a short but relevant conversation with me.

But I guess you other folks haven’t really read the cluetrain manifesto. More’s the pity.

Tags: twitter, marketing

The first one isn’t directly about trust, but more about learning how to cooperate when there are minimal social cues available, was written by Andrew M. Colman, Briony D. Pulford, David Omtzigt and Ali al-Nowaihi, and is entitled Learning to cooperate without awareness in multiplayer minimal social situations, Cognitive Science, vol. 61, issue 3, pp. 201-227, 2010.

Experimental and Monte Carlo methods were used to test theoretical predictions about adaptive learning of cooperative responses without awareness in minimal social situations—games in which the payoffs to players depend not on their own actions but exclusively on the actions of other group members. In Experiment 1, learning occurred slowly over 200 rounds in a dyadic minimal social situation but not in multiplayer groups. In Experiments 2–4, learning occurred rarely in multiplayer groups, even when players were informed that they were interacting strategically and were allowed to communicate with one another but were not aware of the game’s payoff structure. Monte Carlo simulation suggested that players approach minimal social situations using a noisy version of the win–stay, lose–shift decision rule, deviating from the deterministic rule less frequently after rewarding than unrewarding rounds.

The second one is more about trustworthiness and what factors can have an impact on it. It was written by Luke J. Chang, Bradley B. Doll, Mascha van ’t Wout, Michael J. Frank and Alan G. Sanfey, and is entitled Seeing is believing: Trustworthiness as a dynamic belief, vol. 61, issue 2, pp. 87-105, 2010.

Recent efforts to understand the mechanisms underlying human cooperation have focused on the notion of trust, with research illustrating that both initial impressions and previous interactions impact the amount of trust people place in a partner. Less is known, however, about how these two types of information interact in iterated exchanges. The present study examined how implicit initial trustworthiness information interacts with experienced trustworthiness in a repeated Trust Game. Consistent with our hypotheses, these two factors reliably influence behavior both independently and synergistically, in terms of how much money players were willing to entrust to their partner and also in their post-game subjective ratings of trustworthiness. To further understand this interaction, we used Reinforcement Learning models to test several distinct processing hypotheses. These results suggest that trustworthiness is a belief about probability of reciprocation based initially on implicit judgments, and then dynamically updated based on experiences. This study provides a novel quantitative framework to conceptualize the notion of trustworthiness.

Cute, eh? Turns out that Amy had been inspired by the vintage projects on this page at Cathy of California’s blog. If you look at the image there, the owl case is somewhat different and I much preferred its look.

I printed out Amy’s instructions and bought a bunch of felt in various colors:

I modified a few of the things in the instructions, made the eyes smaller, changed the feathers’ look, and added an extra layer on which I would sew the owl’s features:

I then tried everything together to see what it would look like before I started sewing:

Here’s what it looks like as I was hand-sewing the owl body:

Then I hand-sewed the owl body to the one of the pieces of the case itself:

Here it is, finished (and closed):

I sewed a snap fastener to shut it closed:

The “beak” hides the fastener.

I like it. It’s far from perfect, but I think it’s cute.

Tags: sewing, sunglass, case, owl

Cover page of the book:

Thanks, I just wanted to sqee a bit.

Wow, that just screams phishing attack to me, how about you?

And yet. And yet, this was a genuine email, with a genuine link to a genuine site.

You know what the saddest part of all this is? It’s an email from a security conference.

Talk about training people to do the wrong thing.

Tags: security, phishing, email

I tried Google Wave a couple of times but it never seemed to me as though it could really improve on a simple email exchange. I am sure that there are cases where Wave would have been more appropriate, but it never felt that it would be useful to me. Although I did enjoy those adaptations of movies to Wave. But that’s not a typical use of a CMC.

Via Gizmodo.

Tags: Wave, Google

This year, I thought I’d have read at least 20 papers on trust and security issues by the end of August. Do you know how many I’ve managed to read up to now? Five. A lousy five papers. Sigh.

There are several explanations. For one, I spent a week preparing for, going to, and then finishing up my yearly conference. Then there was the emotional avatars article we had been working on and which I turned into an internal paper. That required more work than expected, having to translate the paper into French, and submitting it to a variety of people for them to sign off on it. Then recently, I had to work on the renewal of my security clearance. That took me a couple of days.

But mostly, I think it’s been slow going through the papers because this is a totally new area for me, so I can’t just skip over anything. I’ve been taking down copious notes and creating a list of other papers to add to my to-read pile. It makes reading any paper a very slow enterprise. Last week, I thought to myself, if I’m going to take so many notes, I might as well write an internal paper. This might slow me down even more, but at least it will help me really connect all the ideas I’ve been reading about and hopefully understand even better the whole area of e-commerce trust.

So that’s where I am at the moment. Still struggling with understanding how humans form trust in e-commerce situations.

Ah well, at least it’s been a nice, sunny and warm summer.

This year’s SOUPS was held on the Microsoft campus itself, or at least one of them in the Seattle area (so I’ve been told). And it really is a campus, just like a university campus, with a huge number of buildings regrouped in the same area of Bellevue/Redmond. Apparently, the building we were at was where they work on the XBox. Or maybe it was next to the buildings where they work on that project. At least, that’s what the taxi driver told me. I wouldn’t be surprised, as there was a guy testing the Xbox 360 Knect system (unfortunately, I was never able to get myself organized enough to become a participant). One nice thing about the building where we were was the large cafeteria, with a variety of food outlets where we could get lunch without leaving the campus. The Post-it wizard in Figure 1 was in one of the buildings right next to where the conference was.

Fig. 1. Eight-bit wizard made from Post-it notes. Somebody at Microsoft has a lot of patience

Wednesday was workshop day, and although I hadn’t signed up in advance, I ended up attending the Usable Security Experiment Reports (USER) Workshop, organized by Sonia Chiasson and Robert Biddle of Carleton University. This turned out to be of value to me as the workshop was all about the various experimental procedures that are used in usable security and their advantages and disadvantages. Some of the issues mentioned are typical of all research (e.g., laboratory experiments have low ecological validity), but most were specific to usable security (e.g., the difficulties associated with observing secure behaviour in the field). One lesson that I took away from the workshop was the fact that security is a secondary task and that people’s primary task is something else: I have to log in (secondary task) to the website so that I can access my email (primary task); I have to set up a secure wireless home system (secondary task) so that I can securily connect my laptop to the internet (secondary task) so that I can look at YouTube videos (primary task).

I also learned that some researchers are using Amazon’s Mechanical Turk as a source of participants for certain types of research. I’ll have to go read the paper but I have the impression this approach works best for studies where you’re trying to recruit people to fill out questionnaires. It’s not perfect - the population using Mechanical Turk is not a reflection of the population at large - but unless you’re Statistics Canada (or a large corporation), you’re always going to get bias when recruiting participants. The important thing is to be aware of the bias and mention it in your research report. For a researcher in my situation, with access to a very limited participant pool unless I associate myself with an academic researcher, Mechanical Turk may be a good source for recruiting participants. My immediate plan is to sign up for it myself and test it out for a couple of weeks to see how it works.

The day ended with a barbecue.

Thursday morning was dedicated to authentication, with the first session being on passwords and accounts and the second on authentication for mobile devices. As there is already a lot of research going on in the area of authentication, I don’t think I’m going to select this as my primary research subject. Although, you never know, I’ve gotten into research areas I didn’t expect to just from knowing people. Anyway, I think I missed a good opportunity for a question. I should have brought along my World of Warcraft authenticator and asked people’s opinion about this kind of system.

In the afternoon, the first session was on privacy policies and the second session was a discussion session where people split up into various groups and talked about different subjects. As there wasn’t anything on trust, I joined the discussion on usable security and privacy for mobile devices.

That evening, we went on a dinner cruise.

Fig. 2. The Carleton Contingent at the prow of the cruise ship

Fig. 3. View from the cruise ship: Mount Rainier and a bridge

Friday morning’s first session was all about security policies, models and decision making. Lots of really fascinating research presented here, from the difference between the security of government and university sites versus corporate sites (such as Amazon) (surprise! the corporate sites require less secure passwords than government or university sites); to the mental models that people have about viruses and hackers (key takeaway: always explain why you want people to take security action X because if it doesn’t correspond to their mental model, they won’t do it); to how to help people set up a secure wireless home network (dear Ho, Truong & Dearman, please make your system available to everyone); to how to make people read your EULAs (surprise! use good visual design).

The second session was all over the place: the impact of sharing location feedback on mobile devices; using mobile devices to make parents feel more secure about their teenager’s whereabouts (this paper left me very skeptical, but mostly because I believe that technology is not the answer for this issue; other people feel differently); and a field study of real world ATM use (interesting study if only for the whole problem of observing people use ATMs without actually observing their pins or creeping people out).

In the afternoon there was a panel on crowdsourcing and cloud computing which was interesting. Unfortunately, a lot of people had already left so there wasn’t as much interaction from the audience as there should have been.

The day ended with an ice cream social and a short visit to one of the Microsoft usability research labs. If they were planning on making me jealous, it worked.

If you’re interested in seeing more photos from SOUPS 2010, there is my set at Flickr as well as Mary Ellen Zurko’s. Oh, and Mary Ellen has one of me in there. How embarrassing.

Updated 26 July
For another view of SOUPS 2010, there is Dana Chisnell’s report on the symposium. Like me, she was a first-time attendee. Unlike me, Dana is already familiar with the area of usable security, so her insights are interesting.

Tags: SOUPS2010, security, usability, privacy

And so, for a variety of practical reasons, I’m concentrating on trust at the moment. There are basically two types of trust papers: computational trust and human trust. Computational trust attempts to model human trust and is conducted mostly by computer scientists. Human trust explores actual human trust behaviour and is conducted mostly by social scientists (psychologists, sociologists, marketing researchers, etc.). My colleagues here at the CRC are working on computational trust and good for them, but I just cannot do it. Well, I suppose I could, but really, it would take me forever to get to a point where I can understand and create models of trust, whereas they’re already doing an excellent job of it.

So I’m going to concentrate on human behaviour since my background is in psychology, and my subject of choice at the moment is the impact of trust in online retail.

By the way, if you’re aware of a seminal paper on this subject, I’d appreciate the pointer. Even by concentrating on this specific subject, I’ve still got a lot of papers to read through and I’d really like to be able to concentrate on the important stuff.

One of the hardest things to do when you start doing research in a new area is figuring out what you should be working on. You need to find out (a) what people have been working on; (b) what the hot topics are at the moment; (c) what the future hot topics will probably be; and (d) what kind of work you can do, preferably from column (c). There are only two ways to do this: talk with other people who are working in the area and read what’s been published in the area.

Because I know practically nothing about usable security, I’ve decided to start off gently, by skimming all of the research papers that have been published at SOUPS from 2005 to 2009. This gives me an idea of the type of work that’s being done without having to read all of it.

The following is a first draft of the themes covered in the papers and posters presented at SOUPS from 2005 to 2009, so there may be some errors in how I’ve regrouped items and in how I’ve classified papers, but it should give you an idea of what people have been working on in the usable security area: SOUPS Research Categories (PDF file)

One thing that surprised me was the almost total absence of work on biometrics. Maybe there isn’t much you can do there, usability-wise? I don’t know. On the other hand, there is a lot of work going on in access control (who can read what where), in authentication (how to improve passwords and challenge questions), in privacy and website privacy policies, and in security (not surprisingly, since it’s a symposium on privacy and security).

As I said, it’s a first draft, so feel free to comment.

Tags: SOUPS, usable security