Self-identified experts lost on the interwebs

Security cues found in web browsers are meant to alert users to potential online threats, yet many studies demonstrate that security indicators are largely ineffective in this regard. Those studies have depended upon self-reporting of subjects' use or aggregate experimentation that correlate responses to sites with and without indicators. We report on a laboratory experiment using eye-tracking to follow the behavior of self-identified computer experts as they share information across popular social media websites. The use of eye-tracking equipment allows us to explore possible behavioral differences in the way experts perceive web browser security cues, as opposed to non-experts. Unfortunately, due to the use of self-identified experts, technological issues with the setup, and demographic anomalies, our results are inconclusive. We describe our initial experimental design, lessons learned in our experimentation, and provide a set of steps for others to follow in implementing experiments using unfamiliar technologies, eye-tracking specifically, subjects with different experience with the laboratory tasks, as well as individuals with varying security expertise. We also discuss recruitment and how our design will address the inherent uncertainties in recruitment, as opposed to design for an ideal population. Some of these modifications are generalizable, together they will allow us to run a larger 2x2 study, rather than a study of only experts using two different single sign-on systems.