{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,2]],"date-time":"2025-08-02T18:19:25Z","timestamp":1754158765461,"version":"3.41.2"},"reference-count":45,"publisher":"Emerald","issue":"1","license":[{"start":{"date-parts":[[2015,3,9]],"date-time":"2015-03-09T00:00:00Z","timestamp":1425859200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2015,3,9]]},"abstract":"<jats:sec><jats:title content-type=\"abstract-heading\">Purpose<\/jats:title><jats:p>\u2013 This paper aims to classify different types of \u201cuser-visible cryptography\u201d and evaluate the value of user-visible cryptographic mechanisms in typical email and web scenarios for non-expert IT users.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Design\/methodology\/approach<\/jats:title><jats:p>\u2013 The authors review the existing literature, and then identify user stories typical to their users of interest. They analyse the risks, mitigations of risks and the limits of those mitigations in the user stories.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Findings<\/jats:title><jats:p>\u2013 The scenarios identified suggest that background, opportunistic encryption has value, but more explicit, user-visible cryptographic mechanisms do not provide any further mitigation. Other mechanisms beyond technological mitigations provide the required mitigation for the users.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Research limitations\/implications<\/jats:title><jats:p>\u2013 Further work should be carried out on the trust issues with trusted third parties, as they are intrinsic to global, automated cryptographic mechanisms. 
The authors suggest that deployed systems should rely on automation rather than explicit user involvement; further work on how best to involve users effectively remains valuable.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Practical implications<\/jats:title><jats:p>\u2013 Deployed systems should rely on automation rather than explicit user dialogues. This follows from recognised aspects of user behaviour, such as ignoring dialogues and unconsciously making a holistic assessment of risk that is mostly mitigated by social factors.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Social implications<\/jats:title><jats:p>\u2013 The user populations concerned rely significantly on the existing legal and social infrastructure to mitigate some risks, such as those associated with e-commerce. Guarantees from third parties and the existence of fallback procedures improve user confidence.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Originality\/value<\/jats:title><jats:p>\u2013 This work uses user stories as a basis for a holistic review of the issues surrounding the use of cryptography. 
The authors concentrate on a relatively large population (non-expert IT users) carrying out typical tasks (web and email).<\/jats:p><\/jats:sec>","DOI":"10.1108\/ics-07-2013-0054","type":"journal-article","created":{"date-parts":[[2015,2,26]],"date-time":"2015-02-26T06:35:30Z","timestamp":1424932530000},"page":"58-72","source":"Crossref","is-referenced-by-count":1,"title":["User-visible cryptography in email and web scenarios"],"prefix":"10.1108","volume":"23","author":[{"given":"Phil","family":"Brooke","sequence":"first","affiliation":[]},{"given":"Richard","family":"Paige","sequence":"additional","affiliation":[]}],"member":"140","reference":[{"key":"key2020122521291800800_b1","unstructured":"BitDefender (2010), \u201cBitdefender finds exposed social media credentials often provide access to email accounts\u201d, available at: www.bitdefender.co.uk\/NW1684-uk\u2013BitDefender-Finds-Exposed-Social-Media-Credentials-Often-Provide-Access-to-Email-Accounts.html (accessed 29 July 2011)."},{"key":"key2020122521291800800_b2","doi-asserted-by":"crossref","unstructured":"B\u00f6hme, R. and Grossklags, J. (2011), \u201cThe security cost of cheap user interaction\u201d, Proceedings of the New Security Paradigms Workshop , California, 12-15 September.","DOI":"10.1145\/2073276.2073284"},{"key":"key2020122521291800800_b3","unstructured":"Brooke, P.J. and Paige, R.F. (2013), \u201cThe value of user-visible internet cryptography\u201d, available at: http:\/\/arxiv.org\/abs\/1303.1948"},{"key":"key2020122521291800800_b4","doi-asserted-by":"crossref","unstructured":"Brooke, P.J. , Paige, R.F. and Power, C. (2010), \u201cDocument-centric XML workflows with fragment digital signatures\u201d, Software Practice & Experience , Vol. 40 No. 8, pp. 
655-672.","DOI":"10.1002\/spe.974"},{"key":"key2020122521291800800_b5","unstructured":"Cisco (2011), \u201cCisco IronPort email security appliances\u201d, available at: www.cisco.com\/en\/US\/products\/ps10154\/index.html (accessed 29 July 2011)."},{"key":"key2020122521291800800_b6","unstructured":"Convergence (2011), \u201cConvergence\u201d, available at: http:\/\/convergence.io\/ (accessed 24 July 2012)."},{"key":"key2020122521291800800_b7","unstructured":"Corbet, J. (2011), \u201cFraudulent *.google.com certificate issued\u201d, available at: http:\/\/lwn.net\/Articles\/456798\/ (accessed 8 September 2011)."},{"key":"key2020122521291800800_b8","unstructured":"Cranor, L.F. and Garfinkel, S. (Eds) (2005), Security and Usability: Designing Secure Systems that People Can Use , O\u2019Reilly."},{"key":"key2020122521291800800_b9","doi-asserted-by":"crossref","unstructured":"Ellison, C.M. (2004), \u201cSPKI\/SDSI certificates\u201d, available at: http:\/\/world.std.com\/\u223ccme\/html\/spki.html (accessed 29 July 2011).","DOI":"10.1007\/978-1-4419-5906-5_135"},{"key":"key2020122521291800800_b10","doi-asserted-by":"crossref","unstructured":"Friedman, B. , Hurley, D. , Howe, D.C. , Felten, E. and Nissenbaum, H. (2002), \u201cUsers\u2019 conceptions of web security: a comparative study\u201d, Extended Abstracts of CHI 2002 Conference on Human Factors in Computing Systems, ACM Press, New York, NY, pp. 746-747.","DOI":"10.1145\/506443.506577"},{"key":"key2020122521291800800_b11","doi-asserted-by":"crossref","unstructured":"Furnell, S. (2007), \u201cMaking security usable: are things improving?\u201d, Computers & Security , Vol. 26, pp. 434-443.","DOI":"10.1016\/j.cose.2007.06.003"},{"key":"key2020122521291800800_b12","doi-asserted-by":"crossref","unstructured":"Furnell, S. , Jusoh, A. and Katsabas, D. (2006), \u201cThe challenges of understanding and using security: a survey of end-users\u201d, Computers & Security , Vol. 25 No. 1, pp. 
27-35.","DOI":"10.1016\/j.cose.2005.12.004"},{"key":"key2020122521291800800_b13","doi-asserted-by":"crossref","unstructured":"Garfinkel, S.L. (2003a), \u201cEmail-based identification and authentication: an alternative to PKI?\u201d, IEEE Security & Privacy , Vol. 1 No. 6, pp. 20-26.","DOI":"10.1109\/MSECP.2003.1253564"},{"key":"key2020122521291800800_b14","unstructured":"Garfinkel, S.L. (2003b), \u201cEnabling email confidentiality through the use of opportunistic encryption\u201d, Proceedings of the 2003 Annual National Conference Digital Government Research , Boston, MA."},{"key":"key2020122521291800800_b15","doi-asserted-by":"crossref","unstructured":"Garfinkel, S.L. and Miller, R.C. (2005), \u201cJohnny 2: a user test of key continuity management with S\/MIME and Outlook Express\u201d, Proceeding of Symposium on Usable Privacy and Security , Pittsburgh, PA.","DOI":"10.1145\/1073001.1073003"},{"key":"key2020122521291800800_b16","unstructured":"Gutmann, P. (2003), \u201cPlug-and-play PKI: a PKI your mother can use\u201d, Proceedings of the 12th USENIX Security Symposium , Auckland University, pp. 45-58."},{"key":"key2020122521291800800_b17","unstructured":"Gutmann, P. (2004), \u201cWhy isn\u2019t the Internet secure yet, dammit?\u201d, available at: www.cs.auckland.ac.nz\/\u223cpgut001\/pubs\/dammit.pdf"},{"key":"key2020122521291800800_b18","doi-asserted-by":"crossref","unstructured":"Gutmann, P. and Grigg, I. (2005), \u201cSecurity usability\u201d, IEEE Security & Privacy , Vol. 3 No. 4, pp. 56-58.","DOI":"10.1109\/MSP.2005.104"},{"key":"key2020122521291800800_b19","doi-asserted-by":"crossref","unstructured":"Herley, C. 
(2009), \u201cSo long, and no thanks for the externalities: the rational rejection of security advice by users\u201d, Proceedings of the New Security Paradigms Workshop , ACM, New York, NY.","DOI":"10.1145\/1719030.1719050"},{"key":"key2020122521291800800_b20","unstructured":"HMSO (1998), Data Protection Act (c.29)."},{"key":"key2020122521291800800_b21","unstructured":"HMSO (2000), Electronic Communications Act (c.7)."},{"key":"key2020122521291800800_b22","unstructured":"Hushmail (2010), \u201cUsing Java with Hushmail\u201d, available at: https:\/\/help.hushmail.com\/entries\/245155-using-java-with-hushmail (accessed 19 July 2011)."},{"key":"key2020122521291800800_b23","unstructured":"Hushmail (2011), \u201cHow Hushmail can protect you\u201d, available at: www.hushmail.com\/about\/technology\/security\/ (accessed 19 July 2011)."},{"key":"key2020122521291800800_b24","doi-asserted-by":"crossref","unstructured":"Ibrahim, T. , Furnell, S.M. , Papadaki, M. and Clarke, N.L. (2010), \u201cAssessing the usability of end-user security software\u201d, in Katsikas, S. , Lopez, J. and Soriano, M. (Eds), Proceedings of TrustBus , Vol. 6264, pp. 177-189.","DOI":"10.1007\/978-3-642-15152-1_16"},{"key":"key2020122521291800800_b25","unstructured":"InfoSecurity (2011), \u201cComodo certificate compromise has Iranian fingerprints\u201d, available at: www.infosecurity-magazine.com\/view\/16874\/comodo-certificate-compromise-has-iranian-fingerprints\/ (accessed 29 July 2011)."},{"key":"key2020122521291800800_b26","doi-asserted-by":"crossref","unstructured":"Jackson, C. , Simon, D.R. , Tan, D.S. and Barth, A. (2007), \u201cAn evaluation of extended validation and picture-in-picture phishing attacks\u201d, 11th International Conference, FC 2007, and 1st International Workshop on Usable Security, Scarborough, 12-16 February.","DOI":"10.1007\/978-3-540-77366-5_27"},{"key":"key2020122521291800800_b27","doi-asserted-by":"crossref","unstructured":"Kapadia, A. 
(2007), \u201cA case (study) for usability in secure email communication\u201d, IEEE Security & Privacy , Vol. 5 No. 2, pp. 80-84.","DOI":"10.1109\/MSP.2007.25"},{"key":"key2020122521291800800_b28","doi-asserted-by":"crossref","unstructured":"Kazman, R. , Abowd, G.D. , Bass, L.J. and Clements, P.C. (1996), \u201cScenario-based analysis of software architecture\u201d, IEEE Software , Vol. 13 No. 6, pp. 47-55.","DOI":"10.1109\/52.542294"},{"key":"key2020122521291800800_b29","doi-asserted-by":"crossref","unstructured":"Kirlappos, I. , Sasse, M.A. and Harvey, N. (2012), \u201cWhy trust seals don\u2019t work: a study of user perceptions and behaviour\u201d, Proceedings of TRUST 2012 , Vienna, pp. 308-324.","DOI":"10.1007\/978-3-642-30921-2_18"},{"key":"key2020122521291800800_b30","doi-asserted-by":"crossref","unstructured":"Lacohee, H. , Phippen, A.D. and Furnell, S.M. (2006), \u201cRisk and restitution: assessing how users establish online trust\u201d, Computers and Security , Vol. 25, pp. 486-493.","DOI":"10.1016\/j.cose.2006.09.001"},{"key":"key2020122521291800800_b31","doi-asserted-by":"crossref","unstructured":"Likarish, P. , Jung, E. , Dunbar, D. , Hansen, T.E. and Hourcade, J.P. (2008), \u201cB-APT: Bayesian anti-phishing toolbar\u201d, IEEE International Conference on Proceeding of the Communications .","DOI":"10.1109\/ICC.2008.335"},{"key":"key2020122521291800800_b35","unstructured":"McQueen, M. (2010), \u201cSoftware and human vulnerabilities (implications for protection of our critical infrastructures)\u201d, Proceeding of the IECON, Phoenix, AZ, Tutorial slides."},{"key":"key2020122521291800800_b32","doi-asserted-by":"crossref","unstructured":"Martin, L. (2006), \u201cFitting square pegs into round holes\u201d, IEEE Security & Privacy , Vol. 4 No. 5, pp. 64-66.","DOI":"10.1109\/MSP.2006.120"},{"key":"key2020122521291800800_b33","unstructured":"Mason, S. and Brombay, M. 
(2012), \u201cResponse to Digital Agenda for Europe: electronic identification, authentication and signatures in the European digital single market public consultation\u201d, European Journal of Law and Technology , Vol. 3 No. 1, available at: www.law.ed.ac.uk\/ahrc\/ITTT\/EU_Electronic_signature_consultation_Bileta_submission.pdf (accessed 12 March 2013)."},{"key":"key2020122521291800800_b34","doi-asserted-by":"crossref","unstructured":"Mason, S. (2012), Electronic Signatures in Law , 3rd ed., Cambridge University Press, Cambridge.","DOI":"10.1017\/CBO9780511998058"},{"key":"key2020122521291800800_b36","unstructured":"PCI Security Standards Council (2010), \u201cData security standard\u201d, available at: www.pcisecuritystandards.org\/security_standards\/index.php (accessed 24 July 2012)."},{"key":"key2020122521291800800_b37","doi-asserted-by":"crossref","unstructured":"Perlman, R. (1999), \u201cAn overview of PKI trust models\u201d, IEEE Network , Vol. 13 No. 6.","DOI":"10.1109\/65.806987"},{"key":"key2020122521291800800_b38","doi-asserted-by":"crossref","unstructured":"Reid, R.C. , Platt, R.G. and Wei, J. (2005), \u201cA teaching module to introduce encryption for web users\u201d, Proceeding of Information Security Curriculum Development Conference , Kennesaw, GA, pp. 60-65.","DOI":"10.1145\/1107622.1107636"},{"key":"key2020122521291800800_b39","doi-asserted-by":"crossref","unstructured":"Shamir, A. (1985), \u201cIdentity-based cryptosystems and signature schemes\u201d, in Blakley, , G. , Chaum, and D. (Eds), Advances in Cryptology , Springer-Verlag, pp. 47-53.","DOI":"10.1007\/3-540-39568-7_5"},{"key":"key2020122521291800800_b40","unstructured":"Shultze, S. (2012), \u201cFirefox changes its https user interface [\u2026] again\u201d, available at: https:\/\/freedom-to-tinker.com\/blog\/sjs\/firefox-changes-its-https-user-interface-again\/ (accessed 26 July 2012)."},{"key":"key2020122521291800800_b41","unstructured":"Singel, R. 
(2007), \u201cEncrypted e-mail company Hushmail spills to Feds\u201d, available at: www.wired.com\/threatlevel\/2007\/11\/encrypted-e-mai\/ (accessed 29 July 2011)."},{"key":"key2020122521291800800_b42","doi-asserted-by":"crossref","unstructured":"Straub, T. and Baier, H. (2004), \u201cA framework for evaluating the usability and the utility of PKI-enabled applications\u201d, Proceedings of the European PKI Workshop: Research and Applications (EuroPKI\u201804) , Vol. 3093, Springer-Verlag, pp. 112-125.","DOI":"10.1007\/978-3-540-25980-0_9"},{"key":"key2020122521291800800_b43","doi-asserted-by":"crossref","unstructured":"Sweikata, M. , Watson, G. and Frank, C. (2009), \u201cThe usability of end user cryptographic products\u201d, Proceedings of Information Security Curriculum Development Conference , Kennesaw, GA, pp. 55-59.","DOI":"10.1145\/1940976.1940988"},{"key":"key2020122521291800800_b44","unstructured":"Wendlandt, D. , Andersen, D.G. and Perrig, A. (2008), \u201cPerspectives: improving SSH-style host authentication with multi-path probing\u201d, Proceeding of USENIX Annual Technical Conference, USENIX Association, Berkeley, CA."},{"key":"key2020122521291800800_b45","unstructured":"Whitten, A. and Tygar, J.D. (2005), \u201cWhy Johnny can\u2019t encrypt: a usability evaluation of PGP 5.0\u201d, in Cranor, , L.F. , Garfinkel, and S. (Eds), Security and Usability: Designing Secure Systems that People Can Use , O\u2019Reilly, pp. 
669-692."}],"container-title":["Information & Computer Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.emeraldinsight.com\/doi\/full-xml\/10.1108\/ICS-07-2013-0054","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-07-2013-0054\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-07-2013-0054\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:23:00Z","timestamp":1753406580000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/23\/1\/58-72\/111038"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2015,3,9]]},"references-count":45,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2015,3,9]]}},"alternative-id":["10.1108\/ICS-07-2013-0054"],"URL":"https:\/\/doi.org\/10.1108\/ics-07-2013-0054","relation":{},"ISSN":["2056-4961"],"issn-type":[{"type":"print","value":"2056-4961"}],"subject":[],"published":{"date-parts":[[2015,3,9]]}}}