During the history of computer security, there are a large number of examples of the right answers to the wrong questions. For example, cryptographers (myself included) busied themselves for nearly a decade developing privacy-preserving payment systems, not realizing that privacy was seen as an insurmountable obstacle by financial institutions concerned with fraud detection, abuse prevention, and mandated record keeping. While one may argue that the development of privacy-preserving technology could have extended to address such concerns, this never happened, maybe just because academics were unaware of the constraints of reality.
Similarly, when I started working on understanding the threat of phishing around the year 2000, the reaction I got was almost always “That won’t happen, and if it does, there will be one article about it in the Times, and then everybody will know to look for the SSL lock.” I don’t want to gloat, but we know now that it is just not that simple. To prove that to people then, I started designing experiments. For quite some time, these experiments were informal and were never published — I never got IRB approval. Later, I carried out more rigorous experiments, with approval from IRB and legal — examples are my phishing experiments on Facebook users and eBay users, and on how malware might spread over social networks. That was to show how people really react, to prove my point. Soon afterwards, phishing was a common word in the media, and no point needed to be proven. But there was still a need for experiments — to understand the exact nature of the threat, how people react to it, and to test how people may react to as yet non-existent threats. From then on, the user was always a part of the picture for me.
Recognizing the constraints of reality — whether technological, legal, social or cultural — is a necessary part of being able to formulate the right questions. Understanding just one of these dimensions is insufficient: for security to be relevant, it needs to be holistic, considering all dimensions. Speaking of which, I think it is actually possible to take a big bite out of web and app spoofing, if we are willing to challenge our preconceived notions!