The Emperor's New Security Indicators is an extremely interesting (and terrifying) paper presented at the 2007 IEEE Symposium on Security and Privacy.
Mandatory reading for anybody working on security, and it should prove very interesting for everybody else.
Conclusions from the paper:
- Users will enter their passwords even when HTTPS indicators are absent
- Users will enter their passwords even if their site authentication images are absent
- Site authentication images may cause users to disregard other important security indicators
- Role playing has a significant negative effect on the security vigilance of study participants
- 36% of study participants who were using their own personal banking account chose to log in after seeing an explicit warning page saying that the connection was probably insecure