Crying Wolf: Do Security Warnings Help?


Like the boy who cried wolf, have Internet security warnings lost their credibility?

After studying the behavior of more than 400 Internet users, Carnegie Mellon University computer researchers concluded that because users encounter so many pop-up warnings in benign situations, they have become immune to the messages.

Convinced that the warnings mean little, if anything at all, they leave themselves open to attack when they do click their way into dangerous territory.

But psychologists and public safety experts say this problem isn't reserved to the virtual world. The Department of Homeland Security's Advisory System, which has been under review since July 14, has been the subject of ridicule for the very same reason: The notoriously vague warnings are so pervasive they're hard to take seriously.

Internet Users 'Swat' Away Pop-Up Warnings

The Carnegie Mellon researchers, who will present their findings in August at the Usenix Security Symposium in Montreal, say some Internet warnings are so ineffective they should be reduced or eliminated altogether.

"People get pop-ups in their browsers and they say something about security and they don't know what they are, so they swat them away," said Lorrie Cranor, associate professor of computer science and engineering at Carnegie Mellon. "Nothing bad happened before and they think nothing bad will happen again."

In the study, Cranor and a team of graduate students observed 409 Internet users to examine their reactions to and understanding of Secure Sockets Layer (SSL) warnings, which are intended to validate the authenticity of Web sites.

Most times a user receives a pop-up SSL warning, it means the certificate has expired for harmless reasons. But sometimes the warning indicates that the user could be a victim of a cyberattack.

However, because users are practically trained to ignore the warnings, Cranor said they remain vulnerable to those threats.

Security Researcher: Reduce or Eliminate Warnings

Though the study focused only on SSL warnings, Cranor said Internet users behave similarly when faced with other kinds of online warnings.

"People don't even notice the message," she said. "They see this thing and they just assume that they know what it says."

Cranor and the other researchers say the warning systems should be improved so that the pop-ups for the different threat levels are more visually distinct and easier to understand. The warnings for the riskiest situations should be red, for example, and those for less serious threats should be less alarming colors.

But the best solution? To reduce or completely eliminate the use of warnings, they say.

Cranor acknowledged that this requires more intelligence on the part of the browser and, therefore, more work and money on the part of those who develop them, but emphasized, "My browser should just protect me, not warn me."

What About Homeland Security's Warning System?

In a similar vein, some have argued that the government should just protect its citizens from terrorist threats and not warn them through the Department of Homeland Security's Advisory System (HSAS).

The most serious threat level is "Severe" or "Red," but the country has been almost permanently parked in "Elevated" or "Yellow" since the system's launch. Travelers might note that all domestic or international flights are said to be in "High" or "Orange."
