Crying Wolf: Do Security Warnings Help?

July 30, 2009— -- Like the boy who cried wolf, have Internet security warnings lost their credibility?

After studying the behavior of more than 400 Internet users, Carnegie Mellon University computer researchers concluded that because users encounter so many pop-up warnings in benign situations, they have become immune to the messages.

Convinced that the warnings mean little, if anything at all, they leave themselves open to attack when they do click their way into dangerous territory.

But psychologists and public safety experts say this problem isn't reserved to the virtual world. The Department of Homeland Security's Advisory System, which has been under review since July 14, has been the subject of ridicule for the very same reason: The notoriously vague warnings are so pervasive they're hard to take seriously.

Internet Users 'Swat' Away Pop-Up Warnings

The Carnegie Mellon researchers, who will present their findings in August at the Usenix Security Symposium in Montreal, say some Internet warnings are so ineffective they should be reduced or eliminated altogether.

"People get pop-ups in their browsers and they say something about security and they don't know what they are, so they swat them away," said Lorrie Cranor, associate professor of computer science and engineering at Carnegie Mellon. "Nothing bad happened before and they think nothing bad will happen again."

In the study, Cranor and a team of graduate students observed 409 Internet users to examine their reactions to and understanding of Secure Sockets Layer (SSL) warnings, which are intended to validate the authenticity of Web sites.

Most times a user receives a pop-up SSL warning, it means the certificate has expired for harmless reasons. But sometimes the warning indicates that the user could be a victim of a cyberattack.

However, because users are practically trained to ignore the warnings, Cranor said they remain vulnerable to those threats.

Security Researcher: Reduce or Eliminate Warnings

Though the study focused only on SSL warnings, Cranor said Internet users behave similarly when faced with other kinds of online warnings.

"People don't even notice the message," she said. "They see this thing and they just assume that they know what it says."

Cranor and the other researchers say the warning systems should be improved so that the pop-ups for the different threat levels are more visually distinct and easier to understand. The warnings for the riskiest situations should be red, for example, and those for less serious threats should be less alarming colors.

But the best solution? To reduce or completely eliminate the use of warnings, they say.

Cranor acknowledged that this requires more intelligence on the part of the browser and, therefore, more work and money on the part of those who develop them, but emphasized, "My browser should just protect me, not warn me."

What About Homeland Security's Warning System?

In a similar vein, some have argued that the government should just protect its citizens from terrorist threats and not warn them through the Department of Homeland Security's Advisory System (HSAS).

The most serious threat level is "Severe" or "Red" but the country has been almost permanently parked in "Elevated or "Yellow" since the system's launch. Travelers might note that all domestic or international flights are said to be in "High" or "Orange."

The color-coded system, which was developed under the Bush administration soon after the terror attacks of Sept. 11, 2001, to inform the public about terror threats, has been the butt of many a joke and the target of many a critique for being too vague to be effective.

"Like yesterday, apparently, [it] went from blue to pink and now half the country thinks we're pregnant," "Tonight Show" host Jay Leno said on March 14, 2002. "To give you an idea how sophisticated this system is, today they added a plaid, in case we were ever attacked by Scotland."

Secretary Napolitano Launches Review of Warning System

On July 14, Department of Homeland Security Secretary Janet Napolitano announced a task force to conduct a 60-day review of the system to assess its effectiveness. Members of the public have also been invited to contribute suggestions and opinions.

As the review is currently in effect, DHS spokesman Matt Chandler wouldn't elaborate on the motivation behind the review or the comments that have been received.

"It's just a review of the current system ... to determine if the system we currently have effectively communicates homeland security threats," he said.

But though the DHS is reluctant to comment on how efficient the system is, others are not.

Jack Cloonan, a 25-year veteran of the FBI and security expert, said that though the system makes sense conceptually, the inability of it to convey details of the threats has rendered the warnings useless to the public and frustrating to security professionals.

Color-Coded System Attracts Ridicule

"In the post 9/11 world, it is not sufficient to just say 'unspecific sources provided vague or uncorroborated information about a possible attack,'" he said. "The criticism the HSAS received was justified in my mind because it lead the public to believe the Secretary and DHS was crying wolf.

"The public tends to become immune to the warnings and sees them as a nuisance," he continued, adding that they need to do away with the simplistic and joke-worthy color-coded system.

As Napolitano shepherds an overhaul of the system, he said she needs to assure the public and private sector that if the threat level is raised there are solid reasons for doing so.

"The HSAS task force needs to scrap the current system in favor of fact-based analysis scored on probability," he said.

But whether warnings refer to Internet or terrorist threats, psychologists say they need to change with those they're trying to protect. Warnings have value, they say, but they have to get our attention first.

"If you're constantly bombarded with the same message over again, you tend to ignore it," said John Grohol, a clinical psychologist and founder of the online mental health resource Psych Central. "The message has lost any intensity or originality or uniqueness in our minds."

Static Messages Don't Work

When it comes to security, he said that if messages convey a constant state of heightened alert but threats never appear, the messages lose their meaning.

For example, he said that as traffic engineers grapple with the problem of getting drivers to slow down in residential areas, signs that simply say "slow down" stop working.

Although drivers might slow down at first, as they learn that they can speed up without hurting anyone, they'll stop heeding the signs.

But, as author Tom Vanderbilt pointed out in his book "Traffic: Why We Drive the Way We Do," Grohol said people slow down when they see people or feel uncertain. Taking their cue from that observation, engineers put up silhouettes of people to change drivers' behavior.

"Novel situations really do get people to slow down," he said, adding that similarly security warnings need to continually come across as unexpected and unique in both the message and the medium.

He acknowledged that Internet and national security may be more challenging, but said the key is to be adaptive and creative.

"[Successful messages] are always changing in order to continue to get people's attention," he said.