• DocumentCode
    2486819
  • Title

    Don´t work. Can´t work? Why it´s time to rethink security warnings

  • Author

    Krol, Kat ; Moroz, Matthew ; Sasse, M. Angela

  • Author_Institution
    Dept. of Comput. Sci., Univ. Coll. London, London, UK
  • fYear
    2012
  • fDate
    10-12 Oct. 2012
  • Firstpage
    1
  • Lastpage
    8
  • Abstract
    As the number of Internet users has grown, so have the security threats that they face online. Security warnings are one key strategy for trying to warn users about those threats; but recently, it has been questioned whether they are effective. We conducted a study in which 120 participants brought their own laptops to a usability test of a new academic article summary tool. They encountered a PDF download warning for one of the papers. All participants noticed the warning, but 98 (81.7%) downloaded the PDF file that triggered it. There was no significant difference between responses to a brief generic warning, and a longer specific one. The participants who heeded the warning were overwhelmingly female, and either had previous experience with viruses or lower levels of computing skills. Our analysis of the reasons for ignoring warnings shows that participants have become desensitised by frequent exposure and false alarms, and think they can recognise security risks. At the same time, their answers revealed some misunderstandings about security threats: for instance, they rely on anti-virus software to protect them from a wide range of threats, and do not believe that PDF files can infect their machine with viruses. We conclude that security warnings in their current forms are largely ineffective, and will remain so, unless the number of false positives can be reduced.
  • Keywords
    Internet; alarm systems; computer viruses; laptop computers; Internet users; PDF file download warning; academic article summary tool; antivirus software; computing skills; false alarms; false positives; generic warning; laptops; online security threat protection; security risks; security warnings; usability test; Browsers; Google; Internet; Interviews; Portable computers; Security;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Risk and Security of Internet and Systems (CRiSIS), 2012 7th International Conference on
  • Conference_Location
    Cork
  • Print_ISBN
    978-1-4673-3087-9
  • Electronic_ISBN
    978-1-4673-3088-6
  • Type

    conf

  • DOI
    10.1109/CRISIS.2012.6378951
  • Filename
    6378951