DocumentCode
2486819
Title
Don´t work. Can´t work? Why it´s time to rethink security warnings
Author
Krol, Kat ; Moroz, Matthew ; Sasse, M. Angela
Author_Institution
Dept. of Comput. Sci., Univ. Coll. London, London, UK
fYear
2012
fDate
10-12 Oct. 2012
Firstpage
1
Lastpage
8
Abstract
As the number of Internet users has grown, so have the security threats that they face online. Security warnings are one key strategy for trying to warn users about those threats; but recently, it has been questioned whether they are effective. We conducted a study in which 120 participants brought their own laptops to a usability test of a new academic article summary tool. They encountered a PDF download warning for one of the papers. All participants noticed the warning, but 98 (81.7%) downloaded the PDF file that triggered it. There was no significant difference between responses to a brief generic warning, and a longer specific one. The participants who heeded the warning were overwhelmingly female, and either had previous experience with viruses or lower levels of computing skills. Our analysis of the reasons for ignoring warnings shows that participants have become desensitised by frequent exposure and false alarms, and think they can recognise security risks. At the same time, their answers revealed some misunderstandings about security threats: for instance, they rely on anti-virus software to protect them from a wide range of threats, and do not believe that PDF files can infect their machine with viruses. We conclude that security warnings in their current forms are largely ineffective, and will remain so, unless the number of false positives can be reduced.
Keywords
Internet; alarm systems; computer viruses; laptop computers; Internet users; PDF file download warning; academic article summary tool; antivirus software; computing skills; false alarms; false positives; generic warning; laptops; online security threat protection; security risks; security warnings; usability test; Browsers; Google; Internet; Interviews; Portable computers; Security;
fLanguage
English
Publisher
ieee
Conference_Titel
Risk and Security of Internet and Systems (CRiSIS), 2012 7th International Conference on
Conference_Location
Cork
Print_ISBN
978-1-4673-3087-9
Electronic_ISBN
978-1-4673-3088-6
Type
conf
DOI
10.1109/CRISIS.2012.6378951
Filename
6378951
Link To Document