DOI: 10.1109/CRISIS.2012.6378951
Article

Don't work. Can't work? Why it's time to rethink security warnings

Published: 10 October 2012

Abstract

As the number of Internet users has grown, so have the security threats that they face online. Security warnings are one key strategy for trying to warn users about those threats; but recently, it has been questioned whether they are effective. We conducted a study in which 120 participants brought their own laptops to a usability test of a new academic article summary tool. They encountered a PDF download warning for one of the papers. All participants noticed the warning, but 98 (81.7%) downloaded the PDF file that triggered it. There was no significant difference between responses to a brief generic warning and a longer specific one. The participants who heeded the warning were overwhelmingly female, and either had previous experience with viruses or lower levels of computing skills. Our analysis of the reasons for ignoring warnings shows that participants have become desensitised by frequent exposure and false alarms, and think they can recognise security risks. At the same time, their answers revealed some misunderstandings about security threats: for instance, they rely on anti-virus software to protect them from a wide range of threats, and do not believe that PDF files can infect their machine with viruses. We conclude that security warnings in their current forms are largely ineffective, and will remain so, unless the number of false positives can be reduced.


    Published In

    CRISIS '12: Proceedings of the 2012 7th International Conference on Risks and Security of Internet and Systems (CRiSIS)
    October 2012
    160 pages
    ISBN:9781467330879

    Publisher

    IEEE Computer Society

    United States


    Author Tags

    1. Browsers
    2. Google
    3. Internet
    4. Interviews
    5. Portable computers
    6. Security
