Crying Wolf: Do Security Warnings Help?

July 30, 2009— -- Like the boy who cried wolf, have Internet security warnings lost their credibility?

After studying the behavior of more than 400 Internet users, Carnegie Mellon University computer researchers concluded that because users encounter so many pop-up warnings in benign situations, they have become immune to the messages.

Convinced that the warnings mean little, if anything at all, they leave themselves open to attack when they do click their way into dangerous territory.

But psychologists and public safety experts say this problem isn't reserved to the virtual world. The Department of Homeland Security's Advisory System, which has been under review since July 14, has been the subject of ridicule for the very same reason: The notoriously vague warnings are so pervasive they're hard to take seriously.

The Carnegie Mellon researchers, who will present their findings in August at the Usenix Security Symposium in Montreal, say some Internet warnings are so ineffective they should be reduced or eliminated altogether.

"People get pop-ups in their browsers and they say something about security and they don't know what they are, so they swat them away," said Lorrie Cranor, associate professor of computer science and engineering at Carnegie Mellon. "Nothing bad happened before and they think nothing bad will happen again."

In the study, Cranor and a team of graduate students observed 409 Internet users to examine their reactions to and understanding of Secure Sockets Layer (SSL) warnings, which are intended to validate the authenticity of Web sites.

Most times a user receives a pop-up SSL warning, it means the certificate has expired for harmless reasons. But sometimes the warning indicates that the user could be a victim of a cyberattack.

However, because users are practically trained to ignore the warnings, Cranor said they remain vulnerable to those threats.