8/7/09

Crying Wolf?


You’re sitting in front of your computer browsing the Internet when a security warning pops up. What to do?

You could take the time to read the message and make sure you fully understand the warning before proceeding.

It’s more likely you barely notice the warning as your reflexes hastily click until the box disappears.

According to computer science researchers at Carnegie Mellon, pop-up warnings aren’t as effective as they could – or should – be.

Carnegie Mellon professor Lorrie Cranor, along with a team of graduate students, observed the Internet habits of more than 400 people. What they found is people simply encounter too many security warnings in harmless situations. As a result, they automatically ignore all warnings, leaving them vulnerable to a cyberattack.

What to do?

Cranor, who is the director of the CyLab Usable Privacy and Security Laboratory (CUPS), thinks using different colored security warnings for different threat levels could help. But the best solution may actually be to limit – or even completely do away with – pop-up security warnings.

It would cost more money and take more work for those who develop web browsers, but ultimately a more intelligent browser that automatically protects Internet users, instead of simply warning them, might just be the best solution yet.

The team authored the paper “Crying Wolf: An Empirical Study of SSL Warning Effectiveness” and Josh Sunshine (CS’10) will present it next week at the USENIX 2009 Security Symposium.
