Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

Bridging the Gap in Computer Security Warnings

advertisement 
Alice in Warningland
A Large-Scale Field Study of
Browser Security Warning Effectiveness
Devdatta Akhawe
UC Berkeley
Adrienne Porter Felt
Google, Inc.
Given a choice between dancing
pigs and security, the user will
pick dancing pigs every time
Felten and McGraw
Securing Java
1999
Evidence from experimental
studies indicates that most people
don’t read computer warnings,
don’t understand them, or simply
don’t heed them, even when the
situation is clearly hazardous.
Bravo-Lillo
Bridging the Gap in
Computer Security
Warnings
2011
Didn’t that change anything?
today
A large scale measurement of
user responses to
modern warnings in situ
What did we
measure?
Clickthrough Rate
# warnings ignored
# warnings shown
(across all users)
What is the ideal click
through rate of effective
warnings?
0%
How did we
measure it?
Browser Telemetry
• A mechanism for browsers to collect
pseudonymous performance and quality data
from end users
• Users opt-in to sharing data with the browser
vendors
• Data collected: May 2013
What did we
find?
Results
1. Malware/Phishing
2. SSL Warnings
7.2%
23.2%
(Firefox Malware)
(Chrome Malware)
Less than 25%!
9.1%
18.0%
(Firefox Phishing)
(Chrome Phishing)
7.2%
23.2%
(Firefox Malware)
(Chrome Malware)
Rational?
9.1%
18.0%
(Firefox Phishing)
(Chrome Phishing)
Impact of Demographics
Operating
System
Windows
Linux
Malware
Firefox
Malware
Chrome
Phishing
Firefox
Phishing
Chrome
7.1%
23.5%
8.9%
17.9%
18.2%
13.9%
34.8%
31.0%
Linux clickthrough rates much higher
(except Chrome malware)
Hypothesis: A greater degree of technical skill
corresponds to reduced risk aversion.
(if Linux => more technical skill)
Results
1. Malware/Phishing
2. SSL Warnings
33.0%
70.2%
(Firefox beta)
(Chrome stable)
Possible Reasons
1. Warning Appearance
2. Number of Clicks (1 click vs 3)
Chrome Team investigated by running trials
Possible Reasons
1. Warning Appearance
2. Number of Clicks
~33% of
difference
~25% of
difference
Chrome Team investigated by running trials
Implications
Browser security warnings are effective,
although they can be improved.
Warning mechanism design can have a
tremendous impact on user behavior.
Security Practitioners should not
ignore role of the user
Thanks for Listening!
evil@berkeley.edu
devd.me
@frgx
Related documents
Student Login Manual
Student Login Manual
Cyber Security is everybody`s responsibility
Cyber Security is everybody`s responsibility
Virtual Worlds - Cyberspace Law and Policy Centre
Virtual Worlds - Cyberspace Law and Policy Centre
What is Bad Email?
What is Bad Email?
Security Awareness for ISACA
Security Awareness for ISACA
Using Wacky Web Tales
Using Wacky Web Tales
Internet Security - SIUE Computer Science
Internet Security - SIUE Computer Science
Evolution of Remote Banking fraud
Evolution of Remote Banking fraud
Your Reputation Precedes You: History, Reputation, and
Your Reputation Precedes You: History, Reputation, and
Download
advertisement