Google Study Shows Users Fail to Understand Security Warnings

Researchers found ways to improve Internet users' adherence to advice, but users still demonstrated they don't understand what is at stake.

Few users who encounter an alert through their browser actually read or understand the suggested advice but can be guided to take corrective action, according to a study by Google and University of Pennsylvania researchers, who hope to find ways to fix the problems.

In a study to be presented in April, the group of nine researchers found that the use of graphics to promote the most secure course of action, known as opinionated design, dramatically increased the number of users who follow a recommended course of action. Yet, despite that success, relatively few users understand warning text that describes the threat or what data could be at risk.

“Comprehension rates remain lower than desired for all of the SSL warning texts that we tested,” the researchers stated. “This is disappointing, as we view comprehension as more important than adherence.”

The Secure Sockets Layer (SSL) is the foundation of much of the security on the Web and the Internet. SSL is the most popular way to encrypt network communications and is used to secure traffic to and from Web servers and between email servers and clients. The standard continues to evolve, with a more modern version known as the Transport Layer Security (TLS) protocol.

Google has focused on securing SSL as part of its continuing development of the Chrome browser. In September, for example, the company decided to phase out the acceptance of SSL certificates signed with the cryptographic hash function known as SHA-1.

Because many users assume SSL warnings are false alarms, Google researchers have studied what causes SSL errors, finding that they are not just caused by man-in-the-middle attacks and bad Web coding, but by many factors.

Some issues are simple errors, such as incorrect certificates or an incorrectly set clock on the client systems. Other issues are not errors, but infrastructure that does not play by the SSL rules, such as captive portals or networks that intercept SSL requests, a typical network design within primary and secondary schools. Finally, a minority are attacks, from serious malware to Internet service providers attempting to add advertisements onto Websites.

The ideal SSL warning should allow users to understand the source of the threat, what data is at risk and whether the alert could be due to misconfiguration or a false positive, according to a Jan. 30 presentation by Adrienne Porter Felt of the Chrome security team.

The researchers adopted visual cues, such as a red lock and a yellow background, to try to increase the proportion of users who follow the browser’s advice. Called opinionated design, the technique increased the proportion of users who followed the warning to 61 percent in real-world testing, compared with 37 percent for warnings in the prior version of the software.

Yet, reducing the complexity of the language accompanying the warnings failed to markedly increase comprehension of the threats. The researchers used simpler sixth-grade-level language, rather than the eleventh-grade language of previous warnings, to describe a specific risk and added an illustration of a red lock.

The researchers were clearly frustrated by the results.

“Why do all warnings—including ours—fail?” the paper’s authors asked. “Although we tried to follow best practices, we faced tradeoffs between contradictory advice. Our choices may not have been optimal. This suggests a need for more research into the relative importance of brevity, specificity and non-technicality in security warnings.”

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...