1 / 26

Alice in Warningland A Large-Scale Field Study of Browser Security Warning Effectiveness

Alice in Warningland A Large-Scale Field Study of Browser Security Warning Effectiveness. Devdatta Akhawe UC Berkeley. Adrienne Porter Felt Google, Inc. Given a choice between dancing pigs and security , the user will pick dancing pigs every time . Felten and McGraw

kirima
Download Presentation

Alice in Warningland A Large-Scale Field Study of Browser Security Warning Effectiveness

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Alice in WarninglandA Large-Scale Field Study of Browser Security Warning Effectiveness Devdatta AkhaweUC Berkeley Adrienne Porter Felt Google, Inc.

  2. Given a choice between dancing pigs and security, the user will pick dancing pigs every time Felten and McGraw Securing Java 1999

  3. Evidence from experimental studies indicates that most people don’t read computer warnings, don’t understand them, or simply don’t heed them, even when the situation is clearly hazardous. Bravo-Lillo Bridging the Gap in Computer Security Warnings2011

  4. Didn’t that change anything?

  5. today A large scale measurement of user responses to modern warnings in situ

  6. What did we measure?

  7. Clickthrough Rate # warnings ignored # warnings shown • (across all users)

  8. What is the ideal click through rate of effective warnings? 0%

  9. How did we measure it?

  10. Browser Telemetry • A mechanism for browsers to collect pseudonymous performance and quality data from end users • Users opt-in to sharing data with the browser vendors • Data collected: May 2013

  11. What did we find?

  12. Results 1. Malware/Phishing 2. SSL Warnings

  13. 7.2% (Firefox Malware) 23.2%(Chrome Malware) Less than 25%! 9.1% (Firefox Phishing) 18.0%(Chrome Phishing)

  14. 7.2% (Firefox Malware) 23.2%(Chrome Malware) Rational? 9.1% (Firefox Phishing) 18.0%(Chrome Phishing)

  15. Impact of Demographics Linux clickthrough rates much higher(except Chrome malware)

  16. Hypothesis: A greater degree of technical skill corresponds to reduced risk aversion. (if Linux => more technical skill)

  17. Results 1. Malware/Phishing 2. SSL Warnings

  18. 33.0% (Firefox beta) 70.2%(Chrome stable)

  19. Possible Reasons 1. Warning Appearance 2. Number of Clicks (1 click vs 3) Chrome Team investigated by running trials

  20. Possible Reasons ~33% of difference 1. Warning Appearance 2. Number of Clicks ~25% of difference Chrome Team investigated by running trials

  21. Implications

  22. Browser security warnings are effective, although they can be improved. Warning mechanism design can have a tremendous impact on user behavior. Security Practitioners should notignore role of the user

  23. Thanks for Listening! evil@berkeley.edudevd.me@frgx

More Related