Monday, August 3, 2009

CyLab CUPS Researchers Release Study on SSL Warning Effectiveness

Josh Sunshine will be presenting the paper Crying Wolf: An Empirical Study of SSL Warning Effectiveness at the USENIX 2009 Security Symposium.

Co-authored with Serge Egelman, Hazim Almuhimedi, Neha Atri, and Lorrie Faith Cranor, Crying Wolf is another compelling example of how Carnegie Mellon University CyLab is helping both to frame the dialogue and to deliver the goods on how best to raise awareness and deliver effective user education:

We conducted a survey of over 400 Internet users to examine their reactions to and understanding of current SSL warnings.
We then designed two new warnings using warnings science principles and lessons learned from the survey … Our results suggest that, while warnings can be improved, a better approach may be to minimize the use of SSL warnings altogether by blocking users from making unsafe connections and eliminating warnings in benign situations.
Crying Wolf: An Empirical Study of SSL Warning Effectiveness

Dr. Cranor, Director of the CyLab Center for Usable Privacy and Security (CUPS), was quoted in several news media stories breaking the study’s results.

Here is a sampling with links to the full texts:

After studying the behavior of more than 400 Internet users, Carnegie Mellon University computer researchers concluded that because users encounter so many pop-up warnings in benign situations, they have become immune to the messages … "People get pop-ups in their browsers and they say something about security and they don't know what they are, so they swat them away," said Lorrie Cranor, associate professor of computer science and engineering at Carnegie Mellon. "Nothing bad happened before and they think nothing bad will happen again." ABC News, 7-30-09

“The big takeaway is that computer security warnings are not an effective way of addressing computer security,” study researcher and co-author Lorrie Faith Cranor, an associate professor of computer science, engineering and public policy at Carnegie Mellon University, told SCMagazineUS.com on Tuesday. “People don't read warnings and don't understand them when they do read them” … In addition, researchers also surveyed experts – those with an IT-related degree, computer security work experience or programming knowledge – to see if they would behave any differently when receiving a warning. Researchers found that even experts often ignored the warnings, indicating that the system of relying on warnings to communicate computer security risks is “fundamentally broken,” Cranor said. SC Magazine, 7-28-09

"Everyone knew that there was a problem with these warnings," said Joshua Sunshine, a Carnegie Mellon graduate student and one of the paper's co-authors. "Our study showed dramatically how big the problem was" … They found that people often had a mixed-up understanding of certificate warnings. For example, many thought they could ignore the messages when visiting a site they trust, but that they should be more wary at less-trustworthy sites. "That's sort of a backwards understanding of what these messages mean," Sunshine said. "The message is validating that you're visiting the site you think you're visiting, not that the site is trustworthy." Computerworld, 7-24-09