Presentation is loading. Please wait.

Presentation is loading. Please wait.

Alice in Warningland A Large-Scale Field Study of Browser Security Warning Effectiveness Devdatta Akhawe UC Berkeley Adrienne Porter Felt Google, Inc.

Similar presentations


Presentation on theme: "Alice in Warningland A Large-Scale Field Study of Browser Security Warning Effectiveness Devdatta Akhawe UC Berkeley Adrienne Porter Felt Google, Inc."— Presentation transcript:

1 Alice in Warningland A Large-Scale Field Study of Browser Security Warning Effectiveness Devdatta Akhawe UC Berkeley Adrienne Porter Felt Google, Inc.

2 Given a choice between dancing pigs and security, the user will pick dancing pigs every time Felten and McGraw Securing Java 1999

3 Evidence from experimental studies indicates that most people don’t read computer warnings, don’t understand them, or simply don’t heed them, even when the situation is clearly hazardous. Bravo-Lillo Bridging the Gap in Computer Security Warnings 2011

4

5

6

7 Didn’t that change anything?

8 today A large scale measurement of user responses to modern warnings in situ

9 What did we measure?

10 Clickthrough Rate # warnings ignored # warnings shown (across all users)

11 What is the ideal click through rate of effective warnings? 0%

12 How did we measure it?

13 Browser Telemetry A mechanism for browsers to collect pseudonymous performance and quality data from end users Users opt-in to sharing data with the browser vendors Data collected: May 2013

14 What did we find?

15 Results 1. Malware/Phishing 2. SSL Warnings

16 7.2% (Firefox Malware) 23.2% (Chrome Malware) 9.1% (Firefox Phishing) 18.0% (Chrome Phishing) Less than 25%!

17 7.2% (Firefox Malware) 23.2% (Chrome Malware) 9.1% (Firefox Phishing) 18.0% (Chrome Phishing) Rational?

18 Impact of Demographics Operating System Malware Firefox Malware Chrome Phishing Firefox Phishing Chrome Windows7.1%23.5%8.9%17.9% Linux18.2%13.9%34.8%31.0% Linux clickthrough rates much higher (except Chrome malware)

19 Hypothesis: A greater degree of technical skill corresponds to reduced risk aversion. (if Linux => more technical skill)

20 Results 1. Malware/Phishing 2. SSL Warnings

21 33.0% (Firefox beta) 70.2% (Chrome stable)

22 Possible Reasons 1. Warning Appearance 2. Number of Clicks (1 click vs 3) Chrome Team investigated by running trials

23 Possible Reasons 1. Warning Appearance 2. Number of Clicks Chrome Team investigated by running trials ~33% of difference ~25% of difference

24 Implications

25 Browser security warnings are effective, although they can be improved. Warning mechanism design can have a tremendous impact on user behavior. Security Practitioners should not ignore role of the user

26 Thanks for Listening!


Download ppt "Alice in Warningland A Large-Scale Field Study of Browser Security Warning Effectiveness Devdatta Akhawe UC Berkeley Adrienne Porter Felt Google, Inc."

Similar presentations


Ads by Google