• Corpus ID: 17465744

Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness

  title={Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness},
  author={Devdatta Akhawe and Adrienne Porter Felt},
  booktitle={USENIX Security Symposium},
We empirically assess whether browser security warnings are as ineffective as suggested by popular opinion and previous literature. [] Key Result This indicates that the user experience of a warning can have a significant impact on user behavior. Based on our findings, we make recommendations for warning designers and researchers.


This research used different kinds of Android mobile browsers as well as desktop browsers to evaluate security warnings and finds how inconsistent browsers really are in prompting security warnings.

An Experience Sampling Study of User Reactions to Browser Warnings in the Field

It is concluded that further improvements to warnings will require solving a range of smaller contextual misunderstandings, including a single dominant failure in modern warning design---like habituation---that prevents effective decisions.

Your Reputation Precedes You: History, Reputation, and the Chrome Malware Warning

It is found that users consistently heed warnings about websites that they have not visited before, however, users respond unpredictably to warnings about sites that they had previously visited, and recommendations for warning designers are provided and open questions are posed about the design of malware warnings.

Appraisal on User's Comprehension in Security Warning Dialogs: Browsers Usability Perspective

Investigation further from the end-user’s experience whilst encountering security warnings (i.e. Chrome browser context) shows that elements such as icon, colour, wording used in the warning can impact the efficacy of the warning.

Empirical Investigations on Usability of Security Warning Dialogs: End Users Experience

One-to-one interview session with 60 participants was conducted in order to gain further comprehension among the end users experiencing security warning and to investigate the usability issues of current security warning implementation.

Developers Deserve Security Warnings, Too: On the Effect of Integrated Security Advice on Cryptographic API Misuse

This work investigates the effectiveness of API-integrated security advice which informs about an API misuse and places secure programming hints as guidance close to the developer, and finds that this approach significantly improves code security.

A Week to Remember: The Impact of Browser Warning Storage Policies

This work evaluated six storage policies for HTTPS error exception storage with a large-scale, multimonth field experiment and found substantial differences between the policies and that one of the storage policies achieved more of the goals than the rest.

Why eve and mallory (also) love webmasters: a study on the root causes of SSL misconfigurations

This paper conducts the first study with webmasters operating non-validating X.509 certificates to understand their motives behind deploying those certificates and gives insight into their motives.

A First Look at Firefox OS Security

It is argued that the caching of certificate overrides across applications--a known problem in Firefox OS--generates a counter-intuitive user experience that detracts from the security of the system.

Alice in Battlefield: An Evaluation of the Effectiveness of Various UI Phishing Warnings

By comparing and contrasting three experiments conducted by three major American universities, this paper explores the effectiveness of various UI phishing warnings as well as evolvement of phishing warning UI designs and implementations.



Crying Wolf: An Empirical Study of SSL Warning Effectiveness

A better approach may be to minimize the use of SSL warnings altogether by blocking users from making unsafe connections and eliminating warnings in benign situations.

You've been warned: an empirical study of the effectiveness of web browser phishing warnings

Using a model from the warning sciences, how users perceive warning messages is analyzed and suggestions for creating more effective warning messages within the phishing context are offered.

Here's my cert, so trust me, maybe?: understanding TLS errors on the web

This work identifies low-risk scenarios that consume a large chunk of the user attention budget and makes concrete recommendations to browser vendors that will help maintain user attention in high-risk situations.

Why phishing works

This paper provides the first empirical evidence about which malicious strategies are successful at deceiving general users by analyzing a large set of captured phishing attacks and developing a set of hypotheses about why these strategies might work.

On the challenges in usable security lab studies: lessons learned from replicating a study on SSL warnings

Alternative to traditional laboratory study methodologies are proposed that can be considered by the usable security research community when investigating research questions involving sensitive data where trust may influence behavior.

An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks

It is found that picture-in-picture attacks showing a fake browser window were as effective as the best other phishing technique, the homograph attack and reading the help file made users more likely to classify both real and fake web sites as legitimate when the phishing warning did not appear.

Do security toolbars actually prevent phishing attacks?

It is found that many subjects do not understand phishing attacks or realize how sophisticated such attacks can be, and security toolbars are found to be ineffective at preventingPhishing attacks.

Browser interfaces and extended validation SSL certificates: an empirical study

This study explores the interfaces related to SSL certificates in the most widely deployed browser (Internet Explorer 7), proposes an alternative set of interface dialogs, and compares their effectiveness through a user study involving 40 participants, finding the alternative interface to offer statistically significant improvements in confidence, ease of finding information, and ease of understanding.

Exploring User Reactions to New Browser Cues for Extended Validation Certificates

While the new interface features in the unmodified Firefox browser went unnoticed by all users in this study, the modified design was noticed by over half of the participants, and most users show a willingness to adopt these features once made aware of their functionality.

Gathering evidence: use of visual security cues in web browsers

It is demonstrated that while the lock icon is commonly viewed, its interactive capability is essentially ignored, and that people stop looking for security information after they have signed into a site.