The Importance of Being Earnest [In Security Warnings]

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7859)

Abstract

In response to the threat of phishing, web browsers display warnings when users arrive at suspected phishing websites. Previous research has offered guidance to improve these warnings. We performed a laboratory study to investigate how the choice of background color in the warning and the text describing the recommended course of action impact a user’s decision to comply with the warning. We did not reveal to participants that the subject of the study was the warning, and then we observed as they responded to a simulated phishing attack. We found that both the text and background color had a significant effect on the amount of time participants spent viewing a warning; however, we observed no significant differences with regard to their decisions to ultimately obey that warning. Despite this null result, our exit survey data suggest that misunderstandings about the threat model led participants to believe that the warnings did not apply to them. Acting out of bounded rationality, participants made conscientious decisions to ignore the warnings. We conclude that when warnings do not correctly align users’ risk perceptions, users may unwittingly take avoidable risks.




Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Egelman, S., Schechter, S. (2013). The Importance of Being Earnest [In Security Warnings]. In: Sadeghi, AR. (eds) Financial Cryptography and Data Security. FC 2013. Lecture Notes in Computer Science, vol 7859. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-39884-1_5

  • DOI: https://doi.org/10.1007/978-3-642-39884-1_5

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-39883-4

  • Online ISBN: 978-3-642-39884-1

  • eBook Packages: Computer Science, Computer Science (R0)
