Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness

We empirically assess whether browser security warnings are as ineffective as suggested by popular opinion and previous literature. We used Mozilla Firefox and Google Chrome's in-browser telemetry to observe over 25 million warning impressions in situ. During our field study, users continued through a tenth of Mozilla Firefox's malware and phishing warnings, a quarter of Google Chrome's malware and phishing warnings, and a third of Mozilla Firefox's SSL warnings. This demonstrates that security warnings can be effective in practice; security experts and system architects should not dismiss the goal of communicating security information to end users. We also find that user behavior varies across warnings. In contrast to the other warnings, users continued through 70.2% of Google Chrome's SSL warnings. This indicates that the user experience of a warning can have a significant impact on user behavior. Based on our findings, we make recommendations for warning designers and researchers.

Spotlight

VivoSecurity Inc.

VivoSecurity is transforming how business calculates security risks…by putting a dollar value on cyber-security events to help plan how – and where – you should spend your security budget.

OTHER WHITEPAPERS
news image

Recommended Criteria for Cybersecurity Labeling of Consumer Software

whitePaper | February 4, 2022

Software is an integral part of life for the modern consumer. Nevertheless, most consumers take for granted and are unaware of the software upon which many products and services rely. From the consumer’s perspective, the very notion of what constitutes software may even be unclear. While enabling many benefits to consumers, that software that is, software normally used for personal, family, or household purposes can also have cybersecurity flaws or vulnerabilities which can directly affect safety, property, and productivity.

Read More
news image

VIRSEC ® SECURITY PLATFORM

whitePaper | December 10, 2019

Advanced application attacks that weaponize at runtime (WRT) are increasingly putting businesses at risk. These attacks challenge application security by leveraging fileless malware, memory corruption and uncommon vulnerabilities to evade traditional security solutions. WRTs manipulate legitimate processes and enable stealthy execution of malicious code, resulting in data breaches, damaged infrastructure, and financial losses.

Read More
news image

Cybersecurity 2018

whitePaper | February 2, 2020

Small businesses usually neglect cybersecurity as an essential function making their IT infrastructure vulnerable. IT security issues often cost companies a lot of money and downtime every year. Even if the IT infrastructure consists of couple laptops and Devices, cybersecurity should always be a top priority.

Read More
news image

Awesome Cyber Security Facts - Infographic

whitePaper | November 15, 2019

Check out our "Awesome Cyber Security Facts" infographic below to see how crucial cyber security attack was for some businesses, what are our main weaknesses in terms of personal cyber security and even more.

Read More
news image

INDUSTRIAL CYBER RISK MANAGEMENT

whitePaper | May 21, 2021

Critical infrastructure owners and operators have managed industrial risk for hundreds of years. This risk is usually measured in impact to health, safety, and reliability. As these industrial systems become increasingly digitized, so does the risk. What were once seen as isolated, manual processes have become reliant on communication networks and digital devices.

Read More
news image

Google Cloud security foundations guide

whitePaper | April 19, 2021

This guide presents an opinionated view of Google Cloud security best practices, organized to allow users to adopt or adapt them and then automatically deploy them for their estates on Google Cloud. This document can be useful to you if you are a CISO, security practitioner, risk or compliance officer.

Read More

Spotlight

VivoSecurity Inc.

VivoSecurity is transforming how business calculates security risks…by putting a dollar value on cyber-security events to help plan how – and where – you should spend your security budget.

Events