Do Security Alerts Really Work?

By Matthew Harwood

Whether it's the pop-up alert warning you about a shady Web site or the rainbow-colored terror alert system, security researchers and psychologists say security warnings lose their power once familiarity creeps in, reports ABC News.

Researchers at Carnegie Mellon studying the effect of Secure Sockets Layer (SSL) on online behavior discovered that 409 Internet users routinely ignore their browser's SSL warning. The warnings inform users whether the Web site has been authenticated, meaning the Web site is who it says it is. Typically, the warning flashes because the certificate that validates a Web site has expired. Less often, it means the user could be entering a dangerous Web site riddled with malware.

"People get pop-ups in their browsers and they say something about security and they don't know what they are, so they swat them away," Lorrie Cranor, associate professor of computer science and engineering at Carnegie Mellon, told ABC News. "Nothing bad happened before and they think nothing bad will happen again."

Another area where familiarity breeds neglect, if not outright contempt, is the Department of Homeland Security's Homeland Security Alert System (HSAS). Since its creation after 9/11, the terror alert scale has almost permanently reclined in yellow, meaning there is a "significant risk of terrorist attacks."

"In the post 9/11 world, it is not sufficient to just say 'unspecific sources provided vague or uncorroborated information about a possible attack,'" Jack Cloonan, a 25-year veteran of the FBI and security expert, told ABC News. "The criticism the HSAS received was justified in my mind because it led the public to believe the Secretary and DHS was crying wolf."

Two weeks ago, Homeland Security Secretary Janet Napolitano created a task force to review the oft-ridiculed HSAS. The panel will either make recommendations to improve the system or advise Napolitano to scrap it entirely, reported the AP.

The reason why people tend to ignore security warnings is quite simple, according to clinical psychologist John Grohol.

"If you're constantly bombarded with the same message over again, you tend to ignore it," he said. "The message has lost any intensity or originality or uniqueness in our minds."

♦ Photo of SSL warning by Andrew Mason/Flickr


Pricey SSL certs

The SSL certificate market is monopolised by a few players and they keep the prices pretty high. It's hard for a startup to just shell out hundreds of dollars to get an SSL cert.
