Security Management
Published on Security Management (http://www.securitymanagement.com)
Do Security Alerts Really Work?
By Matthew Harwood
Created 07/31/2009 - 09:58



    

Security warnings tend to lose their power once familiarity creeps in, experts say.

Whether it's the pop-up alert warning you about a shady Web site or the rainbow-colored terror alert system, security researchers and psychologists say security warnings lose their power once familiarity creeps in, reports ABC News [1].

Researchers at Carnegie Mellon studying the effect of Secure Sockets Layer (SSL) on online behavior discovered that 409 Internet users routinely ignore their browser's SSL warning. The warnings inform users whether the Web site has been authenticated, meaning the Web site is who it says it is. Typically, the warning flashes because the certificate that validates a Web site has expired. Less often, it means the user could be entering a dangerous Web site riddled with malware.

"People get pop-ups in their browsers and they say something about security and they don't know what they are, so they swat them away," Lorrie Cranor, associate professor of computer science and engineering at Carnegie Mellon, told ABC News. "Nothing bad happened before and they think nothing bad will happen again."

Another area where familiarity breeds neglect, if not outright contempt, is the Department of Homeland Security's Homeland Security Alert System (HSAS). Since its creation after 9-11, the terror alert scale has almost permanently reclined in yellow, meaning there is a "significant risk of terrorist attacks."

"In the post 9/11 world, it is not sufficient to just say 'unspecific sources provided vague or uncorroborated information about a possible attack,'" Jack Cloonan, a 25-year veteran of the FBI and security expert, told ABC News. "The criticism the HSAS received was justified in my mind because it led the public to believe the Secretary and DHS was crying wolf."

Two weeks ago, Homeland Security Secretary Janet Napolitano created a task force to review the oft-ridiculed HSAS. The panel will either make recommendations to improve the system or advise Napolitano to scrap it entirely, reported the AP [2].

The reason why people tend to ignore security warnings is quite simple, according to clinical psychologist John Grohol.

"If you're constantly bombarded with the same message over again, you tend to ignore it," he said. "The message has lost any intensity or originality or uniqueness in our minds."


♦ Photo of SSL warning by Andrew Mason/Flickr [3]

Related Resources: 

"DHS Task Force to Review Color-Coded Terror Alert System [4]," by Matthew Harwood, Daily Headlines, July 15, 2009


Comments

Pricey SSL certs

Submitted by ryan on Mon, 08/03/2009 - 07:41.

The SSL certificate market is monopolised by a few players and they keep the prices pretty high. It's hard for a startup to just shell out hundreds of dollars to get an SSL cert.



Source URL: http://www.securitymanagement.com/news/do-security-alerts-really-work-005983

Links:
[1] http://abcnews.go.com/print?id=8205775
[2] http://www.google.com/hostednews/ap/article/ALeqM5gg4zczSIwqDYPqYT12kYuYvOLMjAD99EAGJ03
[3] http://www.flickr.com/photos/a_mason/3738813364/
[4] http://www.securitymanagement.com/../../../../../../news/dhs-task-force-review-color-coded-terror-alert-system-005889