
Download warnings: A rational rejection of security advice?

22 February 2012

Kat Krol and Matt Moroz

As the number of Internet users has grown, so have the security threats that they face online. Security warnings are one key strategy for alerting users to those threats, but their effectiveness has recently been questioned. We conducted a study to explore how users react to security warnings and why. In our study with 120 participants – all of whom noticed the warning – 81.7% downloaded a file despite a warning.

There was no significant difference between generic warnings and specific ones, contrary to what previous research had speculated. The minority of participants who were stopped by the warnings rated themselves as not knowledgeable about computers and/or reported having had previous experience with viruses or fraud. Analysis of the reasons given by participants for ignoring warnings shows that they have become desensitised by frequent exposure to warnings and the experience of false alarms.

Their answers also revealed a set of misunderstandings about the nature of security threats, blind trust in their anti-virus software and unawareness of threats associated with PDF files. Based on our findings, we conclude that security warnings in their current forms are and will remain ineffective, and require a fundamental rethink.