Usable Security Lessons for Creating Effective Browser Warnings
October 19, 2009
Speaker: Serge Egelman, Brown
Time: Monday, October 19, 2PM
Location: Babbio 221
Host: Sven Dietrich
Abstract:
In a world where making an incorrect online trust decision can mean the difference between checking your account balance and transferring it to criminals, Internet users need effective security warnings to help them identify risky situations. In a perfect world, software could automatically detect all security threats and then block access to high risk websites. Because there are many threats that we cannot detect with 100% accuracy and false positives are all too frequent, web browser vendors generally opt to warn users about security threats. In this talk I cover the common pitfalls of web browser security warnings and draw parallels with warnings in the physical world. I describe the results of laboratory phishing studies I performed in order to examine users' mental models, risk perceptions, and comprehension of current security warnings. Finally, I show how I used these findings to design and test a more usable SSL warning that better conveys risk and uses context to minimize habituation effects.
Bio:
Serge Egelman is a postdoctoral researcher at Brown University working on access control mechanisms that minimize human error. He also dabbles in behavioral economics in order to better understand why people make poor security choices. He recently earned a PhD from Carnegie Mellon University's School of Computer Science. His main research area is on usable privacy and security, which has included work on phishing detection, authentication systems, online privacy, user account models, and online shopping behaviors. Serge was a summer intern at PARC in 2006, as well as an intern at Microsoft Research for six months in 2008. While at MSR, he helped the IE team redesign the IE8 phishing warning based on the results of his dissertation research. Serge enjoys traveling the world and hopes to visit every UNESCO World Heritage Site.