Upfront

Making online security warning messages more useful and effective

June 2013, Vol 44, No. 6

Print version: page 12

With an NSF grant, Dr. Gary Brase is working to make computer security alerts clearer and more meaningful for everyone. (credit: Courtesy of Kansas State University)

Most of us have gone online to buy something or check our bank balance, only to encounter a pop-up message indicating danger if we proceed. Do we heed the warning or go on to the website? For many of us, the answer isn't clear.

To help people interpret these warnings and keep their personal information secure, psychologist Gary Brase, PhD, and computer security researcher Eugene Vasserman, PhD, both of Kansas State University, are using a $150,000 grant from the National Science Foundation to develop more effective online alerts.

"We don't just want to get something that's better; we want to find something that's fundamentally better," Brase says.

A number of factors are contributing to our confusion, says Brase. For one, many of these messages contain technical language that is meaningless to most people, such as "Do you want to trust this signed applet?" or "This application's digital signature has an error; do you want to run the application?"

For another, such alerts often fail to communicate clearly the actual risk of continuing to a website. Not all warnings are equal: One may pop up simply because a website is a day late in updating its security certificate information, while another that looks exactly the same may be signaling that someone is trying to intercept your personal information.

What's more, people aren't always concerned about security risk while browsing the Web. Some may be visiting a site just to read a magazine article or price items from different stores, while others are poised to share vulnerable personal information.

"Good security alerts should be tailored for all types of users, no matter what their intent," says Brase.

To determine the best approach, the team is conducting lab studies to see how people respond to different types of warnings, such as warnings that are mainly visual, or that feature clearer, more user-friendly educational text. Then they will test various alerts to see which ones prompt people to easily make smart decisions. It's important to address such problems because user education has not kept pace with the increasing complexity of Internet transactions, says Brase.

"We want to help make the computers easier to understand rather than trying to make the people understand computers," he says.

—Tori DeAngelis