This is an important question. The common belief in the community is that people are oblivious to security issues and will not care. Akhawe (Berkeley) and Felt (Google) conducted an empirical study by observing more than 25 million real user interactions with security warnings in the Chrome and Firefox browsers. This recent study was conducted during May and June 2013. They collected the data through the browsers' in-browser telemetry systems. As a reminder, telemetry is only switched on voluntarily by users. The researchers studied phishing warnings, malware warnings and SSL warnings, and measured the click-through ratio, i.e. the fraction of warning impressions where the user clicked through to view the corresponding page rather than turning back.
First, some raw data extracted from their paper (click-through ratio per browser and warning type):
| Warning type | Firefox | Chrome |
|---|---|---|
| Malware | 7.2% | 23.2% |
| Phishing | 9.1% | 28.1% |
| SSL | 32.2% | 73.3% |
The good news is that the majority of users heed the security warnings in the case of malware or phishing. Since both browsers' malware and phishing warnings are driven by Google's Safe Browsing list, whose false-positive rate is extremely low, the ideal click-through ratio would be close to 0%. For SSL warnings, the ratio is significantly higher. Of course, many legitimate sites generate such warnings (misconfigured servers, self-signed certificates…), so the ideal ratio is not zero. Nevertheless, the ratio seems high.
Interestingly, Chrome also has a higher click-through ratio than Firefox for every warning type. In other words, Chrome users pay less attention to the warnings. In the case of SSL, the huge difference (roughly 40 percentage points) can be partly explained by the fact that, for several reasons, Chrome users receive more SSL warnings. For instance, by default Firefox remembers an SSL exception once the user has accepted it, whereas Chrome presents the same warning again on every visit to the site, so a single decision to proceed is counted once in Firefox and many times in Chrome.
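To make the metric concrete, here is an added Python example (not from the paper, and not the browsers' telemetry code) that computes click-through ratios from warning-impression records and shows how counting repeated impressions for the same site changes the figure. The record layout, user ids and hosts are constructed assumptions for illustration; the numbers are not the study's data.

```python
from collections import defaultdict
from typing import Dict, Iterable, Tuple

# Constructed telemetry record per warning impression (assumption, not the
# paper's format): browser, warning type, user id, host the warning was shown
# for, and whether the user clicked through to the page.
Event = Tuple[str, str, str, str, bool]

SAMPLE_EVENTS: list = [
    # Firefox stores an accepted SSL exception, so u1 sees the warning only once.
    ("firefox", "ssl", "u1", "intranet.example", True),
    ("firefox", "ssl", "u2", "shop.example", False),
    ("firefox", "ssl", "u3", "mail.example", False),
    # Chrome re-shows the warning on every visit; u4 clicks through each time,
    # so one decision produces three counted click-throughs.
    ("chrome", "ssl", "u4", "intranet.example", True),
    ("chrome", "ssl", "u4", "intranet.example", True),
    ("chrome", "ssl", "u4", "intranet.example", True),
    ("chrome", "ssl", "u5", "shop.example", False),
    ("chrome", "ssl", "u6", "mail.example", False),
    # Malware warnings: one impression each, mostly heeded.
    ("firefox", "malware", "u1", "bad.example", False),
    ("firefox", "malware", "u2", "bad.example", False),
    ("firefox", "malware", "u3", "bad.example", True),
    ("chrome", "malware", "u4", "bad.example", False),
    ("chrome", "malware", "u5", "bad.example", True),
]


def clickthrough_rates(
    events: Iterable[Event], first_impression_only: bool = False
) -> Dict[Tuple[str, str], Dict[str, float]]:
    """Per (browser, warning type): impressions, click-throughs and their ratio.

    With first_impression_only=True, only the first impression a given user
    sees for a given host is counted. That removes the repeated impressions a
    browser generates when it does not remember an accepted exception, and
    makes the two browsers' figures comparable per decision rather than per
    page load.
    """
    seen = set()
    impressions: Dict[Tuple[str, str], int] = defaultdict(int)
    proceeded: Dict[Tuple[str, str], int] = defaultdict(int)
    for browser, wtype, user, host, clicked_through in events:
        if first_impression_only:
            key = (browser, wtype, user, host)
            if key in seen:
                continue
            seen.add(key)
        impressions[(browser, wtype)] += 1
        if clicked_through:
            proceeded[(browser, wtype)] += 1
    return {
        k: {
            "impressions": impressions[k],
            "clickthroughs": proceeded[k],
            "rate": proceeded[k] / impressions[k],
        }
        for k in impressions
    }


def rate(events: Iterable[Event], browser: str, wtype: str,
         first_impression_only: bool = False) -> float:
    """Convenience accessor: click-through ratio for one browser/warning pair."""
    return clickthrough_rates(list(events), first_impression_only)[(browser, wtype)]["rate"]


if __name__ == "__main__":
    for mode in (False, True):
        label = "first impression per user/host" if mode else "every impression"
        print(f"--- counting {label} ---")
        for (browser, wtype), stats in sorted(clickthrough_rates(SAMPLE_EVENTS, mode).items()):
            print(f"{browser:8s} {wtype:8s} {stats['clickthroughs']}/{stats['impressions']}"
                  f" = {stats['rate']:.1%}")
```

Counting every impression, the constructed Chrome SSL ratio is 60% against 33% for Firefox; counting each user's first impression per host, both fall to 33%. The same underlying behaviour, counted per page load, makes the browser that re-prompts look worse, which is the caveat to keep in mind when comparing the SSL row of the table above.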
Some interesting findings:
- Consistently, Linux users had a higher click-through ratio than users of other operating systems. Two reasons may explain it:
  - They feel more confident in their skill set because they are tech-savvy, and are less risk-averse than average users.
  - They feel that running Linux protects them from security issues. Unfortunately, that is not true for phishing or for the problem an SSL warning signals, neither of which depends on the operating system.
- The number of clicks needed to bypass a warning did not affect the ratio: bypassing a malware or phishing warning takes one click in Firefox and two in Chrome, yet Chrome still has the higher click-through ratio.
- Users who dismissed a warning spent less time on the warning page (about 1.5 s) than users who heeded it (about 3.5 s).
In any case, a good read…
D. Akhawe and A. P. Felt, "Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness," Proceedings of the 22nd USENIX Security Symposium, 2013. Available at http://research.google.com/pubs/archive/41323.pdf.