Why are some security warnings more effective than others?

Experimenting at Scale with Google Chrome’s SSL Warning

Modern browsers warn users when they are potentially clicking from an encrypted connection, one using the Secure Sockets Layer (SSL), to an unprotected connection. This can indicate a potential threat to the user. Despite the difficulty in assessing the risk highlighted by the warning, many users ‘click through’ this message. Past research has shown that more people using Google Chrome ignore warnings than those using Mozilla Firefox. This raises the question of how the security warning itself affects the user's assessment of risk.

Felt et al. set out to understand why Firefox has a 37% lower ‘click-through’ rate on SSL warnings than Google Chrome. The researchers designed six experimental warnings to test four hypotheses about the impact of visual design, an extra warning stage, corporate style guidelines, and the image of a watching human on lowering click-through rates (CTRs). The experimental warnings were included in Google Chrome 29, which showed differing warnings to users who had opted to ‘send crash reports and statistics to Google’. The researchers measured 130,754 impressions under field conditions.

The study provided some interesting outcomes. In a test where users had to click through a warning twice, the second warning did little, with almost all participants (98%) clicking through both. The use of corporate style or branding had little effect, and the use of a watching figure, such as a police officer, did not increase the effectiveness of the warning.

The results of the field study suggest that the visual appearance of the SSL warning accounts for one-third to one-half of the difference in effectiveness between Firefox and Google Chrome. Therefore, the design of SSL warnings can drive users towards lower click-through rates and thus safer decisions. This research contributes to the ability of SSL warning designers to create effective warnings that avoid the use of technical jargon by de-emphasizing technical details, include information on ways to mitigate risk, and include a clear default choice.

Users can be encouraged to make safer decisions by modifying the appearance of security warnings.