We’ve written in the past about this subject, but a recent conversation with a customer brought me back to it. We often talk about the perils of an infected website or an out-of-date SSL certificate in ominous tones: browser warnings, customers clicking away, and loss of reputation and trust. But how much of this is based on real customer behaviour?
The University of California, together with Google, recently undertook a study to track real-world clickthrough rates from browser security warnings in two of the most popular web browsers, Google Chrome and Mozilla Firefox. The results reveal a much more security-conscious population than you might expect.
Alice in Warningland
The study looked at the malware, phishing and SSL certificate warnings that each browser shows to users and not only monitored clickthrough rates, but also how long people spent looking at the warning before clicking and how many people clicked to find out more detailed information about the warning.
With the exception of SSL warnings in Google Chrome, the study concluded that browser security warnings ‘effectively protect most users in practice’, with relatively low clickthrough rates. In addition, there seemed to be some active engagement and understanding of the warnings people were seeing:
‘In Mozilla Firefox, a fifth of users who choose to click through an SSL warning remove a default option, showing they are making cognitive choices while bypassing the warning,’ says the report.
Exceptions to the rule
Although the ideal clickthrough rate is zero, especially for malware warnings where the false positive rate is particularly low, the study showed that every type of warning is bypassed by at least some users, some of the time.
This doesn’t necessarily mean that people clicking through are the ‘oblivious users’ that experts once thought all internet users were.
For example, there was a higher clickthrough rate for phishing warnings than for malware warnings. ‘This behaviour is rational,’ explains the study, ‘a malware website can infect the user’s computer without any action on the user’s part, but a phishing website can only cause harm by tricking the user at a later point in time.’
In other words, customers are able to discern between different types of threats and make an informed decision about how much risk they are willing to take by proceeding to their desired website.
Where warnings fail
Perhaps the most surprising result of the study was that Google Chrome users clicked through SSL warnings 70.2 percent of the time. Why do they have such a lax attitude towards security?
The study makes some well-reasoned suggestions, the most convincing of which is warning fatigue. ‘Our findings support recent literature that has modeled user attention to security warnings as a finite resource,’ explains the paper.
Perhaps Google Chrome users are faced with so many of the same warnings over and over again, especially since there is no option to save a preference as there is in Mozilla Firefox, that warnings simply start to lose their impact.
That said, despite the high clickthrough rate in Google Chrome, users were still discerning between different types of SSL warning and assessing the relative levels of risk.
‘There is a 24.4-point difference between the clickthrough rates for untrusted issuer errors (81.8%) and expired certificate errors (57.4%) in Google Chrome.’
The former type of warning might often apply to small, independent websites that users know and trust personally, hence the higher clickthrough rate. On the other hand, expired certificates suggest poor management, or perhaps that a business is no longer the genuine owner of a site, and users are therefore more cautious.
What does this study mean to businesses?
Ultimately, between 77 and 91 percent of people will not click through a malware or phishing warning, and in Mozilla Firefox at least two thirds of users will not click through an SSL warning of any kind.
So if you’re deciding whether or not to prioritise website security and SSL certificate management, remember that security warnings really do work at keeping visitors away from malicious and poorly managed sites. It’s much better to keep valid, up-to-date certificates than to scare people away.
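The two warning categories the study separates in Chrome, an untrusted issuer and an expired certificate, are exactly the conditions a site owner can monitor for before visitors ever see a warning. The following is an added example, not code from the original post or from the study, of a small monitoring check in Python: it classifies a certificate in the shape returned by `ssl.SSLSocket.getpeercert()` as expired, expiring soon, not yet valid, or issued by a CA that is not on an allowlist. The sample certificate dict, the hostname `shop.example.test`, the issuer names and the `trusted_issuers` allowlist are all constructed for the example.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the same shape as ssl.SSLSocket.getpeercert() returns.
# Hostname, issuer and dates are made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.test"),),),
    "issuer": (
        (("organizationName", "Example Trusted CA"),),
        (("commonName", "Example Trusted CA Root"),),
    ),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}

# Hypothetical allowlist of issuer organisations a site owner expects to see.
TRUSTED_ISSUERS = {"Example Trusted CA"}


def cert_field(cert, section, key):
    """Pull one attribute (e.g. organizationName) out of a subject/issuer tuple."""
    for rdn in cert.get(section, ()):
        for name, value in rdn:
            if name == key:
                return value
    return None


def check_certificate(cert, trusted_issuers, now=None, warn_days=30):
    """Classify a certificate the way a browser warning would.

    Returns a dict with the subject, issuer, whole days until expiry and a
    list of problem codes: 'expired', 'expiring_soon', 'not_yet_valid',
    'untrusted_issuer'. An empty list means no warning is expected.
    """
    now_dt = now or datetime.now(timezone.utc)
    now_ts = now_dt.timestamp()
    not_before_ts = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after_ts = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((not_after_ts - now_ts) // 86400)
    issuer = cert_field(cert, "issuer", "organizationName")

    problems = []
    if now_ts < not_before_ts:
        problems.append("not_yet_valid")
    if days_left < 0:
        problems.append("expired")            # the 57.4% clickthrough case
    elif days_left < warn_days:
        problems.append("expiring_soon")      # renew before visitors are warned
    if issuer not in trusted_issuers:
        problems.append("untrusted_issuer")   # the 81.8% clickthrough case

    return {
        "subject": cert_field(cert, "subject", "commonName"),
        "issuer": issuer,
        "days_left": days_left,
        "problems": problems,
    }


def fetch_peer_cert(host, port=443, timeout=5):
    """Retrieve a live server certificate with the system trust store.

    Note: with the default context, an expired or untrusted certificate raises
    ssl.SSLCertVerificationError during the handshake; its verify_message says
    which condition failed, so the caller can log that category instead.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Evaluate the constructed certificate at three points in time.
    for when in (datetime(2024, 6, 1, tzinfo=timezone.utc),
                 datetime(2024, 12, 15, tzinfo=timezone.utc),
                 datetime(2025, 1, 10, tzinfo=timezone.utc)):
        print(when.date(), check_certificate(SAMPLE_CERT, TRUSTED_ISSUERS, now=when))
```

Run as a scheduled job against your own hosts, the `expiring_soon` finding is the one that matters: it fires while there is still time to renew, whereas the browser only tells your visitors once the certificate has already expired. The `now` parameter exists so the classification can be tested against fixed dates rather than the clock.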