Empirical Investigations on Usability of Security Warning Dialogs: End Users Experience

  • Farah Nor Aliah Ahmad
  • Zarul Fitri ZaabaEmail author
  • Mohamad Amar Irsyad Mohd Aminuddin
  • Nasuha Lee Abdullah
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 1132)


The dependencies of the computer and the Internet keep increasing among the users. Thus, it poses to the increasing number of attacks as a result of using various application and tools. Security warning conveys an alert on the potential harm users might expose such as malware and any kind of attacks on their computer. In practice, most of the end users tend to ignore the security warning as it shows the messages repeatedly, although they have been exposed to many risks. A security warning dialogue is supposed to catch the user’s attention and comprehension however, because of users’ past experiences such habituation makes them became less focus. One-to-one interview session with 60 participants was conducted in order to gain further comprehension among the end users experiencing security warning and to investigate the usability issues of current security warning implementation. It is deemed of necessity to discover these usability issues in the current context of security warning presentations. The result revealed that the problems and challenges continue to persist such as difficulties to make a decision, difficulties to comprehend technical jargons, lack of attractiveness of current security warning and issues of habituation or repeated exposures of warnings.


Usability Security warning Usable security Security Human-computer interaction 


  1. 1.
    Mahajan, A.: 3.6 billion active internet users worldwide by 2018 with nearly 50% penetration. Accessed 31 Sept 2018
  2. 2.
    Passeri, P.: Cyber attacks statistics. Accessed 31 Sept 2018
  3. 3.
    Amran, A., Zaaba, Z., Mahinderjit Singh, M.: Usable security: revealing end-users comprehensions on security warnings. In:4th Information Systems International Conference, ISICO 2017, pp. 635–631, Elsevier B.V., Penang (2017)CrossRefGoogle Scholar
  4. 4.
    Wogalter, M.: Purposes and scope of warnings. Hum. Factors Ergonom. 3–9 (2006)Google Scholar
  5. 5.
    Schechter, S., Dhamija, R., Ozment, A., Fischer, I.: The emperor’s new security indicators. In: The 2007 IEEE Symposium on Security and Privacy, p. 15. IEEE, Oakland (2007)Google Scholar
  6. 6.
    Akhawe, D., Felt, A.: Alice in warningland: a large-scale field study of browser security warning effectiveness. In: Proceedings of the 22th USENIX Security Symposium (2013)Google Scholar
  7. 7.
    Minakawa, R., Takada, T.: Exploring alternative security warning dialog for attracting user attention: evaluation of “Kawaii” effect and its additional stimulus combination. In: IIWAS 2017: The 19th International Conference on Information Integration and Web-based Applications and Services. Association for Computing Machinery, Salzburg (2017)Google Scholar
  8. 8.
    Bravo-Lillo, C, Cranor, L.F., Downs, J.S., Komanduri, S.: POSTER: what is still wrong with security warnings: a mental models approach. In: Proceedings of the Sixth Symposium on Usable Privacy and Security, Redmond, WA (2010)Google Scholar
  9. 9.
    Bravo-Lillo, C., Cranor, L.F., Down, J.S., Komanduri, S.: Bridging the gap in computer security warning. A Mental Model Approach, pp. 18–26 (2011)Google Scholar
  10. 10.
    Krol, K., Moroz, M., Sasse, M. A.: Don’t work. Can’t work? Why it’s time to rethink security warnings. In: 2012 7th International Conference on Risks and Security of Internet and System (CRiSIS) (2012)Google Scholar
  11. 11.
    Samsudin, N., Zaaba, Z.: Security warning life cycle: challenges and panacea. J. Telecommun. Electron. Comput. Eng. 9(2–5), 53–57 (2017)Google Scholar
  12. 12.
    Amran, A., Zaaba, Z., Mahinderjit Singh, M.: Habituation effects in computer security warning. Inform. Secur. J.: Glob. Perspect. 27(2), 119–131 (2018)Google Scholar
  13. 13.
  14. 14.
    Zaaba, Z., Furnell, S., Dowland, P.: A study on improving security warning (2014)Google Scholar
  15. 15.
    Zaaba, Z., Teo, K.: Examination on usability issues of security warning dialogs. J. Multidisc. Eng. Sci. Technol. (JMEST) 2(6), 1337–1345 (2015)Google Scholar
  16. 16.
    Raja, F., Hawkey, K., Hsu, S., Wang, K.LC., Beznosov, K.: A brick wall, a lock door and a bandit: a physical metaphor for firewall warnings. In: Proceedings of the Seventh Symposium on Usable Privacy and Security, Pittsburgh, USA, pp. 1–20 (2011)Google Scholar
  17. 17.
    Samsudin, N.F., Zaaba, Z.F., Sing, M.M., Samsudin, A.: Symbolism in computer security warnings: signal icons and signal word. Int. J. Adv. Comput. Sci. Appl. (IJACSA) 7(10), 148–153 (2016)Google Scholar
  18. 18.
    Wu, M., Miller, R., Garfinkel, S.: Do security toolbars actually prevent phishing attacks? In: CHI 2006, pp. 601–610. ACM, Québec (2010)Google Scholar
  19. 19.
    Motiee, S., Hawkey, K., Beznosov, K.: Do windows users follow the principle of least privilege?: investigating user account control practices. In: Symposium on Usable Privacy and Security (SOUPS), p. 13. ACM, Washington (2010)Google Scholar
  20. 20.
    Anderson, B.B., Kirwan, C.B., Jenkins, J.L., Eargle, D., Howard, S., Vance, A.: How polymorphic warnings reduce habituation I the brain: insights from fMRI study. In: Proceeding of the 33rd Annual ACM Conference on Human Factors in Computing Systems, pp. 2883–2892 (2015)Google Scholar
  21. 21.
    Ion, I., Reeder, R., Consolvo S.: “…no one can hack my mind”: comparing expert and non-expert security practices. In: Symposium on Usable Privacy and Security (SOUPS). USENIX (2015)Google Scholar
  22. 22.
    Furnell, S.M., Jusoh, A., Katsabas, A.: The challenge of understanding and using security: a survey of end-users. In: Computer and Security, The International Source of Innovation for the Innovation Security and IT Audit Professional (2006)Google Scholar
  23. 23.
    Althobaiti M.M., Mayhew, P.: User’s awareness of visible security design flaws. Int. J. Innov. Manag. Technol. 3(7) (2016)Google Scholar
  24. 24.
    Harbach, M., Fahl, S., Yakovleva, P., Smith, M.: Sorry, I don’t get it: an analysis of warning message texts. In: Adams, A.A., Brenner, M., Smith, M. (eds.) FC 2013. LNCS, vol. 7862, pp. 94–111. Springer, Heidelberg (2013). Scholar
  25. 25.
    Mesbah, S.: Internet science-creating better browser warnings. Seminar Future Internet WS1415 (2015)Google Scholar
  26. 26.
    Jenkins, J.L., Anderson, B.B., Vance, A.: More harm than good? How messages that interrupt can make us vulnerable. Inform. Syst. Res. 27, 1–17 (2016)CrossRefGoogle Scholar
  27. 27.
    Wash, R.: Folks models of home computer security. In: Symposium on Usable Privacy and Security (SOUPS) (2010)Google Scholar
  28. 28.
    Vance, A., Kirwan, B., Bjorm, D., Jenkins, J., Anderson, B.B.: What do we really know about how habituation to warnings occurs over time? A longitudinal fMRI study of habituation and polymorphic warning. In: Computer Human Interaction (CHI 2017), Denver, CO, USA (2017)Google Scholar
  29. 29.
    Kang, R., Dabbish, L., Fruchter, N., Kiesler, S.: My data just goes everywhere: user mental models of the internet and implications for privacy and security. In: Symposium on Usable Privacy and Security (SOUPS), pp. 39–50 (2015)Google Scholar
  30. 30.
    Shepherd, L.A., Archibald, J., Ferguson R.: Reducing risky security behaviours: utilising affective feedback to educate users. In: Proceedings of Cyberforensics (2014)Google Scholar
  31. 31.
    Redmiles, E., Malone, A., Mazurek, M.: I think they’re trying to tell me something: advice sources and selection for digital security. In: IEEE Symposium on Security and Privacy, pp. 272–288. IEEE (2016)Google Scholar
  32. 32.
    Das, A., Khan, H.: Security behaviors of smartphone users. Inform. Comput. Secur. 1(24), 116–134 (2016)CrossRefGoogle Scholar
  33. 33.
    Anderson, B.B., Vance, A., Kirwan, B., Eargle, D.: User aren’t (necesserily) lazy: using NeuroIS to explain habituation to security warnings. In: Thirty Fifth International Conference on Information System, Auckland (2014)Google Scholar
  34. 34.
    Bravo-Lillo, C.A.: Improving computer security dialogs: an exploration of attention and habituation. PhD thesis, Carnegie Mellon University (2014)Google Scholar
  35. 35.
    Zaaba, Z., Furnell, S., Dowland, P.: Literature studies on security warnings development. Int. J. Percept. Cogn. Comput. (IJPCC. 2, 8–13 (2016)Google Scholar
  36. 36.
    Anderson, B., Vance, A., Kirwan, C., Jenkins, J., Eargle, D.: From warning to wallpaper: why the brain habituates to security warnings and what can be done about it. J. Manag. Inform. Syst. 33, 713–743 (2016)CrossRefGoogle Scholar

Copyright information

© Springer Nature Singapore Pte Ltd. 2020

Authors and Affiliations

  • Farah Nor Aliah Ahmad
    • 1
  • Zarul Fitri Zaaba
    • 1
    Email author
  • Mohamad Amar Irsyad Mohd Aminuddin
    • 1
  • Nasuha Lee Abdullah
    • 1
  1. 1.School of Computer SciencesUniversiti Sains MalaysiaGelugorMalaysia

Personalised recommendations