We have lots of security schemes that try to figure out whether an online resource like a web page or an e-mail message is benign or malicious. Their tests use a lot of heuristics so they occasionally guess wrong or can’t tell. The WKBI is to show a warning and ask the user what to do if the system isn’t sure. Unfortunately, experiments have consistently shown that users do not understand the warnings and usually do whatever makes the warning go away fastest.
It’s been described as “gargle parp SECURITY WARNING blurch gloopf DANGEROUS flurp churble. OK?” It’s always OK.
Locks, green bars, and related icons and logos have the same problem. Users don’t understand what they mean, and don’t understand why a lock in one part of the screen (the browser bar) means something different from a lock somewhere else (inside a malicious web page).
- Browser bad certificate warnings
- Mail icons or logos intended to indicate virtuous mail
- Mail programs that highlight signed and unsigned parts of a message
References
The Emperor’s New Security Indicators: An evaluation of website authentication and the effect of role playing on usability studies
http://www.usablesecurity.org/emperor/