An effective security warning is concrete and clear, appeals to authority, and doesn’t pop up too often, say the results of a study into the psychology of malware warnings conducted by Cambridge University researchers.
“We’re constantly bombarded with warnings designed to cover someone else’s back, but what sort of text should we put in a warning if we actually want the user to pay attention to it?” asked Cambridge University’s Head of Cryptography Professor Ross Anderson and research associate David Modic, and decided to investigate.
The unfortunate reality is that Internet users are faced with a number of security warnings, and that they ignore most of them. The things that can influence their behaviour in that respect are the ones that influence them in their day-to-day, offline life: authority, group pressure or influence, and risk preferences.
The researchers surveyed over 500 men and women which they recruited via Amazon Mechanical Turk. The group of respondents were faced with five different malware warnings.
The control group saw the typical Google Chrome warning, others were shown variations of warnings that:
- contained an appeal to authority (“The site you were about to visit has been reported and confirmed by our security team to contain malware.”)
- elements of social influence (“The scammers operating this site have been known to operate on individuals from your local area. Some of your friends might have already been scammed.”)
- a concrete threat (“The site you are about to visit has been confirmed to contain software that poses a significant risk to you, with no tangible benefit. It would try to infect your computer with malware designed to steal your bank account and credit card details in order to defraud you.”)
- a vague threat (“We have blocked your access to this page. It is possible that it might contain software that might harm your computer.”)
The respondents were also asked to choose a reason for turning off browser warnings, and to indicate what kind of information would make them heed the warning more (ex. information how a particular scam works, average amount of money lost in this scheme, etc.)
The research showed that users mostly turn off the warnings because of the high rate of false positives, but that the overwhelming majority of all users keep the warnings on (and women are a bit more likely to do so).
“Our analysis showed that the more familiar our respondents were with computers, the more likely they were to keep the malware warnings on,” the researchers noted in their paper. “Risk assessment is possibly more accurate in the population familiar with various cyber threats. This result indicates that the ability for premeditation outweighs the need for convenience to some extent.”
Some of the users who turn off the browser malware warnings cite the inability to understand them as the reason, which implies that the warnings are not written in a clear enough manner.
“When individuals have a clear idea of what is happening and how much they are exposing themselves, they prefer to avoid potentially risky situations,” the researchers note. Also, users respond more to soft power techniques (expert opinion) than harsh ones (threats, coercion).