I’m sure there have been at least a few occasions when you’ve been surfing the web, clicked on a link, and then discovered a warning notice in your browser, telling you to proceed at your peril!
And you’ve paid attention and gone back whence you came. Right?
Given that you are reading a security blog you probably are wise enough to heed such warnings but most people aren’t like you – they ignore things that could do them serious harm.
It’s well known that the average internet surfer will ignore messages which tell them not to proceed. There are many reasons why this may be so, from the fact that they are used to seeing advertisements disguised as such to the fact that there are just so darn many warnings to contend with each day. Not only that, but there is the belief that bad things always happen to other people, not them. Or so they would wish to believe.
So what is the solution? How should warning notices be crafted in order to attract attention and elicit the correct response?
A new study from Ross Anderson, Head of Cryptography at Cambridge University, and David Modic took a psychological approach. Their downloadable report, called “Reading This May Harm Your Computer: The Psychology of Malware Warnings” was published at the end of last week.
“We’re constantly bombarded with warnings designed to cover someone else’s back, but what sort of text should we put in a warning if we actually want the user to pay attention to it?”
The biggest barrier, the researchers discovered, was the fact that the average user would always ignore such alerts if they could do so. And so they looked for a way to make the warnings more effective.
Anderson and Modic suggest that the key here is the premise that less is more, particularly where browser warnings are concerned.
They also argue that psychological factors can be employed to ensure that users take warnings more seriously.
An experiment was conducted involving 500 people, using variations of a Google Chrome warning message presented in four different formats: authority, social influence, concrete threat and vague threat.
The results surprised Anderson, who said:
“To our surprise, social cues didn’t seem to work. What works best is to make the warning concrete; people ignore general warnings such as that a web page “might harm your computer” but do pay attention to a specific one such as that the page would “try to infect your computer with malware designed to steal your bank account and credit card details in order to defraud you”. There is also some effect from appeals to authority: people who trust their browser vendor will avoid a page “reported and confirmed by our security team to contain malware”.”
The study also discovered that word of mouth was far more important to many users than any warning on their screen, with many of the participants saying they would click through flagged links if their Facebook friends told them it would be OK to do so. In this case it seems that making sure your friends on social sites are trustworthy is more important than ever!
The study also analysed who disabled browser-based warnings altogether, discovering that:
“We also analysed who turned off browser warnings, or would have if they’d known how: they were people who ignored warnings anyway, typically men who distrusted authority and either couldn’t understand the warnings or were IT experts.”
The report concluded that some 25% of users clicked through links that were potentially fraudulent (see: how not to get phished) or malicious, which shows that there is still a great need for improved security awareness amongst the computer-using public. Hopefully improved warning messages will lessen the click-through rates in the future.