Fake security messages more credible than real notices, investigation shows
Cambridge University researchers explain why people trust malicious, fake security messages and ignore real notices.
How do you respond to the following warning when it pops up on your screen?
I have yet to find a person who always follows the warning above, but the warning below has proven very effective, even though it is entirely fake. Why?
This is a question that two researchers at Cambridge University try to answer in their paper, Reading This Can Harm Your Computer: Psychology of Malware Warnings. Professor David Modic and Professor Ross Anderson, the authors of the paper, have long considered why computer security warnings do not work.
Warning Message Overload – Fake Security Messages
The authors cite several previous studies that provide evidence that users prefer to ignore security warnings. I wrote about one of the cited studies, written by Cormac Herley, in which he said:
- A large amount of security advice is very powerful.
- The average user does not always see the benefit of following security advice.
- The benefit of heeding security advice is speculative.
The Cambridge researchers agree with Herley, stating in this blog post:
“We are continually blasted with warnings intended to cover somebody else’s back, but what sort of text should we include in a warning if we need the user to pay attention?”
I can’t think of a better example of what Herley, Anderson, and Modic were talking about than the first example: the “site certificate is unreliable” warning.
Warning messages are persuasive
Anderson and Modic reviewed previous research on the use of persuasive psychology to address issues that bear on decision-making. They came up with the following findings:
- Influence of authority: Warnings are most effective when potential victims believe they come from a trusted source.
- Community influence: People will comply if they believe other members of their community are also complying.
- Risk factors: People often tend to act recklessly under dangerous circumstances.
Use what works for the bad guys
To find out what users actually pay attention to, Anderson and Modic studied warnings that played on different emotions, hoping to learn which warnings would make an impression. Surprisingly, the researchers used the same psychological traits that have already been shown to work for the bad guys:
“We have focused our warnings on some of the social and psychological factors that work best when used by fraudsters. Factors that contribute to increasing potential victimization through fraudulent applications also work effectively in warnings.”
The alerts used in the trial fall into the following types:
- Control Group: Anti-malware alerts currently in use in Google Chrome
- Authority: The site you were visiting was reported and verified by the security team to install malware.
- Social Influence: The site you were visiting contained software that could harm your computer. Fraudsters who run this site are known to target people from your local area. Some of your friends may already have been defrauded. Please do not continue on this site.
- Concrete Threat: The site you are visiting has been confirmed to contain software that puts you at risk. It will try to infect your computer with malware designed to steal your bank account and credit card details in order to defraud you.
- Anonymous Threat: We have blocked your access to this page. This page may contain software that could harm your computer. Please close this tab and move on to another site.
The researchers then recruited 500 men and women through Amazon Mechanical Turk to take part in the study, recording how each type of warning influenced participants.
People respond to clear, powerful messages
Anderson and Modic express surprise that social influence was not as effective as they had expected it to be. The most effective warnings were clear and concise, like messages announcing that a computer will be infected with malware, or that a malicious website will steal a user’s financial information. Anderson and Modic suggest that software developers who write warnings should heed the following advice:
- The warning text should include a clear and unambiguous description of the potential adverse effect.
- The warning should be a straightforward, informative message from an authority.
- The use of coercion (as opposed to persuasion) should be minimized, as it may be counterproductive.
Most importantly, according to Anderson and Modic, “Warnings should be few, but better.” And from what I have learned from this report, the bad guys do a great job when it comes to warnings, even if for a different reason.