Fake security messages more believable than real warnings research shows

  • 14 January 2014

Cambridge University researchers reveal why people believe malicious, fake security messages and ignore real warnings.
 
How do you react to the following warning when it pops up on your screen?

[Image: browser warning that the site's security certificate is not trusted]

I have yet to find a person who always obeys the above warning, but the warning below has proven very effective, even though it's a complete fake. Why?

[Image: fake security warning]

This is a question two University of Cambridge researchers try to answer in their paper, Reading This May Harm Your Computer: The Psychology of Malware Warnings. Professor David Modic and Professor Ross Anderson, authors of the paper, took a long hard look at why computer security warnings are ineffective.
 
Warning message overload

The professors cite several earlier studies which provide evidence that users are choosing to ignore security warnings. I wrote about one of the cited studies authored by Cormac Herley, where he argues:

  • The sheer volume of security advice is overwhelming.
  • The typical user does not always see the benefit from heeding security advice.
  • The benefit of heeding security advice is speculative.

The Cambridge researchers agree with Herley, mentioning in this blog post:

    "We're constantly bombarded with warnings designed to cover someone else's back, but what sort of text should we put in a warning if we actually want the user to pay attention to it?"

I can't think of a better example of what Herley, Anderson, and Modic were referring to than my first example: the "site's security certificate is not trusted" warning.
 
Full Article

2 replies

Hi Jasper

Thanks for sharing...so interesting...and who would have believed that, eh? Not me for one...until you posted.

Regards

Baldrick
It was a bit surprising but interesting. Easy to see how some people fall for them.
