RUNNING HEAD: READING THIS MAY HARM YOUR COMPUTER: THE PSYCHOLOGY OF MALWARE WARNINGS

In life, as on the Internet, most of us are satisficers – we tend to favour actions and make
decisions that are good enough, rather than optimal (Simon, 1956). As an energy-saving
technique, this has benefits, but also drawbacks. When it comes to protecting oneself online,
Akhawe and Felt (2013) and Herley (2010) have shown that Internet users work hard to
ignore warnings and security notices. Existing theories and empirical work in criminology
suggest this might be a problem. Situational crime prevention shows that offenders are more
likely to take advantage of an environment that appears target-rich (cf. Felson & Clarke,
1998), while routine activity theory (RAT; Cohen & Felson, 1979) analyses crime incidence
in terms of a motivated offender, a suitable target and an opportunity. However, there is
comparatively little research on the causal link between ignoring warnings and being
defrauded. One plausible explanation is that those who ignore the warnings might believe
themselves to be less vulnerable because they might have less money to lose or are confident
in their ability to resist scams. In reality, lack of funds does not pose a hurdle for determined
scammers, who have been known to push prospective victims into taking loans (e.g. in
investment scams; Stevenson, 2000) or entangle them in money laundering schemes
(Zuckoff, 2005). Overconfidence in one’s ability to resist fraud has also been shown to
increase the likelihood of being scammed (Camerer & Lovallo, 1999; Fischer, Lea, & Evans,
2013).
While computer users are more likely to follow an inconvenient procedure if they are explicitly told it is for security purposes (Egelman et al., 2010), the daily exposure to an overwhelming amount of warnings remains an issue. This makes it hard for users to sort the real threats from the many trivial ones and the even greater number of false alarms (BravoLillo et al., 2013). Users are willing to expend only a certain amount of effort and time on security concerns: that is, their compliance budget (Beautement, Sasse, & Wonham, 2008) is a limited resource. In brief, users would prefer to ignore warnings, but if that is hard enough they will comply with some of them, up to a point.
Thus there is a need for fewer but more effective malware warnings, particularly in
browsers. Earlier research tended to focus on the presentation of warnings; for example,
passive warnings (that require no user action) tend to be almost universally ignored. Egelman,
Cranor, and Hong (2008) found that active warnings helped deter 79% of their participants
from visiting a potentially harmful website. Later research has moved towards the positioning
of the dialogues, the amount of text, the length of the message and the amount of technical
detail (Bauer, Bravo-Lillo, Cranor, & Fragkaki, 2013). Another recent approach has been to
manipulate the content of security warnings (e.g. malware warnings; Egelman & Schechter,
2013; and SSL warnings; Sunshine, Egelman, Almuhimedi, Atri, & Cranor, 2009). The wording in warnings in such studies generally appears to be based on trial and error rather
than on established psychological theories of communication or persuasion. In the present
paper, we based our warnings on some of the social psychological factors that have been
shown to be effective when used by scammers (Modic, 2013; Modic & Lea, 2013). Those
factors which play a role in increasing potential victims’ compliance with fraudulent requests
will also prove effective in warnings.