Computer users often feel bombarded by warnings about malware – particularly in internet browsers, which often repeatedly warn about risky sites – but tricks used by cybercriminals can help stop this, a new paper claims.
Direct threats against users are more effective than other tactics, such as vague warnings about systems or the impact on others – as any good malware writer could tell you.
Two Cambridge University researchers tested various anti-malware warnings on 583 respondents, mostly from the United States, and with a range of ages and computer ability – and tested, “some of the social-psychological techniques the scammers themselves use.”
Clear threats to computer users themselves – ie an explanation of the damage or financial losses they might face, worked more effectively than warnings about certificates or technical terms.
Tech Republic commented that the ‘fake’ warnings created by the academics were in fact more effective than ‘real’ warnings, according to the survey results – citing the “site’s security certificate is not trusted” warning as an example of a real-world warning unlikely to have an impact.
In a blog post, the researchers, David Modic and Ross Anderson said, “Internet users face large numbers of security warnings, which they mostly ignore. To improve risk communication, warnings must be fewer but better.”
“We report an experiment onwhether compliance can be increased by using, namely appeal to authority, social compliance, concrete threats and vague threats – some of the social psychological factors that have been shown to be effective when used by scammers. The factors which play a role in increasing potential victims’ compliance with fraudulent requests also prove effective in warnings.”
The academics found that concrete, detailed threats were highly effective, with the message, “The site you are about to visit … would try to infect your computer with malware designed to steal your bank account and credit card details in order to defraud you,” working effectively to deter users.
Social factors – such as whether Facebook friends or people in the local area had fallen victim – had little effect.
“What works best is to make the warning concrete; people ignore general warnings such as that a web page “might harm your computer” but do pay attention to a specific one such as that the page would “try to infect your computer with malware designed to steal your bank account and credit card details in order to defraud you”. There is also some effect from appeals to authority: people who trust their browser vendor will avoid a page “reported and confirmed by our security team to contain malware”
“There is a need for fewer but more effective of malware warnings, particularly in browsers,” the writers conclude. “Warning text should include a clear and non-technical description of potential negative outcome; or an informed direct warning given from a position of authority.”
Author Rob Waugh, We Live Security