Creating Better Malware Warnings Through Psychology

msm1267 writes "Generic malware warnings that alert computer users to potential trouble are largely ineffective and often ignored. Researchers at Cambridge University, however, have proposed a change to the status quo, believing instead that warnings should be re-architected to include concrete, specific warnings that are not technical and rely less on fear than current alerts."

Waste of Time

The fake warnings that get people to click on them will just copy the wording and format of the new warnings and use those to entice people to "click here to avert catastrophe".

Re:Waste of Time

I don't know what the article said. I was afraid to download the paper linked because it occurred to me that it might have been one of the very malware warnings they were talking about since they said "Reading this May Harm Your Computer: The Psychology of Malware Warnings".

Preeety clever guys, but I ain't gonna let y'all pull a fast one on me

Re:Waste of Time

[Pope]

Maybe you should read about this one weird computer security tip discovered by a mom. Malware writers hate her!

Re:Waste of Time

[geminidomino]

Right, but the point of the article is to do so on sites that ARE bad and WILL drive-by software that will try to log your keystrokes, steal your passwords and account numbers, and use your computer to send out spam (concrete threats), and not "this could be something scary and microsoft doesn't approve" because you have a GUI IP scanner installed.

specific warnings that are not technical

[kruach+aum]

If you click this link you will literally want to kill yourself like that time you thought you'd pulled your underwear all the way down but instead re-enacted the slicing frame scene from Cube but with poop

If you click this link you will be tricked into being tricked into giving Russians money to make a non-existent problem not go away, like that time you bought a can opener because you chipped a tooth opening a beer bottle and then never used it

If you click this link you will experience the mental equivalent of three elephant births through a human sized vagina worth of pain over the course of a week and a half

Too much repetition

[asmkm22]

This is just based on my experience, but it seems like users are very quick to develop habits based on repetition. UAC is a good example, in that it doesn't take more than a few days to get used to clicking OK on the box that pops up when then screen fades out a little. Changing what the message says won't change that behavior.

Re:Hmmm ...

[vux984]

The NSA would use a major signing authority so as to avoid any warnings. And it would say it was signed by whoever they wanted it to say it was signed by because... NSA.

You are actually better off using your own PKI all the way up and adding your own root certs etc to your browsers if you are concerned about the NSA.

This isn't actually bad advice in general.

Re:Oxymorons

[Tablizer]

"concrete, specific warnings" and "not technical"

"Don't click the purple button shaped like the bow-tie Justin Beiber wore on 'Dancing with Stars' last week".

See, it can be done.

Re:Hmmm ...

[lgw]

Pretty hard to prevent when they can display arbitrary images. You'd have to do something they couldn't replicate, like personalizing it per user, or using a reserved part of the screen.

Trivial: just put a very obvious and different border around any dialog raised by the browser, like thick red and black hashing or something equally unsubtle. It's wouldn't solve every problem, but making it really obvious when it's a pop-up would help.

Or, better, just remove the whole horrible idea of pop-ups from the world of browsers. It solves a problem that no longer exists in tabbed browsing. Restrict web pages from opening anything but a new tab, and nothing of value will be lost.