In life, as on the Internet, most of us are satisficers – we tend to favour actions and make

decisions that are good enough, rather than optimal (Simon, 1956). As an energy-saving

technique, this has benefits, but also drawbacks. When it comes to protecting oneself online,

Akhawe and Felt (2013) and Herley (2010) have shown that Internet users work hard to

ignore warnings and security notices. Existing theories and empirical work in criminology

suggest this might be a problem. Situational crime prevention shows that offenders are more

likely to take advantage of an environment that appears target-rich (cf. Felson & Clarke,

1998), while routine activity theory (RAT; Cohen & Felson, 1979) analyses crime incidence

in terms of a motivated offender, a suitable target and an opportunity. However, there is

comparatively little research on the causal link between ignoring warnings and being

defrauded. One plausible explanation is that those who ignore the warnings might believe

themselves to be less vulnerable because they might have less money to lose or are confident

in their ability to resist scams. In reality, lack of funds does not pose a hurdle for determined

scammers, who have been known to push prospective victims into taking loans (e.g. in

investment scams; Stevenson, 2000) or entangle them in money laundering schemes

(Zuckoff, 2005). Overconfidence in one’s ability to resist fraud has also been shown to

increase the likelihood of being scammed (Camerer & Lovallo, 1999; Fischer, Lea, & Evans,


While computer users are more likely to follow an inconvenient procedure if they are explicitly told it is for security purposes (Egelman et al., 2010), the daily exposure to an overwhelming amount of warnings remains an issue. This makes it hard for users to sort the real threats from the many trivial ones and the even greater number of false alarms (BravoLillo et al., 2013). Users are willing to expend only a certain amount of effort and time on security concerns: that is, their compliance budget (Beautement, Sasse, & Wonham, 2008) is a limited resource. In brief, users would prefer to ignore warnings, but if that is hard enough they will comply with some of them, up to a point.

Thus there is a need for fewer but more effective of malware warnings, particularly in

browsers. Earlier research tended to focus on the presentation of warnings; for example,

passive warnings (that require no user action) tend to be almost universally ignored. Egelman,

Cranor, and Hong (2008) found that active warnings helped deter 79% of their participants

from visiting a potentially harmful website. Later research has moved towards the positioning

of the dialogues, the amount of text, the length of the message and the amount of technical

detail (Bauer, Bravo-Lillo, Cranor, & Fragkaki, 2013). Another recent approach has been to

manipulate the content of security warnings (e.g. malware warnings;Egelman & Schechter,

2013; and SSL warnings; Sunshine, Egelman, Almuhimedi, Atri, & Cranor, 2009). The wording in warnings in such studies generally appears to be based on trial and error rather

than on established psychological theories of communication or persuasion. In the present

paper, we based our warnings on some of the social psychological factors that have been

shown to be effective when used by scammers (Modic, 2013; Modic & Lea, 2013). Those

factors which play a role in increasing potential victims’ compliance with fraudulent requests,

will also prove effective in warnings.

Read this entire article

Read more at Woods LLP

11 views0 comments

(713) 224-6604

©2020 by Woods LLP.