Reading This May Harm Your Computer: The Psychology of Malware Warnings Cambridge Computer Laboratory Research was funded by: David Modic and Ross Anderson


Reading This May Harm Your Computer: The Psychology of Malware Warnings

Cambridge Computer Laboratory

Research was funded by:

David Modic and Ross Anderson


Overview

• Who am I and what do I do.

• Psychology of fraud (brief overview) – This ties into the present research

• Why malware and why tangle psychology into it

• Methodology

• Results

• Discussion

Running time: approximately 1h

Deception research http://research.deception.org.uk


Who, what, where

• My name is Dr. David Modic.

• I am a postdoc at the Cambridge Computer Lab.

• My PhD is in economic psychology.

• My research interests include cybercrime, victimisation studies, psychology of fraud, personality traits of victims and scammers, persuasive mechanisms…


Internet fraud - context

• The word fraud comes from Latin (fraudare - to cause deceit or injury).

• The term scam is used as a synonym (believed to be first said by Steve McQueen when he was describing the working ethics of a carny ringmaster where he used to work).

• From the perspective of a psychologist, scams can be described in several ways:

a) As an error in judgment (a break from Rational Choice Theory).

b) As an illegitimate marketing offer.


Internet fraud – context II.

ad a) Error in judgement

• Falling for a scam is not rational (especially if we take victim facilitation into account).

• It is not about being stupid (if it was, better educated people and the elderly would be impervious).

• If falling for a scam is irrational and not connected to intelligence, then it must be connected to something else. Our previous research was concerned with uncovering these factors.


Internet fraud – context III.

ad b) Illegitimate marketing offer

If this claim is true, then we have a solid consumer psychology foundation for our research. There is some anecdotal and some empirical evidence supporting this, for example:

• Anecdotal: Theory of communication; The marketing mix

• Empirical: OFT reports (Fischer, Lea & Evans, 2008); Modic & Lea (2013).


Victim facilitation

In criminology, first mentioned by Wolfgang (1957). It means the potential victim has to play an active part in victimization.

Victim facilitation =/= victim blaming.

Highly applicable to Internet fraud.

Applicable to some forms of malware.


Why am I talking about this?

Because this frames our approach to fraud and gives us foundation to research it empirically.

And, we have in fact done this already.

We looked at salient factors that increase compliance with advertising and that break rationality (for a given definition).

To make a long story short, the factors that are salient for the research presented today, and that increase compliance with scams, were:

- Influence of Authority

- Social Influence

- Attitudes towards risk


So… what are you on about?

What connection does this have with malware warnings?

If some factors increase compliance of potential victims when it comes to scams…

It would make sense to infer that these same factors would increase compliance when it comes to warnings.

- The overall framing is similar (compliance with a request).

- A potential victim is being influenced (by scammers; or by us).

- There is victim facilitation (if we, for the moment, do not take into account the probably low effectiveness of malware discovery).


But…

What if nobody ever encounters browser warnings, because they turn them off?

What if they would turn the warnings off, if they knew they could?

What would be the possible reasons for that?


Why would people keep the warnings on?

Status quo bias (also called default bias).

90% of users do not change any settings in a popular word processing package (Spool, 2011).

Political party in power is more likely to be re-elected (Jost, Banaji & Nosek, 2004).

Corollary: opt-out vs. opt-in.


Ok, why would they turn warnings off?

To optimize efficiency. We know that users in general expend a lot of energy on ignoring warnings (Akhawe & Felt, 2013; Herley, 2010).

Compliance budget (Beautement, Sasse and Wonham, 2008) comes into play.

Malware is relatively rare, so there are diminishing returns. This is like the U.S. war on terror…


Ok, why else would you turn the warnings off?

We know that it is hard to separate the wheat from the chaff in warnings. There are so many about so many things (Bravo-Lillo et al., 2013)


What is next then?

We know the theory would support us both ways, so let’s test it. We postulated these reasons:

A user wants to make their own decisions (because - no trust in computers; e.g. Lee & See, 2004)

Ignoring the unknown and obscure

Following warnings is a waste of time (because of diminishing returns; Herley, 2009)

False positives (Krol, Moroz & Sasse, 2012).

Could be that OS X and Linux users feel invulnerable.


But…

What if there is almost nobody who does turn off warnings?

Well, that is good, then, right? Because our analysis later will be stronger.

But.

What if people would like to turn the warnings off, but don’t know how?

What if the reasons we imagine people would have to turn warnings off are not the real reasons?


So, what did we find about the preferences

Initial raw sample:

12% [70 people] turned off anti-malware, or would turn it off if they knew how to do it.

There are discrepancies between why people actually turn off warnings and why they imagine other people do it.

Interestingly, the discrepancy is not in the direction but in the size (those who keep anti-malware on overestimate the importance of particular reasons for turning it off).


Turning off Warnings

Take-away point 1: We can tentatively use intent data in place of action data (with caveats, for example the discrepancy in group sizes).


So what factors do influence turning off warnings?


Other Interesting take-away points

Differences in opinion about, and the actual fact of turning off warnings:

• People who keep warnings on are opinionated about others, although it turns out not exactly without cause.

• The biggest difference in means is for "ignores warnings" (meaning that the word on the street is that people who turn off warnings are doing it because they ignore them anyway).

• The attempt to add fuel to the fire of OS wars misfired spectacularly (none of the three groups scored this reason highly).

• The highest scoring reason across all groups was false positives, but it was not a significant regressor.


Some more conclusions

• Status quo bias confirmed (only approximately 10% of respondents turn off warnings).

• Two most important predictors were Ignore warnings and Does not understand.

• IT Savvy users are likely to keep warnings on.

• We assume that this is because the ability to premeditate outweighs comfort.


And some more conclusions…

Female respondents more frequently retained warnings. This is in line with other research on risk preferences.

Since we know that users will in general try to ignore computer warnings of any kind (e.g. Akhawe & Felt, 2013; Herley, 2010), it is not surprising that they will try the same when it comes to browsers.


Study of susceptibility to warnings

n = 583 (from Amazon Mechanical Turk)

5 groups (Control, Authority, Social Influence, clear risk outline, vague threats).

Instructions + one of five screenshots of anti-malware warning.

A bunch of questions on trust, because if people do not trust the other party, their compliance will be very low. There are also interesting corollaries (do they trust Facebook friends more than real friends?).

In the end we asked what people actually wanted to see in a malware warning.


Results – Preliminary analysis

63 answers were duplicates or triplicates or quadruplicates.

n = 520 left for the final analysis.

ICT knowledge: 415 (85%) users report being better than average at ICT (mean: 4.32; max: 6).


The level of CS proficiency does significantly impact the decision to follow through to a problematic page.

People familiar with computers are more likely to ignore malware warnings. Aha! Overconfidence.


Some more preliminary analysis

Education: normally distributed. 240 (49%) BSc, approx. 2% PhD (this has interesting implications).

Browser usage: 51% Chrome, 37% Firefox, 7% Internet Explorer. Other browsers < 1%.

Social Networks: 439 (89%) Facebook users, 51% Twitter, 46% Google Plus, 42% LinkedIn, 23% Pinterest, 14% Tumblr, 1% Path.


Multiple regression: final step


No need to care about this table. I shall interpret for you.


Overview

The interesting thing is that in this analysis two regressors make you more likely to follow through to a fraudulent site:

If your friends or Facebook friends tell you that it is safe.


Overview II.

Bear in mind that the DV was not normally distributed (49% of respondents reported likelihood of visiting as 1 out of 7).

I did some non-parametric mumbo-jumbo and the results still hold and analysis is valid.

The take-away message is, though, that regardless of message contents, as soon as there is a message, many will stop.


Overview III.

Statistically significant regressors:

• Authority

• Concrete risk assessment

As far as authority is concerned, soft tactics work (strength of argument, persuasion), while harsh tactics do not work (vague threats were not significant in this experiment).

Individuals respond better to clear assessment than to vague prophecies of doom.


Conclusion

Better response to clear threats might be problematic because most warnings in real life are not clear, concise and descriptive.

This is because most real-life warnings are their own purpose: they exist so that someone can be prevented from suing, because there was clearly a warning telling you not to do something.


Thank you

Questions?

[email protected]
