Are security warnings making us fatigued?

Internet security, software and anti-virus updates: we are all aware of these, and many of us frequently ignore them. Now there is some research on why that is. People may be experiencing ‘security fatigue’ due to the number of security warnings out there, and this may be dangerous as it leads to less caution. Having so much security or fraud advice from different sources can confuse and intimidate users to the point that they ignore all advice. In real life, we have limited time for making decisions. When there is too much information to consider, it’s easier to ignore all of it than to try to figure out which security advice should be followed.

Badly designed security warnings are largely ignored

In a research study by Egelman, Cranor & Hong, participants who willingly gave their details to a fraudulent website created for the experiment explained that they did so because they did not understand the risks, and said they frequently ignore security advice. Therefore, warnings barked at people without properly explaining why there is a need to be cautious may not be the best way forward. Having simple advice, concentrating on fraud elements that are mostly stable (e.g. scam techniques or personal vulnerabilities), as well as individual factors (e.g. personality or circumstances that influence fraud compliance), may be a better way in the fight against fraud. This is supported by research that looked at how individual differences impact privacy attitudes (Egelman & Peer, 2015).


Designing good security advice is an art. Just as criminals use specific persuasion techniques to influence compliance, security advice that is not compelling will be largely ignored.
For example, research by Modic & Andersen found that security warnings that used concrete threats (an explanation of what malware does to a computer) rather than vague ones (a message saying access is blocked due to security concerns) were more effective. They also found that adding cues to authority (e.g. security team has identified this site is dangerous) to a security message was more effective than social cues (e.g. your friends have already been scammed). This means that people seem to appreciate concrete advice coming from those they perceive to be experts in the field, rather than being inundated by vague or conflicting security advice that can be found in abundance online.

There is another aspect to consider, and that is the potential for alienating customers. Many companies invest money in fraud prevention measures that reduce revenue lost to fraud but forget about fraud prevention advice for their customers. This is often just an afterthought, and I have seen many legitimate emails contain really outdated scam advice within their content. This includes telling customers that they can trust emails that have their name in the content or to pay attention to spelling. Fraud is an organized crime and scammers have realized that a little bit more effort invested in designing phishing content tends to pay big dividends. Often this means that they get some data on the potential victim and can offer personal information as a way of enhancing the credibility of the correspondence.

If your customer receives a phishing email bearing your logos, and they remember your outdated phishing advice, which is no longer valid, they may get scammed.

Once this happens they will forever have a negative view of your brand. They will no longer trust you.

Many fraud victims I interviewed told me about a lack of trust following victimization. And sometimes this mistrust gets attached to companies whose credentials were misused by scammers. The best you can do for your customers is to keep any fraud prevention advice current and relevant.

When a person is defrauded, they suffer great psychological distress. It is not just about the lost funds; it is about deception, about morals. On a rational level, a victim of a phishing attack bearing your company logo will know that you did not cause this, but on an emotional level, they will forever associate your brand with not being able to trust you. This is why it’s important to have the best possible fraud prevention advice for your customers, to make it engaging, relevant and personal, and to update it frequently.