You’ve decided to go on vacation, and hop online to check out a few potential destinations. You’re cruising along, clicking links with abandon, when suddenly, you receive a warning: “The website may not be safe. We recommend that you do not click the link.”
Do you:
- Click anyway, thinking that your antivirus program is just being cautious?
- Hit the back button and find another source to check out photos of the beach in Grand Cayman?
- Close your browser window, clear your cache, run a quick virus scan, and then wash your hands just to be sure?
If you’re like most people, there’s a pretty good chance that you answered A. The fact is most people actually ignore the security warnings that pop up on their computers, even when they know the potential dangers lurking online. According to a 2013 study by Google, of the more than 25 million website security warnings that were issued during the study period, 70 percent went unheeded. This aligns with many experts’ claims that the vast majority of security incidents — as many as 95 percent — are due to human error.
This begs the question, then, as to why this is the case, especially when security experts constantly tout education as the solution to data breaches. Clearly, current warning methods aren’t working, and there are several reasons that is the case.
Researchers have conducted several studies to determine exactly why people ignore security warnings, and reached several conclusions.
1. Security Warnings Are Too Technical
While many developers believe that the messages they use to warn users about potential security risks are clear and easy to understand, the truth is that to the average user, they aren’t actually very clear. Often, the security warnings focus on the problem (“There is a problem with this site’s security certificate” for example) and not the potential outcome if you click on it.
Because most users are not technically inclined, they may not understand the warning and thus dismiss its importance. In fact, when Google researchers removed technical language from security warnings and added illustrations that indicated danger, the number of users that actually responded to warnings increased.
2.Previous Security Warnings Have Been False Alarms
Unfortunately, security is an area in which past experience can work against you. When you ignore a warning and nothing happens, it’s easy to fall into a false sense of security and believe that all warnings spring from an abundance of caution and can be safely ignored.
It’s only when something bad actually happens that many people take heed of warnings — usually when it is too late. This is the same reason that many people fail to protect their Apple products. While it may have been true once upon a time, many are discovering that the refrain of “Macs don’t get viruses” to be untrue. These days, the prevalence of malware designed to infect iOS makes antivirus for Mac a necessity, and ignoring the warnings can be costly.
3. We Can’t Help It
According to researchers at Brigham Young University, ignoring security warnings is actually a normal function of the human brain. While ignoring security warnings without consequence leads to ignoring the warnings in the future, some of the disregard for warnings also comes from the way our brains are hardwired.
In the BYU study, subjects were repeatedly shown more than 40 different common warnings. However, after the first warning of each kind, the brain subconsciously ignored it. Essentially, seeing a warning once leads to habituation; while the first time we see something, it sparks a stimulus; subsequent viewings rely on memory and therefore are not as stimulating. This explains, at least in part, why we ignore the warnings that don’t lead to consequences, but more importantly, why it appears that we hardly even acknowledge subsequent warnings.
The fact that users have a tendency to ignore security warnings is leading developers to create security products that essentially take users out of the equation entirely. By creating blacklists that automatically block potentially harmful sites or running sites without the proper security certificates in “containers” to limit damage from malware, developers are in effect protecting users from themselves. While some may balk at these controls — and have legitimate reasons for overriding them — in highly sensitive environments, taking the decision away from the user may be the best option for protecting data.
In the meantime, users need to become more aware of security warnings, and respond appropriately. You never know when that simple click could be the one that leads to a serious, and costly, attack.
Article Submitted By Community Writer
