Cyber Security Warnings

1. Warning source

We conducted research to determine how the source of a warning (i.e., Google, Department of Justice, FBI Cyber Division) impacts attention, risk perception, and disclosure of personal information online.

Our survey showed that Google received the highest ratings. In a later experiment, warnings with sources did reduce the extent of disclosure, with the FBI Cyber Division (not Google) being the most effective source. The results indicate that warnings need to be tested with respect to the actual target behavior (in this case, disclosure), rather than relying on individuals’ perceptions of trust, risk, or influence of a warning message when designing effective warnings.

2. The most effective warning words

Which of three warning words (i.e., “warning,” “caution,” and “hazard”) is best able to capture attention in order to mitigate mindlessness attacks?

All warnings proved to be effective, but the extent of effectiveness depended on the type of information being requested and the warning word. We offer our opinions on how to design warnings in cyber-environments and address future possibilities for research on this topic, using the Communication-Human Information Processing model as a framework.

3. The effectiveness of dynamic warnings

Computer warnings have been designed to mitigate unnecessary identity disclosure. However, people often click the OK button without reading warning messages. We use eye gaze information to provide dynamic warnings. The dynamic warnings are designed to display just-in-time, and they fade out after users read them. They are shown right next to the location where users look. Results show that dynamic warnings are more effective than typical Windows warnings.

4. Warnings may not be effective in reducing disclosure of non-critical personal information

People do not consider their date of birth, gender, and zip code information particularly important to keep private. The combination of these identity elements, however, has a 66% chance of uniquely identifying an individual.

We found no significant differences in disclosure rates as a function of warning condition, although the same warning website and format had been successful in reducing disclosure of more sensitive identity information. It may be especially difficult to create warnings that are effective in convincing people not to disclose information they consider non-sensitive.

5. Suggesting an alternative to reduce exposure of non-critical identity information

As a follow-up to the above experiment, we tested whether providing a warning indicating an alternative can reduce disclosure. In many cases, for example, an exact birthday is not necessary to acquire a service that a user wants from a provider. The experimental warning suggested that participants enter a false month for their date of birth. The warning proved to be very effective.

Relevant Publication(s)

1. Sandra Carpenter, Michael Shreeves, Payton Brown, Feng Zhu, Mini Zeng, “Designing Warnings to Reduce Identity Disclosure,” International Journal of Human-Computer Interaction, pp. 1-8, 2017.

2. Sandra Carpenter, Feng Zhu, Mini Zeng, Michael Shreeves, “Expert Sources in Warnings May Reduce the Extent of Identity Disclosure in Cyber Contexts,” International Journal of Human-Computer Interaction, pp. 215-228, 2016.

3. Mini Zeng, Feng Zhu, Sandra Carpenter, “Eye-gazed based Dynamic Warnings,” the 9th International Conference on Advances in Computer-Human Interaction, Venice, 2016.

4. Sandra Carpenter, Feng Zhu, Swapna Kolimi, “Reducing online identity disclosure by using warnings,” Applied Ergonomics, 45(5), pp. 1337-1342, 2014.

Data files (SPSS/Excel)

Relevant Poster(s)

This warning research was partially supported by the NSF SaTC grant #1220026.

Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.