May I have your attention, please?… A sincere request from a security pop-up.

“…social engineering bypasses all technologies, including firewalls”
-Kevin Mitnick

The above statement is no surprise. Build the most secure system in the world, give a user access to it, and it becomes vulnerable. The vulnerability lies in the fact that people are not as predictable as computers and tend to make mistakes. The reasons can vary from ignorance (Oops! I accidentally left my private key without any access control), security fatigue (too tired of following security, let's skip it just this once, nothing bad can happen!) and lack of education (What in the world is a private key?). In this blog, I would like to talk a bit about the importance of those little pop-ups, the long privacy notices and those annoying security warnings whose appearance makes us search for the 'x' button on the screen, and how they have evolved over the years to grab our attention.

So why those warnings? People spend their lives, even do PhDs, to find ways to make us read security/privacy notices; after all, there must be something important about them, isn't there? These notices are a way to educate us about the current state of our system and what we can/should do to make it better. A user tends to use a system with the intention of performing his/her task. The greatest problem here is that security is never part of anyone's to-do list. Security is a non-functional property of a system, so its effects are invisible. A firewall might be constantly protecting our system every time we connect to the chaotic world of the internet, but still, we would be completely unaware of that. The same doesn't apply to other forms of updates: for example, if WhatsApp comes up with a cool new sticker feature, we will update it immediately. With the advent of new malware, the computer needs to learn about the ways to tackle it, and thus there is a need to constantly remind the user about the security of the system, the importance of which (unfortunately) is usually taken into account only once the damage has been done.

Security warnings have evolved over the years, and the reason is that the mindset of people is changing with each generation. The attention span of baby boomers is supposed to be 12 minutes, Generation X's 6 minutes, millennials' 12 seconds and Gen Z's 8 seconds. This reduction in attention span, or rather a switch towards selective reading, makes it more and more difficult to get the user to read the warnings. The initial notices consisted of plain text that provided a lot of details, which might just confuse the user. In such cases, the user needs to make extra effort to learn more about the issue. Over the years these problems have been studied, and more visually appealing and attention-grabbing security warnings have been developed.

Let’s take the following example:

Example 1: Classic email attachment notification
Example 2: Security notice of most desktop applications
Example 3: Web browser security warning

Among the above three examples, which one do you feel is better? The first one is a classic example of a notice that we see when we download an attachment. From the text, one can't really extract any useful information on which to base a decision. The second one is a security warning that we see in most of our desktop applications. It is better than the first example, as the icon seems to be more relevant and eye-grabbing. Also, the important text is highlighted. The user, in this case, knows that something is wrong but has no idea what decision to take in such a situation. By default, the 'No' button is highlighted, but still, a better understanding of the problem is required. In the third example (taken from a CMU research paper), we find that there is a significant improvement in both the language and the visual appeal. Reading through this notice, we feel as if there is someone sitting beside us guiding us through the problem, its implications and what needs to be done about it.

Apart from providing the necessary information, the main aspect of a warning is to grab attention. Developers have tried many interesting ways of grabbing attention, like a walking dino talking about security and privacy, a chatty ML assistant, animated pop-ups, etc. We also have browser extensions like 'Terms of Service; Didn't Read' that highlight the important security and privacy aspects of a website. There is ongoing research work regarding the presentation of the textual information as a table or a graph. All these ideas have their own merits and have been successful in grabbing attention. I learned about an interesting way to grab people's attention in my UPS class. People have a tendency to pay attention to other people's lives (no wonder Facebook is a hit). Integrating this mentality into security warnings might prove to be very effective. When people come to know that most of their friends have updated their software to the newest version or are using the new two-factor authentication, that kind of information would definitely grab attention and make the users think it over.

At the end of the day, the aim of a pop-up or a warning is to make people not only think about but also act upon the security of a system. As for the conclusion, I feel that with time we will be seeing fewer and fewer update pop-ups and more privacy pop-ups. The reason is that many software companies are moving to cloud platforms and are constantly in contact with their applications via the internet, so the software is updated automatically, giving users very limited control over it. Some of these applications include the Facebook and Google mobile apps. A move to a cloud platform makes the cloud provider responsible for the privacy of the data, so providers must plan a way to convey their privacy policy in a more efficient manner.