Perhaps the poor users have been maligned for all these years after all. Security pundits have long decried enterprise and consumer users' tendency to clickety-click their way right through important security warning screens without ever paying heed to the content of the warning. It's a propensity that leaves their machines vulnerable to misconfigurations, makes them easy targets for dangerous attacks that still require user input to download malicious content, and otherwise clears the path for all manner of endpoint-oriented social engineering.
Last week Ars Technica reported on a new scientific study, to be presented later in April, which shows that it isn't actually the users' fault after all. It's just that the system we've set up to warn users about insecure behaviors triggers the brain to ignore those warnings after seeing them more than once. The scientists show that ignoring security warnings is more a function of biology than of willful ignorance.
The experiments revolve around our predisposition for a learned response called habituation, a kind of neurological numbing of the response to repeated exposures to a given stimulus. Just as someone who lives near an airport stops hearing the planes overhead, repeated exposure to things like SSL certificate expiration warnings causes the brain to look right through them. Security teams have known this to be anecdotally true for a while, but now there's science behind how and why it happens.
In a paper called "How Polymorphic Warnings Reduce Habituation in the Brain—Insights from an fMRI Study", scientists analyzed functional magnetic resonance imaging (fMRI) images of users as they were exposed to security warnings.
"Our results show a dramatic drop in the visual processing centers of the brain after only the second exposure to a warning, with further decreases with subsequent exposures," they wrote.
It's their belief that part of the answer to this problem lies in changing how security warnings look, in order to reduce the habituation effect that conventional security warnings produce. The changes they tested included the size and color of the text, the size of the box, the background color of the box, and the border around the box containing the warning. The scientists did note that their research did not examine whether these changes ultimately affect the click-through rate for these warnings; it focused on habituation alone.
It poses some interesting questions for future UI design, though architects may need to consider an unintended consequence of creating polymorphic security warnings. As it is, attackers are already taking advantage of the warning system with attacks such as fake AV campaigns that convince users to heed fake warnings and download malicious 'security' products. If security warnings always look different, it may become even more difficult for users to tell real warnings from phony ones in the long run.