The Effect of Warning Messages on Secure Behaviour Online: Results from a lab experiment

Abstract

Objective: The level of online security is affected by technical factors, natural events and human behaviour. The purpose of this research is to contribute to policy actions that lead consumers to increase online security. It tests several warning messages based on the literature of behavioural insights that may persuade consumers to behave more securely while online, thus diminishing their chances of suffering a cyber-attack. Methods: A lab experiment was conducted in Spain (n=600). Participants had to make some online shopping decisions, and were assigned a quantity of money. The incentive for participating in the experiment depended on how secure their behaviour was during the purchasing process as regards: choosing a safe connection, providing less information during the sign-up process, choosing a strong password, choosing a trusted vendor, and logging-out. Each decision they made could increase their chances of suffering a cyber-attack at the end of the experiment and losing part of the incentive if it was less safe. Other factors that may affect secure behaviour were measured through a pre-purchase and a post-purchase questionnaire. Findings: Results show that long security messages and messages accompanied by a male anthropomorphic character will lead consumers to disclose less personal information when signing-up to an e-commerce website. A loss-framed security message will make subjects choose a trusted vendor over an untrusted one, to log-out after purchasing on an e-commerce website. It will also make them behave more securely, if cyber security is treated as a composite indicator built on three behavioural measures (use trusted sites, use secure passwords and log-out of sites after finishing our session). None of the treatments was effective in making subjects choose a safe connection, or a stronger password. Conclusions: The design of security messages has an effect on security behaviour. The policy implications are that security awareness messages should be carefully designed and piloted before they are implemented. The lack of effect of the messages on choosing a stronger password should be further examined. This result may be related to consumers lacking information on what a strong password is, or lacking knowledge that could help them to relate stronger passwords with more secure behaviour online.