The Effect of Warning Messages on Secure Behaviour Online: Results from a lab experiment

Background Increasing safety and security online can help boost the opportunities for people and businesses to trade, innovate and interact in digital markets. The level of online security is affected by technical factors, natural events and human behaviour. This study contributes to policy initiatives aimed at getting consumers to increase their online security. It tests several warning messages, based on behavioural insights, which could persuade consumers to behave more securely while online, thus diminishing their chances of suffering a cyber-attack.
Methods A lab experiment was conducted in Spain (n=600). Participants had to make some online shopping decisions, and were assigned a quantity of money. An additional variable incentive depended on how secure their behaviour was during the purchasing process. Five security behaviours were observed: choosing a safe connection, providing less information during the sign-up process, choosing a strong password, choosing a trusted vendor, and logging out. Each decision could increase their chances of suffering a cyber-attack at the end of the experiment and losing part of their variable incentive. Other factors that could affect secure behaviour were measured through a pre-purchase and a post-purchase questionnaire.
Findings Results show that long security messages and messages accompanied by a male anthropomorphic character led consumers to disclose less personal information when signing up to an e-commerce website. A loss-framed message made subjects more likely to choose a trusted vendor and to log out of a website after completing a purchase. It also made them behave more securely when security behaviour is treated as a composite indicator built on three behavioural measures (using trusted vendors, using secure passwords and logging out). None of the treatments was effective in making subjects choose a safe connection, or a stronger password.
Conclusions The design of security messages has an effect on security behaviour. The policy implications are that security awareness messages should be designed based on behavioural insights and be piloted before implementation. The lack of effect of the security messages on choosing a stronger password should be further examined. This result may be related to consumers lacking information on what a strong password is, or lacking knowledge that could help them to relate stronger passwords with more secure behaviour online.