The Psychology of Malware Warnings (and UFOs redux)

I wrote this a while back, but it seems apropos to re-post it:

“Security news seems to be getting progressively worse, faster.
I’m reminded of a quote: “There’s always an alien battle cruiser, or a Korilian death ray… or an intergalactic plague about to wipe out life on this planet.” –Tommy Lee Jones, “Men In Black”

Serious threats are the norm, not the exception. Don’t Panic. Life always seems to manage to keep on going.”

OK, so —

If you’re writing malware warnings, the warning text should:
a) include a clear and non-technical description of the horrible things that will happen if you disregard it
b) include an “informed direct warning given from a position of authority”

At least, that’s the conclusion from Ross Anderson’s latest paper (which was actually first-authored by David Modic, but he’s not half as famous).

Looking at which warnings were most effective at getting users to not infect their computers with malicious software, they found the phrasing mattered a lot.

Besides the above points, concrete warnings were more effective than vague ones, the “soft sell” worked better than “you’re gonna die!”, and social influence (“some of your friends may already have been scammed!”) didn’t work well at all.

Speaking of alien battle cruisers and Korilian death rays: are aliens the new terrorists? Will a “War on UFOs” be the new excuse for taking away even MORE civil liberties? Ronald Reagan seemed to think so!

“As president, Reagan more than once assured Soviet premier Mikhail Gorbachev that an interstellar threat would unite U.S. and Soviet societies.”

Apropos: “The people can always be brought to the bidding of the leaders. That is easy. All you have to do is tell them they are being attacked…” (
