For most of us, security issues happen to "other people"—we block popup ads, we carefully examine dialog boxes and, for those of us on the Mac platform, we snicker when confronted with something that attempts to mimic a Windows system warning. But everyone knows that they are exceptional—what's the behavior of a more typical user like? Some researchers have tested how college students respond to fake dialog boxes in browser popup windows and found that the students are so anxious to get the dialog out of the way, they click right through obvious warning signs.

The authors, who work in the Psychology Department of North Carolina State University, crafted a set of four fake dialog boxes. All of them contained the following warning: "The instruction at '0x77f41d24 referenced memory at '0x595c2a4c.' The memory could not be 'read.' Click OK to terminate program." One of the warnings was indistinguishable from the standard Windows XP system dialog, but the remaining three were had a number of warning signs that should tip off users to potential malware.

In all cases, mousing over the "OK" button would cause the cursor to turn into a hand button, behavior more typical of a browser control; all dialogs also had minimize and maximize buttons, while a second added a browser status bar to the bottom of the window. Finally, the most blatant one alternated between black text and a white background and a white-on-black theme. All of these should metaphorically scream, "This is not safe!"

The researchers then created a Flash application that would mimic loading a series of medical websites. They told a panel of 42 college students that they were supposed to watch as the sites loaded and then would be asked a series of questions about the sites. Instead, the fake dialogs were loaded in a random order and the users' responses were tracked.

Of the 42 students, 26 clicked the OK button for the "real" dialog. But 25 clicked the same button for two of the fakes, and 23 hit OK on the third (the one with the status bar showing). Only nine of them closed the window—two fewer than had closed the real dialog. In all cases, a few of the users simply minimized the window or dragged it out of the way, presumably leaving the machine's next user at risk.





Even this warning might not have helped

The response time, which tracked how long it took the users to perform any action, was not significantly different among the different dialogs, indicating that there wasn't even any thought expended on evaluating the fakes.

Follow-up questions revealed that the students seemed to find any dialog box a distraction from their assigned task; nearly half said that all they cared about was getting rid of these dialogs. The results suggest that a familiarity with Windows dialogs have bred a degree of contempt and that users simply don't care what the boxes say anymore.

The authors suggest that user training might help more people recognize the risks involved with fake popups and the diagnostic signs of genuine Windows dialogs, but the fact that the students didn't appear to spend any more time evaluating the fake dialogs raises questions as to whether education is enough.

The study will appear in the Proceedings of the Human Factors and Ergonomics Society.