User experience and security

Have you seen the Google Analytics ad yet? I know it is meant to promote a Google service and has little to do with security, but I quite like the metaphor they use to illustrate how people are trying to just complete their task – buying bread in this example – and how everything else gets in the way.

Security can end up in the way too, and it’s our job as security specialists to recognise that. Regardless of the industry you are working in, chances are people in your company are hired to deliver a productive task. It’s our job to make sure they perform that task in the most frictionless and secure way possible.

Cyber criminals are also aware of this dynamic. I remember working on the case of an online banking trojan that played on people’s desire to use the service. Attackers introduced friction in this process and took advantage of victims’ willingness to click ‘Ok’ on any pop-up just to get to the screen they wanted. A lot of the phishing campaigns use this trick too.

There are grey areas too. Dark Patterns are techniques used in websites and applications that trick you into buying or signing up for things you didn’t want.

Why are they so effective?

Because our attention spans are limited. We tend to glance over a page rather than reading every word. It is natural to make assumptions and some companies trick us by making a page look like it is saying one thing when it is in fact saying something else.

The short video below sums it up well.


