Effective Notification Campaigns on the Web: A Matter of Trust, Framing, and Support
share
Misconfigurations and outdated software are a major cause of compromised websites and data leaks. Past research has proposed and evaluated sending automated security notifications to the operators of misconfigured websites, but encountered issues with reachability, mistrust, and a perceived lack of importance. In this paper, we seek to understand the determinants of effective notifications. We identify a data protection misconfiguration that affects 12.7 Using a subset of 4754 websites, we conduct a multivariate randomized controlled notification experiment, evaluating contact medium, sender, and framing of the message. We also include a link to a public web-based self-service tool that is run by us in disguise and conduct an anonymous survey of the notified website owners (N=477) to understand their perspective. We find that framing a misconfiguration as a problem of legal compliance can increase remediation rates, especially when the notification is sent as a letter from a legal research group, achieving remediation rates of 76.3 compared to 33.9 about a privacy issue. Across all groups, 56.6 the issue, compared to 9.2 factors that lead website owners to trust a notification, show what framing of the notification brings them into action, and how they can be supported in remediating the issue.
READ FULL TEXT
