Email Warning Banners: Are We Using Them Effectively?

By Rob Lelewski, CISA, CRISC, CISM, CCE, CIPM CISSP-ISSMP, EnCE, GCIH

The Nexus  |  Monday, 14 October 2019

Being Warned: Every Day, Every Message

Imagine walking out to your mailbox on a sunny day. Most of us can relate to eagerly awaiting a package containing the latest gadget that you bought online. You reach into the mailbox, leaf though the contents and are likely disappointed that your postal carrier has deposited a pile of bills; it is a tragedy that occurs far too often. You go back inside your home performing some mental math, hoping that you have not broken your budget this month but realize that you spent far too much on classic Neil Diamond vinyl records.

The next day, you perform the same chore you have performed countless times in the past except, this time, there is a man outside your mailbox. He looks at you as you start to retrieve your mail and yells, "THERE MAY BE SOMETHING DANGEROUS IN THERE! BE CAREFUL!" Ignoring the social awkwardness of the situation, you may be more apt to take a closer look at your mail prior to opening it.

And then the next day, and the next, and almost every day thereafter, the same man is outside your mailbox. "THERE MAY BE SOMETHING DANGEROUS IN THERE! BE CAREFUL!"

How many days of this social oddity occurring until you largely ignore this man and show the same caution toward your mail that predated his arrival?


The Internet is littered with examples of major breaches that started with a phishing attack that successfully made it through an organization’s defenses…

The Danger Is Real

There is no question that phishing (and other email-based attacks) is a major information security issue. The Internet is littered with examples of major breaches that started with a phishing attack that successfully made it through an organization's defenses and, ultimately, was clicked on by an end user. As information security departments struggle with the endless wave of phishing attacks, a variety of tools are leveraged to curtail the efficacy of phishing attacks. These tools include leveraging more effective email filters, focusing on user education, and implementing advanced endpoint detection software and other tools.

And Then Came the Warning Banner

Increasingly, organizations have leveraged email warning banners to warn users about the origination of the email (e.g., outside of the organization) or the fact that it contains an attachment. You may have seen these banners, which are normally prepended to the email. A few examples:

  • "Caution: This email came from outside <Organization Name>. Do not open attachments or click on links if you do not recognize the sender."
  • "CAUTION: This email originated from outside of <Organization Name>. DO NOT click on links or open attachments unless you were expecting the email, recognize the sender, and know the content is safe."
  • "THINK BEFORE YOU CLICK ON ATTACHMENTS!"
  • CAUTION: This email originated from outside of the organization! Do not click links, open attachments or reply, unless you recognize the sender's email address and know the content is safe!

These warning banners run the gamut of formatting with some text bolded, highlighted in yellow, and text in red. Fortunately, none flash. Also, some warning banners are prepended to subject lines potentially in concert with a parallel warning banner in the message body.

There is nothing inherently flawed with a warning banner. The premise is simple: You receive an email, it is from an outside source and/or contains an attachment, and the warning banner provides you a nudge to think twice. It is a sound theory.

Groans

Recently, I was chatting with a client about strategies to defend against phishing attacks and, as a part of their defense-in-depth strategy, the client was leveraging warning banners that prepended both the email body and the subject line—standard stuff. The client had a few non-IT personnel who were a part of the meeting and, when the warning banner was described, a collective groan was elicited from the group. Curious, I prodded. It was revealed to me that the majority of email communication for the organization was with external parties and, according to the client (and happily volunteered by those who groaned), roughly 95% of the emails contained the warning banner.

When discussing phishing and warning banners with a different client, we realized that specific departments that are more likely to have communication with external entities, such as accounting (processing bills from external organizations) and sales (communicating with external prospects), saw the vast majority of their emails become flagged. During a conversation with the client, one information security professional confessed that "they pretty much ignore it after a while and it just ends up making their email inboxes larger."

Alarms. So Many Alarms.

In the workforce, users can become fatigued by the abundance of alarms. (Warning banners are one such form of alarm.) Alarm fatigue has been of interest in the medical field, where it remains a critical patient safety issue. Alarm fatigue is defined as desensitization to an alarm stimulus caused by sensory overload, which can cause an alert to be delayed or missed.1 If you have ever had the unfortunate luck to spend any time in a hospital emergency room or intensive care unit, the constant drone of beeps and alarms eventually becomes nothing more than background noise. While a missed alarm in the information security field may cause a breach or other major incident, alarm fatigue in the medical field may cause life-threatening consequences for a patient.

Another example of alarm fatigue involves automakers who, in an effort to make their cars safer, want to help reduce the impact of alarm fatigue.2 Automobiles provide a variety of data points (e.g., speed, fuel, mileage) and can provide alarms to drivers in the forms of low gas warnings, engine maintenance issues or warning of other vehicles in close proximity. These alarms may become drowned out in the process of driving and, as a result, may be ignored, thus making the car less safe. Automakers are attempting to balance the need for an alarm and providing too many alarms.

Connecting fatigue to the information security profession, security fatigue is real and relevant. According to researchers, "security fatigue" is "a threshold at which it simply gets too hard or burdensome for users to maintain security."3 One body of research demonstrated that, "users are tired of being overwhelmed by the need to be constantly on alert, tired of all the measures they are asked to adopt to keep themselves safe, and tired of trying to understand the ins and outs of online security. All of this leads to security fatigue, which causes a sense of resignation and a loss of control."4 One quote from a participant within the aforementioned research speaks volumes about warnings,

I think I am desensitized to it—I know bad things can happen. You get this warning that some virus is going to attack your computer, and you get a bunch of emails that say don’t open any emails, blah, blah, blah. I think I don’t pay any attention to those things anymore because it’s in the past. 5

People get weary of being bombarded by “Watch out for this,” or “Watch out for that.” The result of all this? Research concludes that users are more likely to choose the easiest option and fail to follow security rules, among other less-than-desirable behaviors.

Further addressing the desensitization that can occur with warning banners, another researcher comments that,

One of the most predictable things about our brains is the tendency to adapt to sensory experience. We adapt to smells (ever have a friend who doesn’t know that their house smells like a dog?), we adapt to sounds (that car alarm will just fade from awareness with time until it’s the cessation of the alarm that surprises us), and we even adapt to sights (eventually, I’ll stop noticing the ever-present pile of laundry on the couch). When something is always there, always unchanging, we become desensitized and we stop paying attention.6

Where Does That Leave Us?

At this point, it is prudent to be perfectly clear on my position regarding warning banners. Email warning banners are a perfectly acceptable part of an organization's approach to stymie the risk posed by phishing emails and other email-related threats. It is just one of many ways to reduce the risk posed by phishing emails and, when coupled with user education, limiting privileges on accounts, and other strategies, warning banners find a home among an overall defense-in-depth security strategy.

However, we need to recognize that security fatigue is real, and research has demonstrated that, after a while, email warning banners become a part of the average noise of the workplace, likely to be ignored or discounted by the very people we hope will prioritize them. This may actually cause the inverse of what we hoped to achieve, and employees could become more likely to click on a suspicious email despite seeing a warning banner.

How can we reduce security fatigue while utilizing warning banners? Leveraging prior research, a key theme is to "Limit the decisions users have to make related to security."7 The more decision points faced by end users, the more likely security fatigue will take hold.

With this in mind:

  • First, leverage a risk-based approach when leveraging warning banners that prioritize suspicious domains or are utilized when documents and links are contained within the email. Avoiding an en masse warning banner strategy which would ultimately reduce the number of daily decision points for employees and the corresponding security fatigue.
  • Second, just like we tune our firewall and other alerting platforms, warning banners require periodic tuning to ensure that they are used at the appropriate times and with the appropriate volume. Business operations change and, depending on the impact to the workforce, tuning may be required.
  • Third, consider an employee’s job function and the number of warning banners it may generate. For example, if 95% of your emails come from external sources and a warning banner is applied to 95% of your inbox, prior research argues that leveraging an email warning banner may be counterproductive.

Tone Down That Man Outside Your Mailbox

Obviously, every environment is different; however, security fatigue is real. While email warning banners have their place in a defense-in-depth strategy, consider that a high number of warning banners actually may make your environment less secure, cause security fatigue and condition users to ignore warning banners, and, ultimately, impair the mission of information security.

Rob Lelewski, CISA, CRISC, CISM, CCE, CIPM, CISSP-ISSMP, EnCE, GCIH

Is a team lead for Secureworks’ proactive incident response consulting services and focuses on helping organizations prepare for cybersecurity incidents by creating and reviewing incident response plans, performing tabletop exercises, and conducting other activities to help improve his clients’ security posture. He is a regular contributor to The Nexus and muses about information security topics. All opinions expressed are his own.

Endnotes

1 McCartney, P. R.; “Clinical Alarm Management,” The American Journal of Maternal/Child Nursing, vol. 30, iss. 3, May 2012, p. 202
2 Newcomb, D.: “How Automakers Are Fighting ‘Alarm Fatigue,’” Wired, 25 February 2013
3 Furnell, S.; K. L. Thomson, “Recognising and Addressing ‘Security Fatigue,’” Computer Fraud and Security, vol 9, iss. 11, November 2009, p. 7-11
4 B. Stanton, B.; M. Theofanos; S. Prettyman; S. Furman; "Security Fatigue,” IT Professional, vol. 18, no. 5, September/October 2006, p. 26-32
5 Ibid.
6 Newton, T.; Email exchange, Associate Professor of Psychology, Lenoir-Rhyne University, Hickory, North Carolina, USA, 5 September 2019
7 Op cit Stanton et al.