The security threat emanating from macro viruses is currently on the rise. Macros are deactivated by default, but when opening a Microsoft Office document with embedded macros, users are presented with a warning message and a one-click option to activate the macro. The aim of the study was to investigate how users interact with this design, to what extent they are aware of the implications of their choices, and how much they know about macros at all. We designed a mixed-methods experiment consisting of a set of benchmark tasks, knowledge questions, and interviews, which we conducted remotely. To avoid priming participants, the study was advertised as a performance test of a new Outlook Plugin. 36 participants were presented with a naturalistic workflow of emails, some of which contained attachments with macros. We captured how participants interacted with warning messages, and whether they enabled macros. In a subsequent interview, we explored their perception of what had happened, and why they had chosen to enable macros. We found that 63.9% of the participants unnecessarily enabled at least one macro when seeing the messages, and that most did not have an accurate mental model of how macros work or the risks associated with opening them. We discuss what elements lead to the enabling of macros and examine them from different perspectives.
CITATION STYLE
Gutfleisch, M., Peiffer, M., Erk, S., & Sasse, M. A. (2021). Microsoft office macro warnings: A design comedy of errors with tragic security consequences. In ACM International Conference Proceeding Series (pp. 9–22). Association for Computing Machinery. https://doi.org/10.1145/3481357.3481512