Why People Ignore Software Security Warnings

Friday, August 19, 2016 @ 04:08 PM gHale


People say they multi-task all the time, but in reality, they are just not any good at it.

Take a software security warning as a good case in point.

If software developers want people to pay attention to security warnings on their computers or mobile devices, they need to make them appear at better times.

RELATED STORIES
Solid-State Batteries Boost Safety
Gathering Data from Smartphones
NoT Model Defines IoT
Fixing an Internet Security Threat

That is because warning messages appearing haphazardly — while people are typing, watching a video, uploading files, etc. — results in close to 90 percent of users disregarding them, according to a study from BYU, in collaboration with Google Chrome engineers.

Researchers found these times are less effective because of “dual task interference,” a neural limitation where even simple tasks can’t be simultaneously performed without significant performance loss. That means people are not good at multi-tasking.

“We found that the brain can’t handle multi-tasking very well,” said study coauthor and BYU information systems professor Anthony Vance. “Software developers categorically present these messages without any regard to what the user is doing. They interrupt us constantly and our research shows there’s a high penalty that comes by presenting these messages at random times.”

For example, 74 percent of people in the study ignored security messages that popped up while they were on the way to close a web page window. Another 79 percent ignored the messages if they were watching a video. And 87 percent disregarded the messages while they were transferring information, in this case, a confirmation code.

“But you can mitigate this problem simply by finessing the timing of the warnings,” said Jeff Jenkins, lead author of the study. “Waiting to display a warning to when people are not busy doing something else increases their security behavior substantially.”

For example, Jenkins, Vance and BYU colleagues Bonnie Anderson and Brock Kirwan found people pay the most attention to security messages when they pop up in lower dual task times such as:
• After watching a video
• Waiting for a page to load
• After interacting with a website

The authors realize this all seems pretty common sense, but timing security warnings to appear when a person is more likely ready to respond isn’t current practice in the software industry. Further, they’re the first to show empirically the effects of dual task interference during computer security tasks. In addition to showing what this multitasking does to user behavior, the researchers found what it does to the brain.

For part of the study, researchers had participants complete computer tasks while an fMRI scanner measured their brain activity. The experiment showed neural activity substantially reduced when security messages interrupted a task, as compared to when a user responded to the security message itself.

The BYU researchers used the functional MRI data as they collaborated with a team of Google Chrome security engineers to identify better times to display security messages during the browsing experience.