Why people ignore security alerts up to 87% of the time

Developers, your security warnings are messing with people’s brains, and not in a good way.

In fact, given the poor timing of security warnings popping up, most people – we’re talking about up to 87% in some cases – ignore them.

Ignore, as in, researchers have found that scarcely any brain activity shows up when they measured test subjects via FMRI (functional magnetic resonance imaging) as security warnings interrupted those subjects while they were trying to do other things, such as input their login or enter a validation code.

The conclusion comes from a paper published in an Institute for Operations Research and the Management Sciences (INFORMS) journal on Thursday by researchers from Brigham Young University in Utah and the University of Pittsburgh in Pennsylvania.

The problem, more or less, is one of systems fatigue, the researchers said. As it is, “System-generated alerts are ubiquitous in personal computing,” as well as in our proliferating mobile devices.

Those systems are there to help users by providing timely information designed to protect us, but the researchers found that they come at a “high cost in terms of increased stress and decreased productivity.”

That’s due to what’s called dual-task interference (DTI), a “cognitive limitation in which even simple tasks cannot be simultaneously performed without significant performance loss.”

In other words, multitasking.

It’s important to understand when, exactly, security warnings are heeded and when they’re ignored, the researchers said, because not heeding such alerts can introduce critical vulnerabilities in information security and privacy.

Research has already established that when trying to do multiple tasks, people’s performance sags, even when the tasks are neither physically incompatible with each other nor intellectually challenging.

As it is, there are some security alerts that demand immediate attention, such as browser SSL warnings, and others that don’t, including alerts about software updates, backups, and malware scan notifications.

But regardless of how important an alert, it’s still often ignored.

Medial temporal lobe, we’re blaming this on you. Known as the MTL, this brain region is associated with what’s called long-term declarative memory, which is what we use to store information over long periods of time – longer than 15 to 30 seconds – without constantly repeating it to remember.

That’s the spot in our brain where security training, even very recent training, lives.

High DTI means we can’t meet the demands of multiple tasks in that part of our brains. It turns into a bottleneck.

The higher the DTI, the less the brain can spare time and effort for security alerts.

To test their hypotheses, they had participants respond to some security warnings that interrupted something else they’d been doing – a primary task – and some that didn’t interrupt.

The primary task in their tests was to have participants memorize or encode a 7-digit code. The researchers gave their subjects a short time to “rehearse” the code – i.e., repeat it until they had it down – and then asked them to recall it.

They chose this task because it mimics what we have to do on the computer: use our working memory to do things like read a web page or search for information, for example. (Working memory calls on MTL brain regions).

Here’s how people’s tendency to ignore security alerts climbs with DTI for specific tasks:

Percentage of disregard for each condition (ranked from lowest to highest DTI)

  • Low-DTI: Waiting for page load – 22.11% disregarded
  • Low-DTI: While processing – 24.47% disregarded
  • Low-DTI: After video – 43.75% disregarded
  • Low-DTI: On first page load – 44.79% disregarded
  • Low-DTI: Switching domains – 46.32% disregarded
  • High-DTI: On the way to close window – 74.47% disregarded
  • High-DTI: While typing – 77.89% disregarded
  • High-DTI: During video – 79.38% disregarded
  • High-DTI: While transferring information – 87.23% disregarded

The takeaway? Do not interrupt people on YouTube or when they’re inputting something!

In a nutshell, this is the researchers’ recommendation for…

How to issue alerts that don’t get ignored

Present security warnings at low-DTI times. You can figure out what those times are by using mouse cursor tracking, for example.

From the paper:

Our findings suggest that although alerts are pervasive in personal computing, they should be bounded in their presentation. The timing of interruptions strongly influences the occurrence of DTI in the brain, which in turn substantially impacts alert disregard.