Developers, your security warnings are messing with people’s brains, and not in a good way.
In fact, given the poor timing of security warnings popping up, most people – we’re talking about up to 87% in some cases – ignore them.
Ignore, as in, researchers have found that scarcely any brain activity shows up when they measured test subjects via FMRI (functional magnetic resonance imaging) as security warnings interrupted those subjects while they were trying to do other things, such as input their login or enter a validation code.
The conclusion comes from a paper published in an Institute for Operations Research and the Management Sciences (INFORMS) journal on Thursday by researchers from Brigham Young University in Utah and the University of Pittsburgh in Pennsylvania.
The problem, more or less, is one of systems fatigue, the researchers said. As it is, “System-generated alerts are ubiquitous in personal computing,” as well as in our proliferating mobile devices.
Those systems are there to help users by providing timely information designed to protect us, but the researchers found that they come at a “high cost in terms of increased stress and decreased productivity.”
That’s due to what’s called dual-task interference (DTI), a “cognitive limitation in which even simple tasks cannot be simultaneously performed without significant performance loss.”
In other words, multitasking.
It’s important to understand when, exactly, security warnings are heeded and when they’re ignored, the researchers said, because not heeding such alerts can introduce critical vulnerabilities in information security and privacy.
Research has already established that when trying to do multiple tasks, people’s performance sags, even when the tasks are neither physically incompatible with each other nor intellectually challenging.
As it is, there are some security alerts that demand immediate attention, such as browser SSL warnings, and others that don’t, including alerts about software updates, backups, and malware scan notifications.
But regardless of how important an alert, it’s still often ignored.
Medial temporal lobe, we’re blaming this on you. Known as the MTL, this brain region is associated with what’s called long-term declarative memory, which is what we use to store information over long periods of time – longer than 15 to 30 seconds – without constantly repeating it to remember.
That’s the spot in our brain where security training, even very recent training, lives.
High DTI means we can’t meet the demands of multiple tasks in that part of our brains. It turns into a bottleneck.
The higher the DTI, the less the brain can spare time and effort for security alerts.
To test their hypotheses, they had participants respond to some security warnings that interrupted something else they’d been doing – a primary task – and some that didn’t interrupt.
The primary task in their tests was to have participants memorize or encode a 7-digit code. The researchers gave their subjects a short time to “rehearse” the code – i.e., repeat it until they had it down – and then asked them to recall it.
They chose this task because it mimics what we have to do on the computer: use our working memory to do things like read a web page or search for information, for example. (Working memory calls on MTL brain regions).
Here’s how people’s tendency to ignore security alerts climbs with DTI for specific tasks:
Percentage of disregard for each condition (ranked from lowest to highest DTI)
- Low-DTI: Waiting for page load – 22.11% disregarded
- Low-DTI: While processing – 24.47% disregarded
- Low-DTI: After video – 43.75% disregarded
- Low-DTI: On first page load – 44.79% disregarded
- Low-DTI: Switching domains – 46.32% disregarded
- High-DTI: On the way to close window – 74.47% disregarded
- High-DTI: While typing – 77.89% disregarded
- High-DTI: During video – 79.38% disregarded
- High-DTI: While transferring information – 87.23% disregarded
The takeaway? Do not interrupt people on YouTube or when they’re inputting something!
In a nutshell, this is the researchers’ recommendation for…
How to issue alerts that don’t get ignored
Present security warnings at low-DTI times. You can figure out what those times are by using mouse cursor tracking, for example.
From the paper:
Our findings suggest that although alerts are pervasive in personal computing, they should be bounded in their presentation. The timing of interruptions strongly influences the occurrence of DTI in the brain, which in turn substantially impacts alert disregard.
10 comments on “Why people ignore security alerts up to 87% of the time”
As a systems administrator supporting around 80 people, I can attest that people ignore security alerts closer to 129% of the time.
Does that mean, “Everyone ignores them, and then 29% ignore them again” 🙂
I meant that they ignore cybersecurity an implausibly high quotient of the time.
But yes to your interpretation as well.
The problem for most people must be how do I identify a genuine alert or a scam? Unless I am as sure as I can be of its validity I ignore them as well. “You have malware on your computer – click here to remove it.’ Most users wouldn’t touch it with a barge pole but how do non savvy people respond? I only respond to warnings from my antivirus program, any other warnings I can’t identify but may need investigating I just close any programs and run a malware and antivirus scan. Not always, but mostly, scams can be spotted in the wording and phraseology.
Simple fix – you set an “inactivity timer”.
I ignore alerts in case they’re a scam.
Pet peeve: alert that says browser can’t verify the certificate of a site. Most of the time, it is just a lack of updated info, but in order to get to that site, I must ignore the alert or switch browsers. So it is teaching me to ignore alerts.
No, it is teaching you that the site has a problem. Outdated certificates are a real issue, and it needs to be fixed.
The fact that it’s common doesn’t make it wrong.
Reminds me of a scene from Futurama, where Bender is powering through junkmail, then outright dismisses an alert in the interest of getting to porn faster.
Those Futurama writers were so, *so* SO brilliant. Incisive social commentary on human behavior mixed with current (or archaic) pop culture references, contextually seamless and relevant to the point where each episode must receive repeat viewings to notice all of them.