People ignore software security warnings up to 90 percent of the time

Public Release: 17-Aug-2016

 

Why? Poor timing

Brigham Young University

IMAGE

IMAGE: A security message from the Google Chrome Cleanup Tool is shown.

Credit: Google Chrome

Software developers listen up: if you want people to pay attention to your security warnings on their computers or mobile devices, you need to make them pop up at better times.

A new study from BYU, in collaboration with Google Chrome engineers, finds the status quo of warning messages appearing haphazardly–while people are typing, watching a video, uploading files, etc.–results in up to 90 percent of users disregarding them.

Researchers found these times are less effective because of “dual task interference,” a neural limitation where even simple tasks can’t be simultaneously performed without significant performance loss. Or, in human terms, multitasking.

“We found that the brain can’t handle multitasking very well,” said study coauthor and BYU information systems professor Anthony Vance. “Software developers categorically present these messages without any regard to what the user is doing. They interrupt us constantly and our research shows there’s a high penalty that comes by presenting these messages at random times.”

For example, 74 percent of people in the study ignored security messages that popped up while they were on the way to close a web page window. Another 79 percent ignored the messages if they were watching a video. And a whopping 87 percent disregarded the messages while they were transferring information, in this case, a confirmation code.

“But you can mitigate this problem simply by finessing the timing of the warnings,” said Jeff Jenkins, lead author of the study appearing in Information Systems Research, one of the premier journals of business research. “Waiting to display a warning to when people are not busy doing something else increases their security behavior substantially.”

For example, Jenkins, Vance and BYU colleagues Bonnie Anderson and Brock Kirwan found that people pay the most attention to security messages when they pop up in lower dual task times such as:

  • After watching a video
  • Waiting for a page to load
  • After interacting with a website

The authors realize this all seems pretty common sense, but timing security warnings to appear when a person is more likely ready to respond isn’t current practice in the software industry. Further, they’re the first to show empirically the effects of dual task interference during computer security tasks. In addition to showing what this multitasking does to user behavior, the researchers found what it does to the brain.

For part of the study, researchers had participants complete computer tasks while an fMRI scanner measured their brain activity. The experiment showed neural activity was substantially reduced when security messages interrupted a task, as compared to when a user responded to the security message itself.

The BYU researchers used the functional MRI data as they collaborated with a team of Google Chrome security engineers to identify better times to display security messages during the browsing experience.