Why We Disregard Security Warnings
Information systems researchers found nearly 90 percent of people ignore important security messages if they come at the wrong times
PROVO, Utah – Aug 18, 2016 – Software developers listen up: if you want people to pay attention to your security warnings on their computers or mobile devices, you need to make them pop up at better times.
A new study from BYU, in collaboration with Google Chrome engineers, finds the status quo of warning messages appearing haphazardly—while people are typing, watching a video, uploading files, etc.—results in up to 90 percent of users disregarding them.
Researchers found these times are less effective because of “dual task interference,” a neural limitation where even simple tasks can’t be simultaneously performed without significant performance loss. Or, in human terms, multitasking.
“We found that the brain can’t handle multitasking very well,” said study coauthor and BYU information systems professor Anthony Vance. “Software developers categorically present these messages without any regard to what the user is doing. They interrupt us constantly and our research shows there’s a high penalty that comes by presenting these messages at random times.”
For example, 74 percent of people in the study ignored security messages that popped up while they were on the way to close a web page window. Another 79 percent ignored the messages if they were watching a video. And a whopping 87 percent disregarded the messages while they were transferring information, in this case, a confirmation code.
“But you can mitigate this problem simply by finessing the timing of the warnings,” said Jeff Jenkins, lead author of the study appearing in Information Systems Research, one of the premier journals of business research. “Waiting to display a warning to when people are not busy doing something else increases their security behavior substantially.”
For example, Jenkins, Vance and BYU colleagues Bonnie Anderson and Brock Kirwan found that people pay the most attention to security messages when they pop up in lower dual task times such as:
- After watching a video
- Waiting for a page to load
- After interacting with a website
The authors realize this all seems pretty common sense, but timing security warnings to appear when a person is more likely ready to respond isn't current practice in the software industry. Further, they’re the first to show empirically the effects of dual task interference during computer security tasks. In addition to showing what this multitasking does to user behavior, the researchers found what it does to the brain.
For part of the study, researchers had participants complete computer tasks while an fMRI scanner measured their brain activity. The experiment showed neural activity was substantially reduced when security messages interrupted a task, as compared to when a user responded to the security message itself.
The BYU researchers used the functional MRI data as they collaborated with a team of Google Chrome security engineers to identify better times to display security messages during the browsing experience.
Developers of the Chrome Cleanup Tool, a security message in Google Chrome for Windows, were so impressed with the BYU research they added improving the timing of the security message to the list of things to add to Chrome.
“A lot of things I do research on I think, someday, somebody might change some small thing,” Anderson said. “But this could really affect a lot of people if I have Google making changes to their Chrome browser based on my research. That’s really great.”
Media Contact: Todd Hollingshead (801) 422-8373
Writer: Todd Hollingshead