19 Aug 2016
by Lisa Vaas
Developers, your security warnings are messing with people’s brains, and not in a good way.
In fact, given the poor timing of security warnings popping up, most people – we’re talking about up to 87% in some cases – ignore them.
Ignore, as in, researchers found scarcely any brain activity when they measured test subjects via fMRI (functional magnetic resonance imaging) as security warnings interrupted those subjects while they were trying to do other things, such as input their login or enter a validation code.
The conclusion comes from a paper published in an Institute for Operations Research and the Management Sciences (INFORMS) journal on Thursday by researchers from Brigham Young University in Utah and the University of Pittsburgh in Pennsylvania.
The problem, more or less, is one of systems fatigue, the researchers said. As it is, “System-generated alerts are ubiquitous in personal computing,” as well as in our proliferating mobile devices.
Those systems are there to help users by providing timely information designed to protect us, but the researchers found that they come at a “high cost in terms of increased stress and decreased productivity.”
That’s due to what’s called dual-task interference (DTI), a “cognitive limitation in which even simple tasks cannot be simultaneously performed without significant performance loss.”
In other words, multitasking.
Research has already established that when trying to do multiple tasks, people’s performance sags, even when the tasks are neither physically incompatible with each other nor intellectually challenging.
As it is, there are some security alerts that demand immediate attention, such as browser SSL warnings, and others that don’t, including alerts about software updates, backups, and malware scan notifications.
But regardless of how important an alert is, it’s still often ignored.
That’s the spot in our brain where security training, even very recent training, lives.
High DTI means we can’t meet the demands of multiple tasks in that part of our brains. It turns into a bottleneck.
The higher the DTI, the less the brain can spare time and effort for security alerts.
To test their hypotheses, the researchers had participants respond to some security warnings that interrupted something else they’d been doing – a primary task – and some that didn’t interrupt.
The primary task in their tests was to have participants memorize or encode a 7-digit code. The researchers gave their subjects a short time to “rehearse” the code – i.e., repeat it until they had it down – and then asked them to recall it.
They chose this task because it mimics what we have to do on the computer: use our working memory to do things like read a web page or search for information. (Working memory calls on MTL brain regions.)
Here’s how people’s tendency to ignore security alerts climbs with DTI for specific tasks:
Percentage of disregard for each condition (ranked from lowest to highest DTI)
Low-DTI: Waiting for page load – 22.11% disregarded
Low-DTI: While processing – 24.47% disregarded
Low-DTI: After video – 43.75% disregarded
Low-DTI: On first page load – 44.79% disregarded
Low-DTI: Switching domains – 46.32% disregarded
High-DTI: On the way to close window – 74.47% disregarded
High-DTI: While typing – 77.89% disregarded
High-DTI: During video – 79.38% disregarded
High-DTI: While transferring information – 87.23% disregarded
The takeaway? Do not interrupt people on YouTube or when they’re inputting something!
In a nutshell, this is the researchers’ recommendation for…
How to issue alerts that don’t get ignored
Present security warnings at low-DTI times. You can figure out what those times are by using mouse cursor tracking, for example.
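One way a developer could act on this recommendation, as an added example that is not from the paper or the article: a small scheduler that shows urgent warnings immediately and holds deferrable ones until the user is not typing, watching video or transferring data. The class name, the idle threshold and the maximum deferral time are assumptions.

```javascript
// Added example: defer non-urgent security warnings until a low-DTI moment.
// All names and thresholds here are assumptions, not taken from the paper.
class WarningScheduler {
  constructor({ show, now = Date.now, typingIdleMs = 2000, maxDeferMs = 60000 }) {
    this.show = show;               // callback that actually renders a warning
    this.now = now;                 // injectable clock, so the logic is testable
    this.typingIdleMs = typingIdleMs;
    this.maxDeferMs = maxDeferMs;   // never hold a warning longer than this
    this.lastKeystroke = -Infinity;
    this.videoPlaying = false;
    this.transferring = false;
    this.queue = [];
  }

  // Wire these to keydown, play/pause/ended, and submit/upload events.
  noteKeystroke() { this.lastKeystroke = this.now(); }
  setVideoPlaying(on) { this.videoPlaying = on; this.flush(); }
  setTransferring(on) { this.transferring = on; this.flush(); }

  // The article's high-DTI conditions: typing, during video, transferring data.
  isHighDTI() {
    const typing = this.now() - this.lastKeystroke < this.typingIdleMs;
    return typing || this.videoPlaying || this.transferring;
  }

  notify(warning) {
    // Warnings that demand immediate attention (e.g. SSL errors) are never deferred.
    if (warning.urgent || !this.isHighDTI()) return this.show(warning);
    this.queue.push({ warning, queuedAt: this.now() });
  }

  // Call on a timer and on state changes; releases whatever is due.
  flush() {
    const low = !this.isHighDTI();
    const keep = [];
    for (const item of this.queue) {
      const expired = this.now() - item.queuedAt >= this.maxDeferMs;
      if (low || expired) this.show(item.warning); else keep.push(item);
    }
    this.queue = keep;
  }
}
```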
From the paper: