
Why people ignore security alerts up to 87% of the time

Developers, your security warnings are messing with people’s brains, and not in a good way.

In fact, given the poor timing of security warnings popping up, most people (we’re talking about up to 87% in some cases) ignore them.

Ignore, as in, researchers measuring test subjects with fMRI (functional magnetic resonance imaging) found scarcely any brain activity when security warnings interrupted those subjects while they were trying to do other things, such as input their login or enter a validation code.

The conclusion comes from a paper published on Thursday by the Institute for Operations Research and the Management Sciences (INFORMS) at Brigham Young University (BYU) in the US state of Maryland.

The problem, more or less, is one of systems fatigue, the researchers said. As it is, “System-generated alerts are ubiquitous in personal computing,” as well as in our proliferating mobile devices.

Those systems are there to help users by providing timely information designed to protect us, but the researchers found that they come at a “high cost in terms of increased stress and decreased productivity.”

That’s due to what’s called dual-task interference (DTI), a “cognitive limitation in which even simple tasks cannot be simultaneously performed without significant performance loss.”

In other words, multitasking.

It’s important to understand when, exactly, security warnings are heeded and when they’re ignored, the researchers said, because not heeding such alerts can introduce critical vulnerabilities in information security and privacy.

Research has already established that when trying to do multiple tasks, people’s performance sags, even when the tasks are neither physically incompatible with each other nor intellectually challenging.

As it is, there are some security alerts that demand immediate attention, such as browser SSL warnings, and others that don’t, including alerts about software updates, backups, and malware scan notifications.

But regardless of how important an alert, it’s still often ignored.

Medial temporal lobe, we’re blaming this on you. Known as the MTL, this brain region is associated with what’s called long-term declarative memory, which is what we use to store information over long periods of time (longer than 15 to 30 seconds) without constantly repeating it to remember.

That’s the spot in our brain where security training, even very recent training, lives.

High DTI means we can’t meet the demands of multiple tasks in that part of our brains. It turns into a bottleneck.

The higher the DTI, the less the brain can spare time and effort for security alerts.

To test their hypotheses, they had participants respond to some security warnings that interrupted something else they’d been doing (a primary task) and some that didn’t interrupt.

The primary task in their tests was to have participants memorize, or encode, a 7-digit code. The researchers gave their subjects a short time to “rehearse” the code (i.e., repeat it until they had it down) and then asked them to recall it.

They chose this task because it mimics what we have to do on the computer: use our working memory to do things like read a web page or search for information, for example. (Working memory calls on MTL brain regions).

Here’s how people’s tendency to ignore security alerts climbs with DTI for specific tasks:

Percentage of disregard for each condition (ranked from lowest to highest DTI):

  Condition                                       Disregarded
  Low-DTI:  Waiting for page load                 22.11%
  Low-DTI:  While processing                      24.47%
  Low-DTI:  After video                           43.75%
  Low-DTI:  On first page load                    44.79%
  Low-DTI:  Switching domains                     46.32%
  High-DTI: On the way to close window            74.47%
  High-DTI: While typing                          77.89%
  High-DTI: During video                          79.38%
  High-DTI: While transferring information        87.23%

The takeaway? Do not interrupt people on YouTube or when they’re inputting something!

In a nutshell, this is the researchers’ recommendation for…

How to issue alerts that don’t get ignored

Present security warnings at low-DTI times. You can figure out what those times are by using mouse cursor tracking, for example.
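As an added illustration of that recommendation (this is example code written for this page, not code from the researchers or the paper), the scheduler below defers non-urgent alerts while the user is in one of the high-DTI states from the table (typing, watching a video, transferring information, or actively moving the mouse) and releases them once input has been idle for a while. The class name, the activity hooks and the idle threshold are assumptions; in a browser the hooks would be wired to keydown, mousemove, play and pause listeners, which is the cursor-tracking signal the article mentions. Urgent alerts, such as certificate warnings, are never deferred.

```javascript
// Added example: defer non-urgent security alerts to low-DTI moments.
// Names, signals and thresholds are assumptions for illustration.

const IDLE_THRESHOLD_MS = 1500; // assumed: no input for this long counts as low DTI

class AlertScheduler {
  constructor(idleThresholdMs = IDLE_THRESHOLD_MS) {
    this.idleThresholdMs = idleThresholdMs;
    this.lastInputAt = -Infinity; // timestamp of last keystroke or cursor movement
    this.typing = false;          // high-DTI: "While typing"
    this.mediaPlaying = false;    // high-DTI: "During video"
    this.transferring = false;    // high-DTI: "While transferring information"
    this.queue = [];              // deferred, non-urgent alerts
  }

  // Activity hooks; in a browser these are called from input/media listeners.
  recordInput(now) { this.lastInputAt = now; }           // e.g. mousemove
  setTyping(flag, now) { this.typing = flag; if (flag) this.lastInputAt = now; }
  setMediaPlaying(flag) { this.mediaPlaying = flag; }
  setTransferring(flag) { this.transferring = flag; }

  // High DTI if any flagged task is active or input happened very recently.
  isHighDTI(now) {
    if (this.typing || this.mediaPlaying || this.transferring) return true;
    return now - this.lastInputAt < this.idleThresholdMs;
  }

  // Returns the alerts that should be shown right now (possibly none).
  // Urgent alerts bypass deferral; everything else waits for a low-DTI moment.
  submit(alert, now) {
    if (alert.urgent || !this.isHighDTI(now)) return [alert];
    this.queue.push(alert);
    return [];
  }

  // Call periodically (e.g. from a timer); releases queued alerts when DTI is low.
  flush(now) {
    if (this.isHighDTI(now) || this.queue.length === 0) return [];
    const ready = this.queue;
    this.queue = [];
    return ready;
  }
}

// Constructed walkthrough: a software-update alert arrives while the user is
// typing, a certificate warning arrives right after, then the user stops
// typing, nudges the mouse once and finally goes idle.
function demo() {
  const s = new AlertScheduler();
  const shown = [];
  s.setTyping(true, 0);
  shown.push(...s.submit({ id: 'update', urgent: false }, 10)); // deferred
  shown.push(...s.submit({ id: 'tls', urgent: true }, 20));     // shown at once
  s.setTyping(false, 500);
  s.recordInput(900);               // cursor still moving
  shown.push(...s.flush(1200));     // too soon after input: nothing released
  shown.push(...s.flush(2500));     // idle long enough: 'update' released
  return shown.map(a => a.id);      // ['tls', 'update']
}
```

The deferral queue is the only state worth keeping; the thresholds and the set of high-DTI signals are where a real implementation would be tuned against measured disregard rates like those in the table above.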

From the paper:

Our findings suggest that although alerts are pervasive in personal computing, they should be bounded in their presentation. The timing of interruptions strongly influences the occurrence of DTI in the brain, which in turn substantially impacts alert disregard.
