Slashdot Mirror

← Back to Stories (view on slashdot.org)

MRIs Show Our Brains Shutting Down When We See Security Prompts

Posted by timothy on from the all-persons-in-this-area-subject-to-palpatio-per-anum dept.

antdude writes with this excerpt from Ars Technica: Magnetic Resonance Imaging (MRIs) show our brains shutting down when we see security prompts. The MRI images show a "precipitous drop" in visual processing after even one repeated exposure to a standard security warning and a "large overall drop" after 13 of them. Previously, such warning fatigue has been observed only indirectly, such as one study finding that only 14 percent of participants recognized content changes to confirmation dialog boxes or another that recorded users clicking through one-half of all SSL warnings in less than two seconds.

24 of 79 comments (clear)

  1. What kind of person did they study? by ArcadeMan · · Score: 5, Insightful

    Did they test with dumb regular users who don't understand or don't know better, or did they test people who actually know what those security warnings mean and the real consequences of ignoring them?

    --
    Get free satoshi (Bitcoin) and Dogecoins
    1. Re:What kind of person did they study? by Austerity+Empowers · · Score: 4, Insightful

      What is the purpose of security alerts if not to warn people who don't know any better? For the crowd that gets it, you could flash a brief icon featuring a guy fawkes mask and that'd be sufficient. I also wonder how many of them would click "proceed anyway" if the pr0ns were there...

    2. Re:What kind of person did they study? by duck_rifted · · Score: 4, Insightful

      People in general tend to tune out what they don't understand because they don't have thoughts available to process. We have ALL experienced that -- every last one of us. Doesn't it kind of feel like your brain is busy searching for the right file? Haven't you had instances where you get the same feeling, and then, "Oh yeah!" it clears up? It happens to me any time I'm already preoccupied with something, enter a room for a task, and then get distracted. "Wait... What was I doing?" And it will happen to you with increasingly frequency as you age.

      Let's not call people dumb for this. They need to be taught, or security warnings need to engage them better. I mean, come on, can't we do better than a little dialogue box that spews stuff people don't understand? Give people switches and buttons that have an effect they can SEE and they'll get it. A little graphic depicting what they're giving permission to that changes as the mark or clear a checkbox, with a chance to apply after the selection, would work perfectly. Give their brains the file they can't find.

    3. Re:What kind of person did they study? by khasim · · Score: 5, Insightful

      What is the purpose of security alerts if not to warn people who don't know any better?

      To shift the blame to the end-user when something goes wrong.

      Which is why the alerts are so useless. They, essentially, become a "click here to continue" button.

    4. Re:What kind of person did they study? by frinsore · · Score: 3, Insightful

      While I find the study surprising it is disturbingly logical. And I expect the article's solution would only be temporary (making random drastic changes to the prompts). Personally when I receive a windows escalation prompt I've already made the decision to run the program and the prompt just gets in the way of that, I already trust the program or I wouldn't have run it in the first place. Showing the prompt after the user has decided to run the program is already too late. The warning should be shown on the icon, if in a gui, and preferably the application should have a list of privileges that it needs, like android, instead of a generic "everything".

    5. Re:What kind of person did they study? by sjames · · Score: 2

      Short of tasering the user when they try to click past it, what would you have them do?

      There actually are legitimate reasons to bypass the warnings in most cases.

    6. Re:What kind of person did they study? by dcollins117 · · Score: 5, Interesting

      Did they test with dumb regular users who don't understand or don't know better, or did they test people who actually know what those security warnings mean and the real consequences of ignoring them?

      Hold on, TFA says they note a decrease in visual processing. Perhaps the decrease in visual processing is because the user is using another part of their brain to process the new information, and to appropriately decide what the best response is.

      They also note an "overall" decrease after repeated exposures to the same message, but that's what we do; we learn from experience. That's a feature, not a bug.

    7. Re:What kind of person did they study? by suutar · · Score: 5, Insightful

      Android apps request everything anyway. What I want is a way to say "yeah, I know you want this, but you ain't getting it. Install anyway, and the OS will just pretend that function returns nothing."

    8. Re:What kind of person did they study? by tlhIngan · · Score: 2

      What is the purpose of security alerts if not to warn people who don't know any better? For the crowd that gets it, you could flash a brief icon featuring a guy fawkes mask and that'd be sufficient. I also wonder how many of them would click "proceed anyway" if the pr0ns were there...

      The purpose is because the developer doesn't know how to do it properly.

      The problem is developers don't want to acknowledge the security problem and are just passing it off - it's called Dancing Pigs (or rabbits, whatever) and the basic concept is given a choice, a user will choose one that compromises security every time. If you ask them to click through a warning dialog to get to the pr0n, guess what? They will!

      Plus, there's also an over saturation of warnings. They're like EULAs - the vast majority of people just do not read them.They become just another obstacle in the way to accomplishing what they want.

      The reality is, Dancing Pigs is real, and it's really a tough choice in handling it. Walled gardens is one way, and it can be quite successful, but there's always the edge cases and the "but I wanna do this!" crowd - you can choose to ignore them, or handle them. But even handling them may not be a good choice - see Android's "Allow Non-Play Store Apps" checkbox that's all or nothing. With it checked, you can sideload, but what if you just want to use apps from another store, like say, Amazon? You can't just allow Amazon and block everyone else.

      It's even harder if you want to cater to the average user (who really wants to just get their work done) and those of developers (who want to play with the computer) - you can lock it down, let users get their work done, but the developers will complain of inflexibility. Or you can make it cater to developers, but then users will complain of complexity and "why do I have to learn all this just to do X? Why are you wasting my time making me learn all this extra crap just so I can produce this one report?"

      (Or, for a more cynical take - thank you Mr. Developer, because making me take an extra hour to learn it means I can bill you an extra hour! Yeah, not what you want to see from your lawyer, accountant, mechanic or other person - having that hour billed to YOU...)

    9. Re:What kind of person did they study? by BESTouff · · Score: 2

      There's one answer: CyanogenMod.

  2. Of course by heldal · · Score: 5, Funny

    I want titties, but these stupid alerts keep popping up

  3. Drives IT people nuts by TheReaperD · · Score: 3, Insightful

    I've witnessed this so many times as an IT tech that it's sickening. Even if we're standing there and try explaining it, our words just end up in "don't care" brain bin and they'll click on anything that makes the message go away the fastest. I've even had them click on "yes" then "Ok" on the install even when I was standing there and told them not to. It's like they're "listening" to their mother in law. Irritating as hell.

    --
    "Be particularly skeptical when presented with evidence confirming what you already believe." -
    1. Re:Drives IT people nuts by war4peace · · Score: 5, Insightful

      This behavior doesn't have IT roots. It has "the boy who cried wolf" roots.
      We're surrounded by warnings, all the time. Warning! Wet floor. Warning! 0.5 inches of snow tomorrow. Warning! This beverage might be hot. Warning! This battery might explode if you put it in a microwave.

      No wonder people have their responses to warnings (of all kinds) dulled to non-existence.

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
  4. new medical research read it cancel or allow? by Joe_Dragon · · Score: 2

    new medical research read it cancel or allow?

  5. In defense of users... by Anonymous Coward · · Score: 2, Interesting

    There have been too many times where I have gone to a website I frequent and find their certificate has expired. A couple days later, there may be a sheepish apology from them.

    Then there are warnings about reloading pages because whoever designed the website didn't handle the back button correctly.

    Then there are the redirection warnings because of yet another shitty web design.

    They start to get insensitive about those things. And some of the warnings come in such rapid succession -really? I've had to click away several warnings on top of one another until I just said, "Fuck it! These people are morons. Find someone else."

    Oh, and if a web developer is going to use an advertising company that does crazy shit that kicks off warnings (you know who they are), please, please, go to business school and stop developing.

  6. Information content by Livius · · Score: 4, Interesting

    Obviously their brains will shut down since 99% of 'security' prompts are mere nuisances with no value whatsoever. The brain notices patterns like that pretty quick.

    1. Re:Information content by Pentium100 · · Score: 5, Informative

      Also, the warnings all are very similar even though the problems they warn about are different. Let's take a look at SSL warnings. When a browser puts up the huge warning that there is a problem with SSL, it could mean one of a few things:
      1) The certificate is self-signed. A big problem except for internal sites.
      2) The certificate expired 10 minutes ago or you computer's clock is wrong (not that big a problem).
      3) The certificate is for a different domain. This could be a problem or not, depending on the domain (could be the certificate is issued for www.example.com and I am going to example.com or 127.0.0.1).
      4) The mobile browser does not understand wildcard certificates.

      The problem is that the warnings all look the same and to find out which problem it is, you have to click on the "Technical details" button.

  7. Reflex by Tablizer · · Score: 5, Informative

    Married men learn to ignore nagging.

    --
    Table-ized A.I.
  8. I expect even less brain activity when by burtosis · · Score: 3, Funny

    Slashdotters see a new summary. Gonna fess up here i made it about half way through, got bored and posted.

  9. Anecdotal evidence by jrumney · · Score: 4, Funny

    I was going to post something insightful, but I got a warning from my browser about sending data over an insecure channel to http://slashdot.org and my brain shut down.

  10. License click-throughs by Bing+Tsher+E · · Score: 2

    The more important thing to research is License click-throughs. If it can be determined that the normal human reaction to a License agreement click-through is to punch right through without reading, it won't be hard in a court of law to declare them void. I make it a practice to NEVER read them. Most other people do too. So I can testify to that in court if ever necessary.

  11. Popup messages are completely ineffective by Tony+Isaac · · Score: 4, Informative

    My company had a customer whose nightly backups were failing. Every time every user in the company (hundreds of them) logged in to the system, they were presented with a message pop-up warning that the backups had been failing. This went on for WEEKS before anyone bothered to notify the software vendor (who managed the backup system).

    There seem to be a couple of principles at work here:
    1. Not my job. Everybody at the company knew it wasn't their job to keep the backups working, so they ignored the warning.
    2. In the way. Everybody had something they needed to do, so they simply clicked whatever they had to (the OK button) to get past the prompt and do their work.

    It's like the license agreements on software installers. Everybody just clicks "I Agree" because they know they have to do so to get to the next screen, not necessarily because they actually agree.

    1. Re:Popup messages are completely ineffective by RuffMasterD · · Score: 2

      Doesn't help when software overuses such an annoying feature. A teacher at university actually insisted we respond to every user action with a popup acknowledging the action. User saves a file. Popup: "File saved". Well thank fuck you told me, because there is no way I would have noticed pressing the save button if you hadn't blocked me from doing my thing to show a popup! Or even worse: "Are you sure you want to action X?" where X is benign and completely reversable. Of course I fucking want to do X, I just told you I want to do X, why won't you do X already! I tried to explain to my teacher how I stop reading popups after the second one and how other people probably do the same, so it's better to use context based feedback. Disable the save button or something until there are changes to save again. Use popups only when it's absolutely critical to do so. But no, popups for everything. I see commercial software use this same braindead design. Needless to say, I ignore everything the software tells me, even the critical stuff.

      In the backup scenario you present the users don't care. They pay someone else to care. But if shit hits the fan and they need a recovery, they will demand blood if they don't get what they paid for. Best to send warnings somewhere else instead.

      --
      Human Rights, Article 12: Freedom from Interference with Privacy, Family, Home and Correspondence
  12. Don't give them the option by ebvwfbw · · Score: 2

    Really tired of us in the computer biz enabling people to do stupid things that we can prevent. SSL 3.0 is vulnerable, really sucks. Update it to disable/remove it. If it's disabled, make them swear to God that they really know what they are doing to get it back. Don't let them click through.

    We went through this with the Format command. At first you would type in format a:. Unfortunately format defaulted to your current drive so if you typed in format, it clobbered C:. So they added a "are you sure". C: got clobbered. Then they had us type in the volume name, c: still got clobbered. Fool proof, only idiot resistant.