Slashdot Mirror


People Ignore Software Security Warnings Up To 90% of the Time, Says Study (phys.org)

An anonymous reader quotes a report from Phys.Org: A new study from BYU, in collaboration with Google Chrome engineers, finds the status quo of warning messages appearing haphazardly -- while people are typing, watching a video, uploading files, etc. -- results in up to 90 percent of users disregarding them. Researchers found these times are less effective because of "dual task interference," a neural limitation where even simple tasks can't be simultaneously performed without significant performance loss. Or, in human terms, multitasking. For example, 74 percent of people in the study ignored security messages that popped up while they were on the way to close a web page window. Another 79 percent ignored the messages if they were watching a video. And a whopping 87 percent disregarded the messages while they were transferring information, in this case, a confirmation code. For example, Jenkins, Vance and BYU colleagues Bonnie Anderson and Brock Kirwan found that people pay the most attention to security messages when they pop up in lower dual task times such as: after watching a video, waiting for a page to load, or after interacting with a website. For part of the study, researchers had participants complete computer tasks while an fMRI scanner measured their brain activity. The experiment showed neural activity was substantially reduced when security messages interrupted a task, as compared to when a user responded to the security message itself. The BYU researchers used the functional MRI data as they collaborated with a team of Google Chrome security engineers to identify better times to display security messages during the browsing experience.

4 of 125 comments

  1. It's because 90% of security warnings are rubbish by El Cubano · Score: 5, Insightful

    In my experience, 90% of security warnings are rubbish. For example, I recall when UAC came to Windows Vista. I don't ever recall clicking deny/cancel/no (or whatever it was) with the possible exception of a situation like "oops, I meant to click the executable right next to that one."

    Same deal with Java applets. My bank uses a Java applet for depositing checks. I get a warning from the browser every single time, despite selecting the "always trust applets from this publisher" (or something like that option).

    Of course, there are lots of software packages with instructions like "Step 1: Disable your antivirus." or, worse, "Step 1: If you get any security warning dialogs just click to accept them."

    In fact, I've never encountered a single person who can actually point to an occasion where a security dialog alerted them to a real threat that was then neutralized. Even worse, one of the more common warnings (the untrusted SSL certificate/issuer) has confused people even more into thinking that "red address bar means not secure and green lock means secure", when in fact your browser's trust of the certificate's issuer has exactly zero impact on how secure the connection is. We've been conditioned to treat all these warnings as noise. Incidentally, people ignore speed limit signs at least 90% of the time for exactly the same reason: we've been taught that they're meaningless.

  2. It's because you can't right now. by thedarb · Score: 3, Insightful

    You have your documents up, half written, spreadsheets with data you need for on-call, a long running backup in a window you forgot to run in Screen or tmux, and any other number of things that mean you can't reboot right now. Especially if it's going to be a reboot that says "don't turn off your computer, we're messing with shit for 30 minutes." We have bosses breathing down our necks for productivity, there's no time to reboot and wait.

    Besides, it might make me lose my place when browsing imgur. Fuck that! :)

    --
    This sig intentionally left blank.
  3. Developers are at fault by mvdwege · Score: 5, Insightful

    This is all the developers' fault. They are so fucking lazy that they think throwing up a dialog is a solution to the problem. After all, if the user clicks on it, they assented, right?

    Microsoft is by far the worst offender, but they are not alone. And this abdication of responsibility by programmers has trained the users to just blindly click away warnings. And they are right: 99% of the time they are bullshit, a symptom of a problem the developers should have fixed.

    --
    "I know I will be modded down for this": where's the option '-1, Asking for it'?
  4. Re:Do they really ignore them? by Mr D from 63 · Score: 3, Insightful

    This says they ignore the warning 90% of the time, but the article says 90% of users ignore some warnings. Those are two different things. If you craft a study to show warnings that resemble the types of pop-ups crafted to look like warnings that we condition ourselves to ignore, the result is not surprising. If they are on a computer they are familiar with, and the warnings come from their known anti-virus software, the result would likely be different. Basically, people don't trust what they are unfamiliar with.