People Ignore Software Security Warnings Up To 90% of the Time, Says Study

An anonymous reader quotes a report from Phys.Org: A new study from BYU, in collaboration with Google Chrome engineers, finds the status quo of warning messages appearing haphazardly -- while people are typing, watching a video, uploading files, etc. -- results in up to 90 percent of users disregarding them. Researchers found these times are less effective because of "dual task interference," a neural limitation where even simple tasks can't be simultaneously performed without significant performance loss. Or, in human terms, multitasking. For example, 74 percent of people in the study ignored security messages that popped up while they were on the way to close a web page window. Another 79 percent ignored the messages if they were watching a video. And a whopping 87 percent disregarded the messages while they were transferring information, in this case, a confirmation code. For example, Jenkins, Vance and BYU colleagues Bonnie Anderson and Brock Kirwan found that people pay the most attention to security messages when they pop up in lower dual task times such as: after watching a video, waiting for a page to load, or after interacting with a website. For part of the study, researchers had participants complete computer tasks while an fMRI scanner measured their brain activity. The experiment showed neural activity was substantially reduced when security messages interrupted a task, as compared to when a user responded to the security message itself. The BYU researchers used the functional MRI data as they collaborated with a team of Google Chrome security engineers to identify better times to display security messages during the browsing experience.

Do they really ignore them?

I get various security errors/warnings occasionally. Usually they are informing me that security that I did not care about is not present. For example, a warning about a self signed cert on a website that I wouldn't mind using over plain text: that still more secure than plain old http, so I click off the warning. If it is a site that I normally trust and give personal information to (like log in), I don't mind using it when the security is broken, but I won't hand over private data. Continuing despite a warning is not necessarily ignoring it.

Re:Do they really ignore them?

[ruir]

It is far more serious than being clunky...many are unnecessarily intrusive. Why should a warning steal the keyboard focus, specially while I am using it? Why could it not be a floating warning only? If some non fatal errors where not seen by the user as a nuisance to be dealt with, maybe more "brain power" could go into processing them?

Re:That's an easy one.

[DNS-and-BIND]

You laugh, but damn that is shockingly accurate. "Change your behavior so the software works right" used to be absurd, but today it is apparently the default response from support. Remember Apple's "you're holding it wrong" debacle?