People Ignore Software Security Warnings Up To 90% of the Time, Says Study (phys.org)

An anonymous reader quotes a report from Phys.Org: A new study from BYU, in collaboration with Google Chrome engineers, finds the status quo of warning messages appearing haphazardly -- while people are typing, watching a video, uploading files, etc. -- results in up to 90 percent of users disregarding them. Researchers found these times are less effective because of "dual task interference," a neural limitation where even simple tasks can't be simultaneously performed without significant performance loss. Or, in human terms, multitasking. For example, 74 percent of people in the study ignored security messages that popped up while they were on the way to close a web page window. Another 79 percent ignored the messages if they were watching a video. And a whopping 87 percent disregarded the messages while they were transferring information, in this case, a confirmation code. For example, Jenkins, Vance and BYU colleagues Bonnie Anderson and Brock Kirwan found that people pay the most attention to security messages when they pop up in lower dual task times such as: after watching a video, waiting for a page to load, or after interacting with a website. For part of the study, researchers had participants complete computer tasks while an fMRI scanner measured their brain activity. The experiment showed neural activity was substantially reduced when security messages interrupted a task, as compared to when a user responded to the security message itself. The BYU researchers used the functional MRI data as they collaborated with a team of Google Chrome security engineers to identify better times to display security messages during the browsing experience.


  1. Do they really ignore them? by Anonymous Coward · · Score: 4, Interesting

    I get various security errors/warnings occasionally. Usually they are informing me that security that I did not care about is not present. For example, a warning about a self-signed cert on a website that I wouldn't mind using over plain text: that's still more secure than plain old http, so I click off the warning. If it is a site that I normally trust and give personal information to (like log in), I don't mind using it when the security is broken, but I won't hand over private data. Continuing despite a warning is not necessarily ignoring it.

    1. Re:Do they really ignore them? by Z00L00K · · Score: 2

      I agree - and when I get a security warning for my own stuff signed with a self-signed certificate I also happily skip it.

      The problem with security warnings is that they are too clunky.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    2. Re: Do they really ignore them? by Mortimer82 · · Score: 2

      Oh, so you're manually inspecting the self-signed certificate every time you visit your website? If not, then how do you know nobody is intercepting your communication, making your self-signed certificate as useless as having no encryption at all? What you should do is add your known self-signed certificate to your local certificate store, which means that the warnings will stop, unless there is an actual attack or change in configuration, which you absolutely do want to be warned about.

    3. Re:Do they really ignore them? by ruir · · Score: 3, Interesting

      It is far more serious than being clunky... many are unnecessarily intrusive. Why should a warning steal the keyboard focus, especially while I am using it? Why could it not be a floating warning only? If some non-fatal errors were not seen by the user as a nuisance to be dealt with, maybe more "brain power" could go into processing them?

    4. Re:Do they really ignore them? by Mr+D+from+63 · · Score: 3, Insightful

      This says they ignore the warning 90% of the time, but the article says 90% of users ignore some warnings. Those are two different things. If you craft a study to show warnings that resemble the types of pop-ups crafted to look like warnings that we condition ourselves to ignore, the result is not surprising. If they are on a computer they are familiar with, and the warnings come from their known anti-virus software, the result would likely be different. Basically, people don't trust what they are unfamiliar with.

    5. Re: Do they really ignore them? by Sloppy · · Score: 2

      Oh, so you're manually inspecting the self-signed certificate every time you visit your website? If not, then how do you know nobody is intercepting your communication, making your self-signed certificate as useless as having no encryption at all?

      No, and he didn't imply that. Here are several situations, in increasing order of security.

      1) The connection is not encrypted or signed. No certs exist. Nobody knows who they're talking to. An active attacker on the network between the two parties can proxy and impersonate each side. A passive attacker, someone who just gets copies of the traffic, while they can't impersonate, can at least read what everyone is saying. No warning. (?!)

      2) The connection is encrypted, but with unknown parties' public keys. Certs exist but are essentially worthless. An active attacker on the network between the two parties can proxy and impersonate each side. A passive attacker, someone who just gets copies of the traffic, can't read anything. DANGER! DANGER! FREAK OUT!!

      3) The connection is encrypted, and if you believe certain faceless parties who are totally unaccountable to you and who you don't know anything about, you think you probably know the other side's identity. Active attackers can't do anything, unless they're active enough to coerce or trick the CA. Passive attackers can't read anything. No warning.

      4) The connection is encrypted just like above, but the CA pinky-swears that they really tried hard to make sure. Green URL bar.

      5) As case 3 or 4, but multiple CAs, which might be hard for a single attacker to simultaneously coerce or trick, have all signed the cert. We don't have this in our browsers yet; it's early 1990s level tech that we're still waiting for.

      6) As case 3 but the user has verified the identity through a different channel. No trusted introducer was needed. The cert need not be signed at all, or might be signed by the user himself. No warning, but also no green URL bar. (Yet, this is the very best-possible case, definitely more secure than any other.)

      See anything wrong here? Scenarios 1 and 2 have their warning severities reversed. (And there's also a UI defect at high degrees of security, too, but that's less important.) This trains the user to think of warnings as not necessarily meaning increased severity or risk. A user will adjust to this by ignoring warnings. This is bad communication, and it's making us all a little stupider.

      What you should do is add your known self signed certificate to your local certificate store, which means that the warnings will stop

      He's talking about a situation where it's not known. Adding it to the local store would be inappropriate. That would be an attempt to treat scenario 2 as scenario 6, just to get around a UI bug. It'd be much better to just fix the bug.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
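Mortimer82's suggestion of pinning a known self-signed certificate so the warning only fires on a real change, and Sloppy's scenario 6 (identity verified through another channel), as an added example that is not code from the article or from either commenter: a trust-on-first-use pin check in Python. The store layout and the names check_pin, accept_pin and fetch_leaf_der are assumptions for this illustration.

```python
import hashlib
import socket
import ssl

# Added example, not the article's or any commenter's code: a trust-on-first-use
# (TOFU) pin store that only interrupts when a previously seen certificate changes.
# Store layout is a constructed assumption: {"host:port": {"sha256": hex}}.


def fingerprint_der(der_cert: bytes) -> str:
    """Hex SHA-256 over the DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the server's leaf certificate (needs network; not used by the tests).

    CA validation is deliberately off here because identity is decided by the
    pin store, not by a CA; the bytes returned are only used for fingerprinting.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_pin(store: dict, host: str, port: int, der_cert: bytes) -> str:
    """Classify a connection against the pin store.

    "FIRST_USE"    no pin yet: Sloppy's scenario 2; ask the user to verify the
                   fingerprint out of band before calling accept_pin()
    "PIN_MATCH"    same certificate as last time: scenario 6, no warning needed
    "PIN_MISMATCH" certificate changed: a reissue or an interception; this is
                   the one outcome that should actually interrupt the user
    """
    key = f"{host}:{port}"
    fp = fingerprint_der(der_cert)
    pinned = store.get(key)
    if pinned is None:
        return "FIRST_USE"
    return "PIN_MATCH" if pinned["sha256"] == fp else "PIN_MISMATCH"


def accept_pin(store: dict, host: str, port: int, der_cert: bytes) -> str:
    """Record (or replace) the pin after the user has verified it elsewhere."""
    fp = fingerprint_der(der_cert)
    store[f"{host}:{port}"] = {"sha256": fp}
    return fp


if __name__ == "__main__":
    # Constructed sample certificate bytes; real use would pass fetch_leaf_der(...).
    store = {}
    cert_a, cert_b = b"constructed-cert-A", b"constructed-cert-B"
    print(check_pin(store, "host.example", 443, cert_a))  # FIRST_USE
    accept_pin(store, "host.example", 443, cert_a)
    print(check_pin(store, "host.example", 443, cert_a))  # PIN_MATCH
    print(check_pin(store, "host.example", 443, cert_b))  # PIN_MISMATCH
```

A mismatch is the only state worth a modal interruption; a first-use prompt can be a quiet, non-focus-stealing notice, which is the severity ordering Sloppy argues the browser gets backwards.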
  2. Software Security Warnings: by Anonymous Coward · · Score: 5, Funny

    The "Check Engine Light" of the computer world.

    1. Re:Software Security Warnings: by Z00L00K · · Score: 5, Funny

      Yup - the engine is still there.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  3. That's an easy one. by EzInKy · · Score: 5, Funny

    There are just way too many of them and they are simply too hard for a normal user to evaluate whether the risk is truly severe or just another attempt of somebody to fleece them.

    Health care example:

    Monitor shows the patient is in asystole. On assessment the patient is alert, talking, and in no apparent distress. Diagnosis is it is the equipment, not the patient, who disturbed the night's routine. Outcome? You lecture the patient for exceeding the device's operating parameters and tell him/her to quit moving and perspiring so that the monitoring devices may correctly interpret typical human norms.

    --
    Time is what keeps everything from happening all at once.
    1. Re:That's an easy one. by DNS-and-BIND · · Score: 3, Interesting

      You laugh, but damn that is shockingly accurate. "Change your behavior so the software works right" used to be absurd, but today it is apparently the default response from support. Remember Apple's "you're holding it wrong" debacle?

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    2. Re:That's an easy one. by Wycliffe · · Score: 2

      There are just way too many of them and they are simply too hard for a normal user to evaluate whether the risk is truly severe or just another attempt of somebody to fleece them.

      This. Most users just click through popups. They almost always just click "OK". If you want them to actually read the message then maybe "OK" should default to turning off the computer. Even adults do this, but for kids it's even worse. Adults will typically pause if there is a dollar sign somewhere. Kids will happily click along and click buy on in-app purchases, etc... if it means they can get back to their game.

  4. It's because 90% of security warnings are rubbish by El+Cubano · · Score: 5, Insightful

    In my experience, 90% of security warnings are rubbish. For example, I recall when UAC came to Windows Vista. I don't ever recall clicking deny/cancel/no (or whatever it was) with the possible exception of a situation like "oops, I meant to click the executable right next to that one."

    Same deal with Java applets. My bank uses a Java applet for depositing checks. I get a warning from the browser every single time, despite selecting the "always trust applets from this publisher" (or something like that option).

    Of course, there are lots of software packages with instructions like "Step 1: Disable your antivirus." or, worse, "Step 1: If you get any security warning dialogs just click to accept them."

    In fact, I've never encountered a single person who can actually point to an occasion where a security dialog alerted them to a real threat that was then neutralized. Even worse, one of the more common warnings (the untrusted SSL certificate/issuer) has confused people even more into thinking that "red address bar means not secure and green lock means secure", when in fact your browser's trust of the certificate's issuer has exactly zero impact on how secure the connection is. We've been conditioned to treat all these warnings as noise. Incidentally, people ignore speed limit signs at least 90% of the time for exactly the same reason: we've been taught that they're meaningless.

  5. 90% Of Security Warnings Are Bullshit. by EzInKy · · Score: 2

    Running wrong OS, get a security warning. Running on the wrong hardware, get a security warning. It's no wonder most users see security warnings as overblown BS.

    --
    Time is what keeps everything from happening all at once.
  6. It's because you can't right now. by thedarb · · Score: 3, Insightful

    You have your documents up, half written, spreadsheets with data you need for on-call, a long running backup in a window you forgot to run in Screen or tmux, and any other number of things that mean you can't reboot right now. Especially if it's going to be a reboot that says "don't turn off your computer, we're messing with shit for 30 minutes." We have bosses breathing down our necks for productivity; there's no time to reboot and wait.

    Besides, it might make me lose my place when browsing imgur. Fuck that! :)

    --
    This sig intentionally left blank.
  7. "Hey, watch this!" by PopeRatzo · · Score: 4, Informative

    People ignore all sorts of warnings. It's how we do. There are still people smoking when every single pack of cigarettes they buy has a big sign that says, "These motherfuckers will kill you dead, dummy, and in a really horrible way". What was the last time anyone "closed cover before striking"? A Texas man sees a sign that says, "No Swimming - Alligators." He immediately says, "Man, fuck that alligator", jumps in the water and is instantly eaten by an alligator.

    http://www.unilad.co.uk/video/...

    Chinese-made fireworks have a big-ass label (in English) that says, "Set on ground, light fuse and GET AWAY". Did that stop this guy from putting one in his pants and then blowing himself up? No sir, it did not. Because for human beings, warnings are really just dares.

    https://youtu.be/8Yagjf5B2tw

    --
    You are welcome on my lawn.
  8. Software ignores customer security all of time by Bob_Who · · Score: 2

    Warnings. It's a gimmick in social engineering, really. If we ignore our own security ever, then we can't blame the software for selling us short. It's more of a marketing gimmick and liability issue for the software vendors. They can't possibly save us from ourselves. They can manage to let us fool ourselves if that's our preferred frame of mind. Honestly, we always knew we are not in control, but like a fatal car crash, we just figured it only happened to somebody else. Welcome to denial, it's all the rage - everybody is doing it.

  9. Re:how about false security pop ups? by NotAPK · · Score: 2

    A good example is the way keys are generated automatically for Windows Remote Desktop.

    The system regenerates these automatically every 6 months. There is no way to manage this process (as far as I can tell, links welcome!) so as a user I get semi-regular warnings while connecting to regular hosts that the connection is not secure. At that point I have no way of knowing if the keys simply expired or I am being subjected to a MITM attack... :( What to do?

  10. Re:It's because 90% of security warnings are rubbi by NotAPK · · Score: 2

    I use Sandboxie a lot for software evaluation purposes. However, when I right click an executable and want to choose "Run Sandboxed" that entry is right next to the "Run as Administrator" menu item. Late at night it's easy to click the wrong one, with potentially disastrous* consequences! The UAC prompt saved me a couple of times.

    Since then I've found moving to virtual machines with snapshots has been an easier and safer way for testing unknown software.

    *Time vs time. Everything is backed up and best practices are always followed. But it's always a question of how much time is available to recover.

  11. Trainer to be so by Rande · · Score: 2

    The slightly less than average user can't (easily) tell the difference between a valid security message and a browser popup claiming that something dire will happen unless they click on this message and run this program, so they ignore them all.
    Just last night I had to tell my mother that the browser complaining about being out of date and to upgrade was probably valid.

    Also in the same call, had to try and reassure her that smart meters weren't going to burst into flame and/or make her sick with the power of wireless electromagnetic radiation. ...and she still decided not to get one because of all the random people on the internet claiming they were evil. "But this guy is an M.D. from England! He's got to know all about it, right?"

  12. This is great news! by perfectn · · Score: 2

    This means all we need to do is to give the user 10 warnings and statistically they'll pay attention.

  13. Developers are at fault by mvdwege · · Score: 5, Insightful

    This is all the developers' fault. They are so fucking lazy that they think throwing up a dialog is a solution to the problem. After all, if the user clicks on it, they assented, right?

    Microsoft is by far the worst offender, but they are not alone. And this abdication of responsibility by programmers has trained the users to just blindly click away warnings. And they are right: 99% of the time they are bullshit, a symptom of a problem the developers should have fixed.

    --
    "I know I will be modded down for this": where's the option '-1, Asking for it'?
  14. Missing some context by MistrX · · Score: 2

    What was the security warning about? And what was required of me?
    To me this is kind of the important part in combination with this: "when security messages interrupted a task". As I have learned from my parents, you don't go haphazardly interrupting people with some kind of nonsense. If you do, you can expect to be ignored or be told off. If a security warning is about to inform me that a scheduled scan will start in an hour, or a patch will be downloaded, I'll ignore it. It doesn't require my attention at this time and I was busy with something. It interrupted me with nonsense, so it's annoying me and I clicked it away. Another point of contention is if the message requires me to do something like restarting the system. If I'm in the process of doing something that needs up time (be it from watching a video, to copying files), I will complete that task first. Task prioritization is key here and interrupting me is, again, annoying. Even if it does want me to do something.

    So yeah, I get where these figures come from. Not at all astounding to me.

  15. Re:It's because 90% of security warnings are rubbi by buck-yar · · Score: 2

    The 85% of cars would be driving faster, but since you can't literally drive through the car in front of you, you can only go as fast as the car in front of you.

    The only way to correctly figure the 85th percentile would be to only measure the speeds of cars that had no car around, not being impeded by another car. Counting two cars at the same mph (as the rubber counter does) is bad data, as clearly the person following behind would be driving faster as they caught up to the person.

  16. Re:It's because 90% of security warnings are rubbi by AmiMoJo · · Score: 2

    UAC was actually designed to be bad. Microsoft wanted to change developers' behaviour, stop them making every app install a background task that starts at boot, dumping files all over the place and generally behaving badly. But at the same time they didn't want to break backwards compatibility, so UAC was invented.

    UAC annoys the user. Developers try to avoid creating UAC prompts that annoy their customers. By the time Windows 7 rolls around, most apps are better behaved. Unfortunately, people are also de-sensitized to UAC warnings.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  17. Why is our society so stupid? by alternative_right · · Score: 2

    Another completely obvious fact which somehow industry has overlooked.

    How would this be?

    Well, let's see: each person's career depends on making his boss feel good and not rocking the boat. So the programmer does what he is told, chuckling about how stupid it is every day. His boss does what the committee says is right, shrugging off his frustration. The committee does whatever it can achieve agreement on among its members, while being "safe" because committees are ruled by fear. Its members are doing what they think the CEO wants, and he does what he thinks the shareholder wants, which generally means whatever is easy and inoffensive.

    In this way, we all play "follow the leader" and end up approving stupid ideas because each person is afraid to push back against accepted "knowledge."

    Enjoy your dysfunctional GUIs, badly-conceived products, stupid movie sequels and other committee output.