On-screen security alerts don’t work

Ever dismiss a security alert because you’re busy doing something? You’re not alone.

Brigham Young University

Pop-up alerts on computer screens don’t work because they arrive at the wrong times, scientists say.

Despite the popular belief, cultivated perhaps mainly by bosses, that humans can multitask, many believe they can’t. That hypothesis may be proven, in part, by the discovery that on-screen alerts generally don’t prompt action if the user is busy doing something else. The result is an increase in security vulnerabilities.

Computer users are engrossed in tasks when the randomly timed alerts arrive, which makes them less likely to respond.


As anyone in the IT sector knows, users aren’t interested in running a clean-up tool, say, at the best of times, and this new evidence proves that they certainly don’t want to do it when they’re in the middle of watching a video or writing an email, for example, researchers from Brigham Young University (BYU) say.

Interruptive security messages need to be timed better, they say. Three quarters (74 percent) of individuals in the BYU research study “ignored security messages that popped up while they were on the way to close a web page window,” the university’s press release says.

In addition, 79 percent disregarded the alert messages when they were gaping at videos. And, in the kicker for pro-multitasking bosses, almost 90 percent tuned out “while they were transferring information.” In that instance, the information was a confirmation code.

Sending security messages at busy times is “less effective because of ‘dual task interference (DTI).’” That’s “a neural limitation where even simple tasks can’t be simultaneously performed without significant performance loss. Or, in human terms, multitasking,” the release continues.

The solution: Time alerts better

The solution, and an easy way to enhance security and reduce vulnerabilities, is “finessing the timing of the warnings,” Jeff Jenkins, lead author of BYU’s Information Systems Research-published study, says in the release. Software developers simply have to get their important, but not immediately imperative, alerts to wait.

“Waiting to display a warning to when people are not busy doing something else increases their security behavior substantially,” he says.

And it wouldn’t be that hard. Low DTI times could be identified through mouse cursor-tracking in some cases. For the study, the researchers used a bulky headset MRI scanner.

The timing of automated tasks, such as running antivirus software, is becoming more sensitive to PC activity, though. Security software vendor Bitdefender, for example, claims to scan for malware only when the system is idle.

But as we all know, Microsoft bizarrely chooses to perform some time-consuming patch updates during system startup and shutdown, which is conceivably when one is busy trying to get to work or busy trying to stop work. The updates aren’t performed during the PC operator’s idle times.

Sky, a European satellite TV provider, performs intrusive hardware updates on its set-top box in the middle of the night, whether the subscriber is watching TV then or not.

In the case of a non-intrusive PC security alert, the developer wouldn’t want the system to be too idle, though—the user could be fast asleep and miss the message.
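
A sketch of the timing approach described above, as an added example that is not code from the BYU study or from any vendor: a scheduler that holds non-urgent alerts until input activity pauses, but not once the user has been idle long enough to have left. The thresholds, the class name and the `simulate` helper are assumptions chosen for illustration.

```javascript
// Thresholds are assumptions for illustration, not values from the study.
const QUIET_MS = 2000;       // input pause that suggests a gap between tasks
const AWAY_MS = 60000;       // pause long enough that the user has likely left
const MAX_DEFER_MS = 300000; // never hold a warning longer than this

class DeferredAlertScheduler {
  constructor(show) {
    this.show = show;      // callback that renders the alert
    this.lastInput = null; // time of the latest mouse/keyboard event
    this.queue = [];       // held alerts: { msg, queuedAt }
  }
  // In a browser, call this from mousemove/keydown/scroll listeners.
  recordInput(now) { this.lastInput = now; }

  enqueue(msg, now, urgent = false) {
    if (urgent) return this.show(msg, now, 'urgent'); // imperative: no delay
    this.queue.push({ msg, queuedAt: now });
  }
  // Call on a timer (for example every 500 ms).
  tick(now) {
    const idle = this.lastInput === null ? Infinity : now - this.lastInput;
    const present = idle < AWAY_MS;            // someone is there to read it
    const quiet = present && idle >= QUIET_MS; // paused, but not gone
    this.queue = this.queue.filter((a) => {
      const overdue = now - a.queuedAt >= MAX_DEFER_MS;
      if (quiet) this.show(a.msg, now, 'quiet');
      else if (present && overdue) this.show(a.msg, now, 'deadline');
      else return true; // keep holding
      return false;     // displayed, drop from the queue
    });
  }
}

// Replay a constructed timeline of events and return what was displayed.
function simulate(timeline) {
  const shown = [];
  const s = new DeferredAlertScheduler((msg, at, why) => shown.push({ msg, at, why }));
  for (const e of timeline) {
    if (e.type === 'input') s.recordInput(e.t);
    else if (e.type === 'alert') s.enqueue(e.msg, e.t, e.urgent);
    else s.tick(e.t);
  }
  return shown;
}
```

An alert queued while the user is away stays held until input resumes, and the deadline path fires only when someone is present, so a warning is never shown to an empty chair.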
