On-screen security alerts don’t work

On-screen security alerts don’t work

Google’s Chrome team helped with the research.

Credit: Brigham Young University

Ever dismiss a security alert because you’re busy doing something? You’re not alone.

Pop-up alerts on computer screens don’t work because they arrive at the wrong times, scientists say.

Despite the popular belief—cultivated perhaps mainly by bosses—that humans can multitask, many believe they can’t. And that hypothesis may be proven, in part, by the discovery that on-screen alerts generally don’t achieve action if one is busy doing something else. The result is an increase in security vulnerabilities.

Computer users are engrossed in tasks when the randomly timed alerts arrive, and it makes them less likely to respond.

+ Also on Network World: How to craft a security awareness program that works +

As anyone in the IT sector knows, users aren’t interested in running a clean-up tool, say, at the best of times, and this new evidence proves that they certainly don’t want to do it when they’re in the middle of watching a video or writing an email, for example, researchers from Brigham Young University (BYU) say.

Interruptive security messages need to be timed better, they say. Three quarters (74 percent) of individuals in the BYU research study “ignored security messages that popped up while they were on the way to close a web page window,” the university’s press release says.

In addition, 79 percent disregarded the alert messages when they were gaping at videos. And, in the kicker for pro-multitasking bosses, almost 90 percent tuned out “while they were transferring information.” In that instance, the information was a confirmation code.

Sending security messages at busy times is “less effective because of ‘dual task interference (DTI).’” That’s “a neural limitation where even simple tasks can’t be simultaneously performed without significant performance loss. Or, in human terms, multitasking,” the release continues.

The solution: Time alerts better

The solution, and easy way to enhance security and reduce vulnerabilities, is “finessing the timing of the warnings,” Jeff Jenkins, lead author of BYU’s Information Systems Research-published study, says in the release. Software developers simply have to get their important, but not immediately imperative alert, to wait.

“Waiting to display a warning to when people are not busy doing something else increases their security behavior substantially,” he says.

And it wouldn’t be that hard. Low DTI times could be identified through mouse cursor-tracking in some cases. For the study, the researchers used a bulky headset MRI scanner.

The timings of automated tasks, such as running antivirus software, is becoming more sensitive to PC activity, though. Security software vendor Bitdefender, for example, claims to scan for malware only when the system is idle.

But as we all know, Microsoft bizarrely chooses to perform some time-consuming patch updates during system startup and shutdown—that’s conceivably when one is busy trying to get to work or busy trying to stop work. It’s not been accomplished during the PC operator’s idle times.

Sky, a European satellite TV provider, performs intrusive hardware updates on its set-top box in the middle of the night, whether the subscriber is watching TV then or not.

In the case of a non-intrusive PC security alert, the developer wouldn’t want the system to be too idle, though—the user could be fast asleep and miss the message.

This article is published as part of the IDG Contributor Network. Want to Join?

Must read: Hidden Cause of Slow Internet and how to fix it
View Comments
Join the discussion
Be the first to comment on this article. Our Commenting Policies