Skip to content ↓ | Skip to navigation ↓

If you speak to most experts in the field, they’ll agree on at least one thing: computer security isn’t really a technological problem.

Although the right software and hardware can help reduce the online threats your company might face, ultimately IT security is a human problem.

And humans, as we all know from personal experience, aren’t perfect and are prone to sometimes making bad judgements and mistakes.

You can have all the defences in the world in place to protect your organisation’s data, but if one of the fleshy human beings you have on your payroll makes a silly mistake, everything can come tumbling down like a deck of cards.

So I was interested to read that researchers at Brigham Young University (BYU) conducted a study into how much attention people take of the security alerts that appear on their PC – or any kind of pop-up message.

After all, if a good security system warns a computer user that something dangerous might have happened or might be about to occur, that’s not terribly helpful if the puny-brained human ignores the warning in its entirety.

The study, entitled “More Harm Than Good? How Messages That Interrupt Can Make Us Vulnerable”, describes how volunteers had their brain activity measured in an MRI scanner.

Brain activity

The problem it seems to me is that we built ourselves multi-tasking operating systems but never took the time to upgrade our own brains to cope.

System-generated alerts are ubiquitous in personal computing and, with the proliferation of mobile devices, daily activity. While these interruptions provide timely information, research shows they come at a high cost in terms of increased stress and decreased productivity. This is due to dual-task interference (DTI), a cognitive limitation in which even simple tasks cannot be simultaneously performed without significant performance loss.

It’s well-established that this ‘multi-tasking’ impacts your attention on the task that was interrupted by the security alert, but what the new study discovered is that there is also a significant impact on how the interrupting task (a security alert in this case) is received.

In short, if your focus is elsewhere when an important security warning pops up, there’s a good chance (up to 90%) it will be dismissed and completely ignored.

For instance, if a security alert appeared while a user was closing a webpage, 74% would dismiss the warning dialog.

Warning message

Interestingly, the researchers found that users were less likely to ignore/dismiss security warnings if they were timed to appear between primary tasks, rather than interrupting what the user was trying to do.

Of course, delaying all warning messages to appear only between the main tasks you perform on your computer is not a wholly satisfactory solution. After all, there are some security warnings that you really do want to inform the user about as quickly as possible.

My completely unscientific guess is that users may be so used to websites sneakily popping up a “Before you go, sign up for our offer” message that they’re habitually dismissing them without thinking. That or they’re frustrated by PCs constantly nagging them that new security updates are available for installation.

Despite it being 2016, there are still too many security messages asking users to make a decision rather than taking it themselves. Security software needs to stop passing the buck, asking an often untrained user to make decisions they’re not qualified to make.

If our software got smarter and were able to make good decisions without interrupting our normal computer activity, then we would be less bombarded by messages and less prone to reaching for the “Dismiss” or “Later” button.

In the meantime, good luck with improving your ability to multitask your modern life. It may have unexpected benefits in helping secure your data.

Hacking Point of Sale
  • craig kensek

    Good article. Most people are in denial about their productivity and efficiency going down due to multi-tasking. Those people won’t read this article, though. They’re busy playing Pokemon go

  • disqus_Tgv8PPb9Oy

    This article confirms what I’ve observed in my own behavior. When I’ve been deeply engrossed in some activity that required my full attention and someone phoned, I always tended to give the absolute minimum of attention to the call, and many times hung up without getting important information I could use to call back, like, say, the caller’s phone number. With the advent of computers, I just moved this behavior into the digital age by barely perceiving what a pop-up message is telling me. If I’m any example, the weakest link in IT security definitely IS the ugly bags of water using it.

  • Kevin Holley

    One of the major issues is that these pop-ups can arrive while you are busy typing away. In those circumstances you enter the next key in your text and that goes into the pop up message instead of going into your Word document (etc.). So not only do you dismiss the pop up in an uncertain way, there is also no way to find out what command you actually issued to the pop up, nor what the pop up was all about!

  • TibbyV

    Another problem, I believe, is that people have been trained to close popups without clicking on an action button – especially popups related to browsers – by the prevalence of malware masquerading as a warning message. That’s my personal experience, anyway.