Why do security warnings go unheeded? Users’ brains

If you think your users are terrible at noticing security issues, you may be right. But before you go blaming them, just know this: Most warnings go unheeded not because users aren’t paying attention, but because they’re focusing on something else – doing their jobs.

That may be an oversimplification, but a new study shows it could be a reason why system-generated alerts (such as pop-ups warning of security issues) go unnoticed. Brigham Young researchers conducted MRI scans of users as they interacted with system-generated messages. The report, entitled More Harm Than Good? How Messages That Interrupt Can Make Us Vulnerable, takes a scientific approach to the age-old problem of users tuning out security messages.

The research looked at how dual-task interference (DTI), a cognitive condition in which people can’t perform two tasks at the same time without significant performance loss, influences how users interact with these messages, and whether there’s a better way to get users to pay attention to them.

This is nothing new: Researchers have long recognized that users are likely to disregard security messages while focused on a primary task. The popup or warning that tells them they’re about to do something dangerous is dismissed immediately because their attention is on the work they’re doing on the computer.

But this study differed in that it found ways the message could be made more effective. The researchers found that when security warnings were timed to appear after or between critical tasks rather than in the middle of them, users were less likely to disregard them.
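As an added illustration of how a product could act on that finding (this is not code from the study or from the article), here is a hypothetical scheduler that shows warnings guarding an imminent action immediately, but holds advisory warnings raised mid-task until the user signals a task boundary:

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Alert:
    message: str
    blocking: bool   # True if it guards an action the user is about to take


@dataclass
class AlertScheduler:
    """Hypothetical scheduler: blocking alerts are shown at once; advisory
    alerts raised mid-task are held until the user reaches a task boundary."""
    in_task: bool = False
    shown: list = field(default_factory=list)
    pending: deque = field(default_factory=deque)

    def begin_task(self) -> None:
        self.in_task = True

    def end_task(self) -> list:
        """Task boundary: attention is free, so release every deferred alert."""
        self.in_task = False
        released = list(self.pending)
        self.pending.clear()
        self.shown.extend(released)
        return released

    def raise_alert(self, alert: Alert) -> str:
        """Returns 'shown' or 'deferred' so callers can see the decision."""
        if alert.blocking or not self.in_task:
            self.shown.append(alert.message)
            return "shown"
        self.pending.append(alert.message)
        return "deferred"


def demo() -> list:
    """Constructed walk-through: an advisory alert arrives mid-task and waits;
    a blocking alert interrupts; the advisory one surfaces at the boundary."""
    s = AlertScheduler()
    s.begin_task()
    s.raise_alert(Alert("Your password expires in 3 days", blocking=False))
    s.raise_alert(Alert("This download is flagged as malware", blocking=True))
    s.end_task()
    return s.shown
```

The order returned by demo() shows the blocking warning interrupting the task while the advisory one is delivered only once the task ends.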

In other words, “Don’t bother me, I’m busy,” isn’t just a phrase that applies to personal interactions in the office. It’s also what’s going through your mind when you’re getting security popups.

Possible takeaway

The researchers are the true experts here, and anything that follows is the opinion of a non-scientist. Seriously, take everything that’s written from here on out as non-scientific (and if you want good science, read the source paper, not this article).

Since you probably can’t do much to control when system security messages are delivered, take the gist of these findings and apply them in other areas.

If users are tuning out security training, it could be because it’s falling at an inconvenient time. Are they pressed by other deadlines? In the middle of a huge project? If so, your message could be an interruption to that primary task. Ask other department heads when a good time to deliver your message would be; that will also help you get better buy-in.

Also, this is a good reminder that the best security is as unobtrusive as possible. The way to get users to follow policies and not work around your solutions is to make sure these solutions aren’t cumbersome. Think to yourself before settling on a security product, “Is this going to make users frustrated or interrupt their routine?” If so, it may not do much good.