If cyber people want us to pay attention to IT security warnings on computers or mobile devices, they have to pop up at better times, according to a study from a US university. A new study from Brigham Young University (BYU), with Google Chrome engineers, finds the status quo of warning messages appearing haphazardly, while people are typing, watching a video, uploading files, and so on, results in up to 90 percent of users disregarding them.
Researchers found these times are less effective because of “dual task interference,” a neural limitation where even simple tasks can’t be simultaneously performed without significant performance loss. Or, in human terms, multitasking.
The study co-author and BYU information systems professor Anthony Vance said: “We found that the brain can’t handle multitasking very well. Software developers categorically present these messages without any regard to what the user is doing. They interrupt us constantly and our research shows there’s a high penalty that comes by presenting these messages at random times.”
For example, 74 percent of people in the study ignored security messages, that popped up while they were on the way to close a web page window. Another 79 percent ignored the messages if they were watching a video. And likewise 87 percent disregarded the messages while they were transferring information, in this case, a confirmation code.
Jeff Jenkins was lead author of the study appearing in Information Systems Research, a journal of business research. He said: “But you can mitigate this problem simply by finessing the timing of the warnings. Waiting to display a warning to when people are not busy doing something else increases their security behavior substantially.”
For example, Jenkins, Vance and BYU colleagues Bonnie Anderson and Brock Kirwan found that people pay the most attention to security messages when they pop up in lower dual task times such as:
After watching a video
Waiting for a page to load
After interacting with a website
The authors realize this all seems pretty common sense, but timing security warnings to appear when a person is more likely ready to respond isn’t current practice in the software industry. Further, they’re the first to show empirically the effects of dual task interference during computer security tasks. In addition to showing what this multitasking does to user behavior, the researchers found what it does to the brain.
For part of the study, researchers had participants complete computer tasks while an fMRI scanner measured their brain activity. The experiment showed neural activity was substantially reduced when security messages interrupted a task, as compared to when a user responded to the security message itself. The researchers used the functional MRI data as they collaborated with a team of Google Chrome security engineers to identify better times to display security messages during the browsing experience.
Developers of the Chrome Cleanup Tool, a security message in Google Chrome for Windows, were so impressed with the BYU research they added improving the timing of the security message to the list of things to add to Chrome.
“A lot of things I do research on I think, someday, somebody might change some small thing,” Anderson said. “But this could really affect a lot of people if I have Google making changes to their Chrome browser based on my research. That’s really great.”
