If you speak to most experts in the field, they'll agree on at least one thing: computer security isn't really a technological problem. Although the right software and hardware can help reduce the online threats your company might face, ultimately IT security is a human problem.
And humans, as we all know from personal experience, aren't perfect and are prone to sometimes making bad judgements and mistakes. You can have all the defences in the world in place to protect your organisation's data, but if one of the fleshy human beings you have on your payroll makes a silly mistake, everything can come tumbling down like a deck of cards.
So I was interested to read that researchers at Brigham Young University (BYU) conducted a study into how much attention people pay to the security alerts that appear on their PC - or any kind of pop-up message. After all, if a good security system warns a computer user that something dangerous might have happened or might be about to occur, that's not terribly helpful if the puny-brained human ignores the warning in its entirety.
The study, entitled "More Harm Than Good? How Messages That Interrupt Can Make Us Vulnerable", describes how volunteers had their brain activity measured in an MRI scanner.
The problem, it seems to me, is that we built ourselves multi-tasking operating systems but never took the time to upgrade our own brains to cope.
System-generated alerts are ubiquitous in personal computing and, with the proliferation of mobile devices, daily activity. While these interruptions provide timely information, research shows they come at a high cost in terms of increased stress and decreased productivity. This is due to dual-task interference (DTI), a cognitive limitation in which even simple tasks cannot be simultaneously performed without significant performance loss.
It's well-established that this 'multi-tasking' impacts your attention on the task that was interrupted by the security alert, but what the new study discovered is that there is also a significant impact on how the interrupting task (a security alert in this case) is received. In short, if your focus is elsewhere when an important security warning pops up, there's a good chance (up to 90%) it will be dismissed and completely ignored. For instance, if a security alert appeared while a user was closing a webpage, 74% would dismiss the warning dialog.
Interestingly, the researchers found that users were less likely to ignore/dismiss security warnings if they were timed to appear between primary tasks, rather than interrupting what the user was trying to do. Of course, delaying all warning messages to appear only between the main tasks you perform on your computer is not a wholly satisfactory solution. After all, there are some security warnings that you really do want to inform the user about as quickly as possible.
My completely unscientific guess is that users may be so used to websites sneakily popping up a "Before you go, sign up for our offer" message that they're habitually dismissing them without thinking. That or they're frustrated by PCs constantly nagging them that new security updates are available for installation.
Despite it being 2016, there are still too many security messages asking users to make a decision rather than taking it themselves. Security software needs to stop passing the buck, asking an often untrained user to make decisions they're not qualified to make. If our software got smarter and were able to make good decisions without interrupting our normal computer activity, then we would be less bombarded by messages and less prone to reaching for the "Dismiss" or "Later" button.
In the meantime, good luck with improving your ability to multitask your modern life. It may have unexpected benefits in helping secure your data.