Browser and other types of security warnings generally don’t stop computer users in their tracks, especially when they’re in the middle of some task. Clicking through them seems to be the accepted response, rather than halting to evaluate the situation.
Researchers at Brigham Young University recently published a study of how computer users engage with and react to such alerts. They applied neuroscience to better understand why people click through to potential trouble ahead, and to improve the quality of the alerts.
The conclusions reached in the BYU study aren’t much different than the experiences of IT security in response to breaches and malware infections. Users aren’t very proactive about security, and only when they’re face-to-face with trouble—such as being hacked—do they react accordingly.
“There are ways we can figure out what’s going on in people’s brains and whether we can change the design of security messages or training, or what we can do once we realize the basic neurological responses that happen when people behave this way,” said Bonnie Anderson, associate professor of information systems at BYU. “What’s going on in their heads when they see these security warnings and choose to ignore them or heed them?”
The experiment, conducted by Anderson, Anthony Vance and Brock Kirwan, was carried out in two stages. The first was survey-based, and Anderson said that users generally swear up and down they will behave securely online, but reality doesn’t match those promises. In the second stage, using their own laptops, subjects were asked to take part in an image-classification study. They were asked to classify images as real or animated, and throughout the experiment, browser warnings similar to those thrown up by Google Chrome in advance of a phishing site, for example, were presented to users. Most ignored those warnings and decided to proceed until they were met with a screen telling them they’d been “hax0red.” An image similar to Anonymous’ Guy Fawkes mask was accompanied by animated skulls and a timer counting down to zero until the files on the machine were supposedly lost forever.
At that point, many subjects panicked, hastily shutting down the laptop, ripping Ethernet cables out or audibly yelling in fear.
“We found they behaved more securely after they’d been hacked,” Anderson said. “They remembered they’d seen these warnings, and to take them seriously. They really were concerned when that thing showed up on their computer.”
The first stage of the experiment also included an EEG (electroencephalography) study built around a psychological exam known as the Iowa Gambling Task, which simulates decision making and was used here to build a risk profile of each subject.
“Most of the time, people are just trying to get through the task they’ve been assigned and these warnings just delay them from accomplishing that task,” Anderson said, adding that the EEG illustrated their neurological responses to fear and measurable changes in responses to the possibility of getting hacked.
“Most people said computer security is important, and it could be bad if [they were hacked] and I try to be safe,” Anderson said. “Then they didn’t do it, which is very common. People say they know what they should be doing, and then they don’t: ‘It’s not clear that if this is a valid warning that something bad would happen. I see a lot of warnings and I’m not sure if any of them are serious.’”
One issue with warnings is that they could be too technical for some users, or just don’t clearly spell out what trouble could lie ahead.
“People don’t know how bad it could be if they ignore this warning and how serious is the damage for any of those things,” Anderson said. “Even advanced computer users sometimes aren’t sure of the risks with any particular action.”
A follow-up study is under review; that research tested different ways of showing subjects warnings and how the brain consumes those messages.
“Our next study found that the brain habituates, it’s seen this warning before and so it doesn’t visually process it like it’s new. It processes it from memory, essentially from cache, instead of re-loading from scratch because it’s saving energy,” Anderson said. “We propose 12 different variations for each of these 20 different messages, and found some more effective than others for retaining attention.”