Timing of Browser-Based Security Alerts Could Be Better

New academic research shows that security warnings should be better timed to pop up when computer users are less likely to be multitasking.

Multitasking may be the way of the connected world, but as it turns out, it’s not conducive to secure behavior online.

Academics from Brigham Young University and the University of Pittsburgh came to that conclusion after using functional magnetic resonance imaging (fMRI) to study how the brain reacts to dealing with more than one task simultaneously. The experiments were conducted in the context of browser-based security alerts and determined that poorly timed popup alerts are largely ignored.

The researchers put the blame on a limitation in the brain called dual-task interference (DTI), in which the brain suffers a productivity loss when presented with simultaneous tasks. Users subsequently focus on their primary task rather than the secondary one, which in these experiments was the security alert.

Previous work, the researchers said in their paper, “More Harm Than Good? How Messages That Interrupt Can Make Us Vulnerable,” focused for the first time on how DTI affects these secondary tasks. The researchers concluded that altering the timing of when warnings are shown—at low-DTI times, for example—mitigates the effects of DTI.

“Our findings suggest that although alerts are pervasive in personal computing, they should be bounded in their presentation,” wrote the researchers, Jeffrey L. Jenkins, Bonnie Brinton Anderson, Anthony Vance, and C. Brock Kirwan of BYU, and David Eargle of Pitt. “The timing of interruptions strongly influences the occurrence of DTI in the brain, which in turn substantially impacts alert disregard.”

Using fMRI to measure the brain’s responses during high-DTI times (watching videos, right before closing webpages, or entering credentials), the researchers determined that 90 percent of alerts are ignored. When alerts were simply held until low-DTI times, such as after videos are watched or while waiting for pages to load, the results improved dramatically. Low-DTI times were determined by measuring mouse cursor movements and psychometric measures.

“The effects of DTI can be mitigated by finessing the timing of the interruption. We show that neural activation is substantially reduced under a condition of high DTI, and the degree of reduction in turn significantly predicts security message disregard,” the researchers wrote. “Interestingly, we show that when a message immediately follows a primary task, neural activity in the medial temporal lobe is comparable to when attending to the message is the only task.”

This isn’t the first time these BYU researchers have applied neuroscience to security alerts. In 2014, they studied how users engage and react to security alerts and why they click through them regardless of the content of the warning and potential trouble ahead.

In those experiments, users were asked to classify images as real or animated, and were presented with periodic security warnings. Most users ignored the warnings and continued with the task until they were shown a screen with an ominous figure informing them they were hacked. Only then did they react by shutting down the laptop, ripping out Ethernet cords, and yelling in fear.

For the most recent experiment, the BYU and Pitt researchers collaborated with Google security engineers and used the Google Chrome Cleanup Tool in the work. CCT is a Chrome extension that warns if malware is present and has changed any browser settings. CCT fires off warnings to the user if such an incident has occurred.

The details and methodology of the experiments are explained in the paper, but the conclusion is prominent: DTI is to blame for users’ disregard of security alerts.

“Security message disregard has high practical implications—ignoring security messages often has more severe consequences than completing the primary task,” the researchers wrote. “Because our hypotheses are based on robust theory that is not specifically about security messages, we expect they will hold in other contexts involving security-generated alerts.”
