The researchers have a word of advice for software developers: for people to pay attention to security warnings, make them appear at more convenient times.
The study found that current warning messages appear almost at random: while people are typing, watching videos, or uploading files. This timing results in up to 90% of users disregarding them.
The findings showed that these times are less effective because of "dual-task interference," a biological limitation that prevents people from performing even the simplest tasks simultaneously (otherwise known as multitasking) without a loss of performance.
"We found that the brain can't handle multitasking very well," said Anthony Vance, study coauthor and BYU information systems professor. "Software developers categorically present these messages without any regard to what the user is doing. They interrupt us constantly and our research shows there's a high penalty that comes by presenting these messages at random times."
In support of this finding, the researchers discovered that 74% of people in the study ignored security messages that popped up while they were about to close a web page window. Another 79% ignored the messages if they were watching a video, and 87% disregarded the messages while they were transferring information.
According to Jeff Jenkins, lead author of the study appearing in Information Systems Research, one of the premier journals of business research, this problem can be lessened by being more deliberate with warning display times.
"Waiting to display a warning when people are not busy doing something else increases their security behavior substantially," said Jenkins.
Jenkins, Vance and the team discovered that people paid the most attention to security messages when they popped up during lower dual-task times, such as after watching a video, while waiting for a page to load, or after any website interaction.
While the authors realize that this seems like common knowledge, timing security warnings to appear when a person is more likely to be ready to respond is not current practice in the software industry. They are also the first to demonstrate empirically the effects of dual-task interference during computer security tasks.
During the experiments, the team used a functional MRI (fMRI) scanner to show that neural activity was substantially reduced when security messages interrupted a task, as compared to when a user responded to the security message itself.
The team showed this data to a group of Google Chrome security engineers in order to identify better times to display security messages during the browsing experience.
Story via BYU.