PINDROP BLOG

Your Brain Is Bad at Security

OAKLAND–Security teams are constantly frustrated by users who ignore warnings about phishing sites, bad certificates, or malware, and simply click through to get wherever they were going. It turns out that behavior probably isn’t the users’ fault. It’s just human nature.

There are many reasons why this behavior persists, even when users are told in no uncertain terms that continuing to a site or downloading a browser extension will harm their computer. Much of it has to do with the fact that humans aren’t very good at doing more than one thing at a time, despite the modern emphasis on multitasking. In fact, people are pretty bad at handling multiple tasks at once.

“Most people think they’re good at multitasking, but the truth is we’re all bad at it, and in security that has serious implications,” Anthony Vance, an associate professor of information systems at Brigham Young University, said in a talk on neuroscience and usable security at the Enigma conference here Tuesday.

Vance studies the way the brain responds to certain inputs, especially when there is more than one at a time. When a person tries to do two things at once, his effectiveness at both tasks can drop, a phenomenon known as dual-task interference (DTI). In his work, Vance has found that people are significantly worse at responding appropriately to a browser security warning when they are performing other tasks on the computer than when the warning arrives while they are idle. So he worked with engineers on Google’s Chrome team to find better moments to display warnings, such as when a video has finished playing or while a page is loading.

“Our security UI should be compatible with the way our brains work.”

“Users in low DTI environments were significantly less likely to ignore the message,” Vance said. “The brain isn’t good at handling interruptions. The timing of a security warning really does make a difference.”

Another reason that users often ignore security warnings is simply that they have become inured to them. Vance said that as users become habituated to seeing a given warning, they are more and more likely to ignore it.

“With each display of a warning, we pay less and less attention to it,” he said. “Frequent notifications likely contribute to people ignoring rare warnings.”

Vance experimented with showing users security warnings that move in one way or another, zooming in or shifting around the page, and found that it made quite a difference in how likely people are to pay attention to the warning.

“Habituation happens at a substantially slower rate when the warning moves somehow. Updating the appearance of a security UI makes a real difference,” he said. “We learn at an early age that the way to get things done on a computer is to dismiss any pop-ups. We need to design security messages to be visually distinct. Our security UI should be compatible with the way our brains work.”

Image: Dierk Schaefer, CC BY license