People Ignore Software Security Warnings Up To 90% of the Time, Says Study (phys.org) 125
An anonymous reader quotes a report from Phys.Org: A new study from BYU, in collaboration with Google Chrome engineers, finds the status quo of warning messages appearing haphazardly -- while people are typing, watching a video, uploading files, etc. -- results in up to 90 percent of users disregarding them. Researchers found these times are less effective because of "dual task interference," a neural limitation where even simple tasks can't be simultaneously performed without significant performance loss. Or, in human terms, multitasking. For example, 74 percent of people in the study ignored security messages that popped up while they were on the way to close a web page window. Another 79 percent ignored the messages if they were watching a video. And a whopping 87 percent disregarded the messages while they were transferring information, in this case, a confirmation code. For example, Jenkins, Vance and BYU colleagues Bonnie Anderson and Brock Kirwan found that people pay the most attention to security messages when they pop up in lower dual task times such as: after watching a video, waiting for a page to load, or after interacting with a website. For part of the study, researchers had participants complete computer tasks while an fMRI scanner measured their brain activity. The experiment showed neural activity was substantially reduced when security messages interrupted a task, as compared to when a user responded to the security message itself. The BYU researchers used the functional MRI data as they collaborated with a team of Google Chrome security engineers to identify better times to display security messages during the browsing experience.
Do they really ignore them? (Score:4, Interesting)
I get various security errors/warnings occasionally. Usually they are informing me that security that I did not care about is not present. For example, a warning about a self-signed cert on a website that I wouldn't mind using over plain text: that's still more secure than plain old http, so I click off the warning. If it is a site that I normally trust and give personal information to (like log in), I don't mind using it when the security is broken, but I won't hand over private data. Continuing despite a warning is not necessarily ignoring it.
Re: (Score:3)
I agree - and when I get a security warning for my own stuff signed with a self-signed certificate I also happily skip it.
The problem with security warnings is that they are too clunky.
Re: (Score:2)
Oh, so you're manually inspecting the self signed certificate every time you visit your website? If not, then how do you know nobody is intercepting your communication, making your self signed certificate as useless as having no encryption at all.
99% of the time when I get a signed certificate error, it's to a site where I don't care if it's encrypted. In the 1% of remaining cases, I do look at it and it's usually something like a slightly different domain owned by the same company, a company that forgot to renew their certificate, or some other mundane issue.
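The "manually inspecting the self signed certificate every time" that the question above asks about is exactly what makes a self-signed cert worth anything, and it can be automated as trust-on-first-use pinning. The following is an added example, not code from the thread or from any of the posters: it records the SHA-256 fingerprint of the DER certificate a server presents on first contact and refuses every later connection that presents a different one. The pin file path and the host used in the usage line are assumptions for illustration.

```powershell
# Added example (not from the thread): trust-on-first-use pinning for a self-signed certificate.
# First connection records the SHA-256 fingerprint of the server's DER certificate in $PinFile;
# every later connection must present the same fingerprint or we refuse to talk.
# $PinFile's location is an assumption for illustration.
$PinFile = Join-Path $env:USERPROFILE 'tls-pins.txt'   # one "host:port sha256hex" pair per line

function Get-ServerCertFingerprint {
    param([Parameter(Mandatory)][string]$TargetHost, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($TargetHost, $Port)
    try {
        # Accept anything at the TLS layer; the pin comparison below is the real validation step.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $net = $tcp.GetStream()
        $ssl = [System.Net.Security.SslStream]::new($net, $false, $accept)
        $ssl.AuthenticateAsClient($TargetHost)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        $der  = $cert.GetRawCertData()                       # the certificate exactly as sent on the wire
        $hash = [System.Security.Cryptography.SHA256]::Create().ComputeHash($der)
        return ($hash | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $tcp.Close()
    }
}

function Test-PinnedConnection {
    param([Parameter(Mandatory)][string]$TargetHost, [int]$Port = 443)
    $key  = "${TargetHost}:${Port}"
    $seen = Get-ServerCertFingerprint -TargetHost $TargetHost -Port $Port

    # Load the pin store (host:port -> fingerprint).
    $pins = @{}
    if (Test-Path $PinFile) {
        Get-Content $PinFile | ForEach-Object {
            $k, $v = $_ -split ' ', 2
            $pins[$k] = $v
        }
    }

    if (-not $pins.ContainsKey($key)) {
        # First contact. This is the one moment an interceptor could get itself pinned, so do it on a
        # network you trust and confirm the fingerprint out of band (e.g. on the server's console).
        Add-Content -Path $PinFile -Value "$key $seen"
        Write-Warning "Pinned $key to $seen on first use; verify this fingerprint out of band."
        return $true
    }
    if ($pins[$key] -ne $seen) {
        # Either the operator rotated the cert, or someone is sitting between you and the server.
        # Without a pin you could not tell these apart; with one, at least you know something changed.
        Write-Error "PIN MISMATCH for ${key}: expected $($pins[$key]), got $seen. Not continuing."
        return $false
    }
    return $true
}

# Usage (hostname is an assumption for illustration):
# Test-PinnedConnection -TargetHost 'railroad.example.internal' -Port 443
```

The point of the pin is not to replace a CA but to turn "nobody is intercepting" from a hope into a check: the first connection is the only one you have to trust blindly, and a rotated certificate shows up as a loud mismatch rather than another dialog to click through.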
Re: (Score:2)
So, you "don't care if it's encrypted", why do you care about the warning?
I don't care about the warning. Most warnings are just an annoyance. There are plenty of sites that use encryption that really don't need to. If I'm connecting to a random untrusted site on the internet then what difference does it make that my connection to them is secure or even being intercepted by a second random untrusted site?
Re: (Score:2)
If not, then how do you know nobody is intercepting your communication, making your self signed certificate as useless as having no encryption at all.
It's because I don't give a fuck if someone sees my ridiculously banal "communication" with some model railroading site or the data that goes back and forth while I research shit like piano hinges or crosscut saw blades.
For more sensitive stuff, no, but for crap like that I just can't be bothered to give a fuck.
Re: (Score:3)
No, and he didn't imply that. Here are several situations, in increasing order of security.
1) The connection is not encrypted or signed. No certs exist. Nobody knows who they're talking to. An active attacker on the network between the two parties, can proxy and im
Re: (Score:2)
If nothing else, a self-signed certificate presents a smaller attack surface, and it's a single point of verification if I do care about secure communications.
Re: (Score:2)
The reduced neural activity (when warnings interrupted a task) indicates they are ignoring/dismissing the warning rather than assessing it and deeming it unreasonable.
If they were giving it consideration like you do, there would be roughly equal activity regardless of whether it interrupted their activity.
Along those lines, if that's what you normally do then you are not a typical user.
Re: (Score:2)
There are classes of warnings I deliberately ignore for considered reasons. If I think running something is safe, I just click through UAC warnings without further thought.
Software Security Warnings: (Score:5, Funny)
The "Check Engine Light" of the computer world.
Re:Software Security Warnings: (Score:5, Funny)
Yup - the engine is still there.
Re: (Score:1)
Check your other engine also. [nocookie.net]
That's an easy one. (Score:5, Funny)
There are just way too many of them and they are simply too hard for a normal user to evaluate whether the risk is truly severe or just another attempt by somebody to fleece them.
Health care example:
Monitor shows the patient is in asystole. On assessment the patient is alert, talking, and in no apparent distress. Diagnosis is that it is the equipment, not the patient, that disturbed the night's routine. Outcome? You lecture the patient for exceeding the device's operating parameters and tell him/her to quit moving and perspiring so that the monitoring devices may correctly interpret typical human norms.
Re: (Score:2)
"You're holding it wrong" has nothing to do with "change your behavior so the software works right". The reference was to holding the iPhone so that the hardware worked right. As far as I could tell, while the design was dumb, the issue was not as serious as the press made it out to be, and it is true that some other phones will have problems if you hold them in certain ways.
When I got into the field, more than forty years ago, software was normally written on spec for specific organizations. Where I
Re: (Score:2)
Yeah, because responding with sarcasm to your customer's legitimate issues with a poorly designed product is the right response.
http://www.dslreports.com/show... [dslreports.com]
Also, clearly, the Apple response wasn't sarcasm at least in writing, and it was a silly response too.
Re: (Score:3)
There are just way too many of them and they are simply too hard for a normal user to evaluate whether the risk is truly severe or just another attempt by somebody to fleece them.
This. Most users just click thru popups. They almost always just click "OK". If you want them to actually read the message then maybe "OK" should default to turning off the computer. Even adults do this but for kids it's even worse. Adults will typically pause if there is a dollar sign somewhere. Kids will happily click along and click buy on in-app purchases, etc... if it means they can get back to their game.
Re: (Score:2)
There are just way too many of them
And some of them are fake. There are a lot of ads and malware that mimic a security alert in some way, which only trains users to ignore them faster.
Also, not only do users not know how to evaluate the risk, they don't know how to fix the problem. If an alert pops up and says, "You may have a virus", the user can't tell if that's a scam, a false alarm, or a real problem. Regardless of whether it's real, false, or fraudulent, they don't have any idea what to do about it.
Re: (Score:1)
Because Microsoft started it all.
Re: (Score:1)
From "Genuine Advantage" during the XP days, to UAC of Vista/Win7/Win8/Win10.
Re: (Score:3)
A good example is the way keys are generated automatically for Windows Remote Desktop.
The system regenerates these automatically every 6 months. There is no way to manage this process (as far as I can tell, links welcome!) so as a user I get semi-regular warnings while connecting to regular hosts that the connection is not secure. At that point I have no way of knowing if the keys simply expired or I am being subjected to a MITM attack... :( What to do?
Re: (Score:2)
If you have network-level authentication enabled, RDP requires a certificate.
If you have an enterprise CA that the machine can autoenroll with, it will request one. If not, it will generate a self-signed cert with a 6-month expiration period.
You would have to hit TechNet and read several articles to get it squared away. There are articles that address setting up a primary/intermediate CA infrastructure, configuring autoenrollment, and using Group Policy to configure RDP.
This is for enterprise, of course. Yo
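The "what to do?" above has a concrete first step before any CA work: look at what the listener is actually presenting. The following is an added example, not code from the thread or from the posters; it reads the thumbprint the RDP-Tcp listener is configured with, finds that certificate in the local store, reports whether it is the auto-generated self-signed one and when it expires, and shows how the listener is pointed at a CA-issued certificate instead. It assumes it is run elevated on the server, and the `Set-CimInstance` route for swapping the certificate is the usual WMI approach, stated here as an assumption rather than something the thread verified.

```powershell
# Added example (not from the thread): which certificate is the RDP listener handing out, is it the
# auto-generated self-signed one, and when does it roll over? Run elevated on the server.
# The client-side "connection is not secure" dialog shows a thumbprint under View certificate;
# compare it with what this prints before deciding the warning is just the 6-month rollover.
function Get-RdpListenerCertificate {
    $ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' -ClassName Win32_TSGeneralSetting `
                          -Filter "TerminalName='RDP-Tcp'"
    $thumb = $ts.SSLCertificateSHA1Hash
    # The auto-generated cert lives in the "Remote Desktop" store; CA-issued ones usually in "My".
    $cert = Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop', 'Cert:\LocalMachine\My' `
                          -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
    if (-not $cert) { throw "Listener references thumbprint $thumb but no such cert is in the local store" }
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        SelfSigned = ($cert.Subject -eq $cert.Issuer)   # the auto-generated cert is issued to itself
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter                     # expect roughly 6 months after NotBefore
        DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
    }
}

# To stop the warnings for good, point the listener at a CA-issued cert already in LocalMachine\My
# whose issuing CA the clients trust. Assumption: Set-CimInstance on Win32_TSGeneralSetting is the
# usual WMI route for this; $NewThumbprint is that cert's SHA-1 thumbprint.
function Set-RdpListenerCertificate {
    param([Parameter(Mandatory)][string]$NewThumbprint)
    Get-CimInstance -Namespace 'root\cimv2\TerminalServices' -ClassName Win32_TSGeneralSetting `
                    -Filter "TerminalName='RDP-Tcp'" |
        Set-CimInstance -Property @{ SSLCertificateSHA1Hash = $NewThumbprint }
}

Get-RdpListenerCertificate
```

If `SelfSigned` is true and `NotBefore` is within the last few days, the warning you saw on the client was the scheduled regeneration; if the thumbprint the client showed you is not the one this prints, the client did not talk to this listener, and that is the case worth treating as interception until proven otherwise.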
Re: (Score:2)
Thanks, you've inspired me to look into it in more detail, cheers.
Re: (Score:2)
What does the OS and virus possess? And why should we worry about it?
It's because 90% of security warnings are rubbish (Score:5, Insightful)
In my experience, 90% of security warnings are rubbish. For example, I recall when UAC came to Windows Vista. I don't ever recall clicking deny/cancel/no (or whatever it was) with the possible exception of a situation like "oops, I meant to click the executable right next to that one."
Same deal with Java applets. My bank uses a Java applet for depositing checks. I get a warning from the browser every single time, despite selecting the "always trust applets from this publisher" (or something like that option).
Of course, there are lots of software packages with instructions like "Step 1: Disable your antivirus." or, worse, "Step 1: If you get any security warning dialogs just click to accept them."
In fact, I've never encountered a single person who can actually point to an occasion where a security dialog alerted them to a real threat that was then neutralized. Even worse, one of the more common warnings (the untrusted SSL certificate/issuer) has confused people even more into thinking that "red address bar means not secure and green lock means secure", when in fact your browser's trust of the certificate's issuer has exactly zero impact on how secure the connection is. We've been conditioned to treat all these warnings as noise. Incidentally, people ignore speed limit signs at least 90% of the time for exactly the same reason: we've been taught that they're meaningless.
Re: (Score:2)
Here they only lower the speed limit, but they rarely enforce it so people drive as they see fit.
The few that follow the speed limit cause some "interesting" driving.
Re: (Score:3)
The 85% of cars would be driving faster, but since you can't literally drive through the car in front of you, you can only go as fast as the car in front of you.
The only way to correctly figure the 85th percentile would be to only measure the speed of cars that had no car around, not being impeded by another car. Counting two cars at the same mph (as the rubber counter does) is bad data, as clearly the person following behind would be driving faster as they caught up to the person in front.
Re: (Score:2)
Completely off-topic, but shockingly insightful.
Re: (Score:2)
I'm a civil engineer and I call bullshit. That's how engineering studies recommend speed limits that are then completely ignored by government officials who insist on keeping a stupidly low speed limit "for the children" and for revenue generation.
Re: (Score:3)
I use Sandboxie [sandboxie.com] a lot for software evaluation purposes. However, when I right click an executable and want to choose "Run Sandboxed" that entry is right next to the "Run as Administrator" menu item. Late at night it's easy to click the wrong one, with potentially disastrous* consequences! The UAC prompt saved me a couple of times.
Since then I've found moving to virtual machines with snapshots has been an easier and safer way for testing unknown software.
*Time vs time. Everything is backed up and best practi
Re: (Score:1)
Take your "browser's trust of the certificate's issuer has exactly zero impact on how secure the connection is". That feels pretty true to you, right? Except, if the browser doesn't trust the certificate issuer the connection isn't "secure" in any meaningful way.
Imagine if your local bank has a great new scheme they'll keep your valuables 100% secure. They have a steel bank vault, with armed guards and you can keep your stuff in it entirely free of charge. Brilliant right? And it's also really convenient, y
Re: (Score:2)
Even worse, one of the more common warnings (the untrusted SSL certificate/issuer) has confused people even more into thinking that "red address bar means not secure and green lock means secure", when in fact your browser's trust of the certificate's issuer has exactly zero impact on how secure the connection is.
So umm... how else would one... you know....um...ah... be able to tell how secure the connection actually is? Are they supposed to guess? Check to see if the evil bit is set? What do you recommend?
Re: (Score:3)
UAC was actually designed to be bad. Microsoft wanted to change developers' behaviour, stop them making every app install a background task that starts at boot, dumping files all over the place and generally behaving badly. But at the same time they didn't want to break backwards compatibility, so UAC was invented.
UAC annoys the user. Developers try to avoid creating UAC prompts that annoy their customers. By the time Windows 7 rolls around, most apps are better behaved. Unfortunately, people are also de-se
Re: (Score:2)
When Windows 7 came out, the first thing a gamer did was to disable UAC.
Maybe the dim-witted ones.
Most games trigger UAC because they want to write to the Program Files directory, either to change their config files or to store saves. Installing them to any other directory avoids this problem.
Some really legacy games require admin rights because they make system calls that are privileged, write to the HKLM registry hive (instead of the user hive), or write to the Windows directory. Very very few fall into this category, and they can be tweaked by configuring them to always run
Re: (Score:2)
For example, I recall when UAC came to Windows Vista.
The UAC prompt isn't a warning in the typical sense. It is a request for elevated privileges. The system must receive a response to determine whether or not the process is granted those privileges. The warning text is supposed to discourage users, but the prompt is necessary because the process will not be granted those privileges in the absence of user consent.
I get a warning from the browser every single time, despite selecting the "always trust applets from this publisher" (or something like that option).
Agree here. Either the browser is stupid, or the publisher is stupidly using different certificates every time.
Of course, there are lots of software packages with instructions like
They are working around false positiv
90% Of Security Warnings Are Bullshit. (Score:2)
Running wrong OS, get a security warning. Running on the wrong hardware, get a security warning. It's no wonder most users see security warnings as overblown BS.
It's because you can't right now. (Score:4, Insightful)
You have your documents up, half written, spreadsheets with data you need for on-call, a long-running backup in a window you forgot to run in Screen or tmux, and any other number of things that mean you can't reboot right now. Especially if it's going to be a reboot that says "don't turn off your computer, we're messing with shit for 30 minutes." We have bosses breathing down our necks for productivity; there's no time to reboot and wait.
Besides, it might make me lose my place when browsing imgur. Fuck that! :)
"Hey, watch this!" (Score:5, Informative)
People ignore all sorts of warnings. It's how we do. There are still people smoking when every single pack of cigarettes they buy has a big sign that says, "These motherfuckers will kill you dead, dummy, and in a really horrible way". When was the last time anyone "closed cover before striking"? A Texas man sees a sign that says, "No Swimming - Alligators." He immediately says, "Man, fuck that alligator", jumps in the water and is instantly eaten by an alligator.
http://www.unilad.co.uk/video/... [unilad.co.uk]
Chinese-made fireworks have a big-ass label (in English) that says, "Set on ground, light fuse and GET AWAY". Did that stop this guy from putting one in his pants and then blowing himself up? No sir, it did not. Because for human beings, warnings are really just dares.
https://youtu.be/8Yagjf5B2tw [youtu.be]
Re: (Score:2)
Ask any IT security folks what the biggest threat is to security.
They'll tell you, "The loose nut behind the keyboard!".
Hmm . . . maybe MTV could film a series titled, "Computer Jackass" . . . ? All the IT support folks that I've talked to privately have hilarious stories of people doing . . . well, stuff that they should have enough common sense not to do:
"I couldn't find the shutdown button, so I just pulled the power plug."
Re: (Score:2)
Computers would be so secure if people just didn't try to use them!
It's silly to blame security problems on the fact that people are involved. Developers and admins blame users when those developers and admins can't be bothered to design (or deploy) practices and procedures that address the blind spots and habits that users pick up when they use a system.
Re: (Score:2)
Developers and admins blame users when those developers and admins can't be bothered to design (or deploy) practices and procedures that address the blind spots and habits that users pick up when they use a system.
For a few years, this was exactly my job.
The end result is always users bitching to management, and then management has to decide between what their favorite employees say and what IT says. In the absence of an intelligible business need for security, the users win.
I have seen IT security guys win most often in the finance, healthcare, and defense industries. Outside of those three, no one else cares.
So don't blame developers or admins. Developers put the security infrastructure there, and admins configured
Re: (Score:2)
A Texas man sees a sign that says, "No Swimming - Alligators." He immediately says, "Man, fuck that alligator", jumps in the water and is instantly eaten by an alligator.
Surprising that it wasn't a Florida man.
Software ignores customer security all of time (Score:3)
Warnings. It's a gimmick in social engineering, really. If we ignore our own security ever, then we can't blame the software for selling us short. It's more of a marketing gimmick and liability issue for the software vendors. They can't possibly save us from ourselves. They can manage to let us fool ourselves if that's our preferred frame of mind. Honestly, we always knew we are not in control, but like a fatal car crash, we just figured it only happened to somebody else. Welcome to denial, it's all the rave - everybody is doing it.
Calling Captain Morgan (Score:1)
We all have a little Hillary in us ;-)
[ OK ] (Score:2)
This program has successfully erased your bootable hard drive. Erase another?
[ OK ]
Why do I have to click 'OK' to every disastrous pop-up warning on my screen?
It's NOT OK!
I'm not allowed to click GODDAMMIT or WTF, I have to click OK or forever look at the stupid dialog box. This box appears only at times of greatest inconvenience and always cheerfully asks for an 'OK'. I'm not usually feeling cheerful after these fatal crashes and I'm reluctant to say OK. Whoever designed the OK dialog for unpleasant events
Re: (Score:2)
Maybe it is because not everybody enjoys profanity as much as you do? Could you think of anything that could be on that button and still be culturally neutral, recognisable, and not offensive?
Re: (Score:2)
%<----------
Something really bad has happened
[ ] OK
[ ] Oh, Shit
%<-----------
I always clicked the second button. I don't suppose it made a lot of difference to what happened, but it definitely demonstrated great UI design skills.
Is the lameness filter there to demonstrate lameness?
Another reason people ignore stuff. (Score:2)
Windows 7 and above has a MAJOR problem with this (Score:1)
And even worse, the cretins at Microsoft took out the functionality from Windows 7 and above that allowed you to stop popups stealing focus.
Every single week at work I end up clicking an unknown button on a prompt because I'll be in the middle of typing something and a dialogue will pop up, steal focus, and whatever keystrokes I'm doing at the time ends up clicking a button on a prompt I don't even get a chance to read as by the time I notice it's stolen focus I've already typed ahead causing me to inadverten
Trainer to be so (Score:3)
The slightly less than average user can't (easily) tell the difference between a valid security message and a browser popup claiming that something dire will happen unless they click on this message and run this program, so they ignore them all.
Just last night I had to tell my mother that the browser complaining about being out of date and to upgrade was probably valid.
Also in the same call, had to try and reassure her that smart meters weren't going to burst into flame and/or make her sick with the power of wireless electromagnetic radiation. ...and she still decided not to get one because of all the random people on the internet claiming they were evil. "But this guy is a M.D. from England! He's got to know all about it right?"
Re: (Score:2)
Makes you think somewhere out there is a doctor that graduated at the bottom of his class.
This is great news! (Score:2)
Developers are at fault (Score:5, Insightful)
This is all the developers' fault. They are so fucking lazy that they think throwing up a dialog is a solution to the problem. After all, if the user clicks on it, they assented, right?
Microsoft is by far the worst offender, but they are not alone. And this abdication of responsibility by programmers has trained the users to just blindly click away warnings. And they are right: 99% of the time they are bullshit, a symptom of a problem the developers should have fixed.
Re: (Score:2)
99% of the time they are bullshit
So are seatbelts.
But perhaps you can enlighten us with examples of 'problems the developers should have fixed'?
Re: (Score:2)
How about not executing files from the Internet, instead of throwing up a 'this may be dangerous, are you sure' dialog?
For fuck's sake, where have you been the past thirty years?
Re: (Score:2)
That is a counterexample.
What you propose would be super annoying, namely having to take an extra step to go to the downloads folder and then run the file. At that point the OS doesn't even know that it was a file just downloaded from the internet, which would make showing a warning dialog at that point even more annoying, as it would have to do so for every executable, always.
Also, please keep your ad hominems to yourself.
Re: (Score:2)
What you propose would be superannoying, namely having to take an extra step to go to the downloads folder and then run the file. At that point the OS doesn't even know that it was a file just downloaded from the internet which would make showing a warning dialog at that point even more annoying as it would have to do so for every executable, always.
The OSs I'm familiar with can in many cases retain a "this was downloaded" tag of some sort. Certainly there's a warning message in OSX the first time you run a new app; I dunno how WIndows7 tags files downloaded from some places (Sharepoint) but not others (Outlook), but I do get warnings about "This Word document came from THE INTERNET [wtf that means]..." .
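The "this was downloaded" tag the comment above is reaching for does exist on Windows: NTFS stores a small `Zone.Identifier` alternate data stream (the Mark of the Web) next to a downloaded file, and Explorer, Office's Protected View and SmartScreen read the `ZoneId` in it to decide whether to warn. That is why a Word document "from THE INTERNET" gets the bar and one saved from a local share does not; macOS keeps the equivalent in a `com.apple.quarantine` extended attribute. The following is an added example, not code from the thread or from the posters: it dumps and decodes the stream, and shows the built-in way to clear it once you have decided the file is trustworthy. The download path in the usage lines is an assumption.

```powershell
# Added example (not from the thread): read the Mark of the Web that Windows attaches to downloads.
# The stream looks like:
#   [ZoneTransfer]
#   ZoneId=3
#   ReferrerUrl=https://...   (present for some browsers/versions)
#   HostUrl=https://...
function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    $zones = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
    # -Stream reads the named alternate data stream; no stream means the file was never tagged
    # (or it was copied to a non-NTFS volume, which silently drops the tag).
    $raw = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $raw) { return $null }
    $fields = @{}
    foreach ($line in $raw) {
        if ($line -match '^(\w+)=(.*)$') { $fields[$matches[1]] = $matches[2] }
    }
    if (-not $fields.ContainsKey('ZoneId')) { return $null }   # malformed stream; treat as untagged
    $zoneId = [int]$fields['ZoneId']
    [pscustomobject]@{
        File        = $Path
        ZoneId      = $zoneId
        Zone        = $zones[$zoneId]
        ReferrerUrl = $fields['ReferrerUrl']
        HostUrl     = $fields['HostUrl']
        WillWarn    = ($zoneId -ge 3)        # Internet and Restricted sites are what trigger the prompts
    }
}

# Usage (path is an assumption): inspect first, then remove the mark only for a file you have
# actually decided to trust. Unblock-File is the built-in cmdlet that deletes the stream.
# $f = "$env:USERPROFILE\Downloads\setup.exe"
# Get-MarkOfTheWeb -Path $f
# Unblock-File -Path $f
```

Seen this way the "are you sure" dialog is not a guess about where the file came from; the answer is literally attached to the file, and the real design question is what the OS should do with a ZoneId of 3 besides ask.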
Re: (Score:2)
If you are too stupid to know what an expression means, you should not use it. The rest of your post is of the same level, so fuck off, idiot.
Re: (Score:2)
I can see you're much better at swearing than at reasoning or even basic civility.
You waste my time.
Goodbye.
Re: (Score:2)
Yes, as a dev, I choose to pop up a mostly useless dialog asking the user how to proceed when something seems amiss. I know for a fact that the users almost never actually read them, because when I get a call and ask them what the error said, they invariably need to go try to reproduce the error - And I make a point of writing human-readable error messages like "Your file vanished after I saved it, Dave", nothing like "Error 102, sprongle interface not
10% margin for error (Score:2)
- *Study has a 10% margin for error...
(I'm joking but.. you know).
There and gone (Score:1)
I've lost count of the number of times something popped up while I'm typing, just as I'm about to press the Enter or ESC keys, leaving me wondering what I just broke or signed up to.
In Windows 10, non-critical messages are signaled in the status bar. A flashing icon could be less destructive than an easily-dismissed dialog.
Missing some context (Score:3)
What was the security warning about? And what was required of me?
To me this is kind of the important part in combination with this: "when security messages interrupted a task". As I have learned from my parents, you don't go haphazardly interrupting people with some kind of nonsense. If you do, you can expect to be ignored or be told off. If a security warning is about to inform me that a scheduled scan will start in an hour, or that a patch will be downloaded, I'll ignore it. It doesn't require my attention at this time and I was busy with something. It interrupted me with nonsense, so it's annoying me and I clicked it away. Another point of contention is if the message requires me to do something like restarting the system. If I'm in the process of doing something that needs uptime (be it watching a video or copying files), I will complete that task first. Task prioritization is key here and interrupting me is again annoying, even if it does want me to do something.
So yeah, I get where these figures come from. Not at all astounding to me.
Re: (Score:1)
I can't fucking STAND when shit pops up in my face while I am focused because 99.999999999% of the time it's some fucking bullshit message.
What I can't stand is people who exaggerate by many orders of magnitude. A little exaggeration is okay, but when you pound on the '9' key like that, you're clearly not even thinking. For your above statement to be literally true, you'd have had to have experienced one trillion popups (~1050 per second, every second of your life, 24x7, for 30 years), of which exactly one was useful.
Too many unnecessary warnings (Score:1)
Notice the world hasn't ended despite people ignoring security warnings. They were unnecessary. People tend to ignore spam.
Some of this sounds perfectly rational (Score:2)
Ignoring messages (read: popups) "when going to close a web page"? Of course I'm going to ignore those--I don't think I've ever seen a legitimate security warning when I was trying to close a page, but I have seen a lot of sleazy attempts to prevent me from leaving someone's web site. What action is it that I'm performing by closing the web page that I might be making a mistake with? What alternative path is being suggested to me there, just leave the page up forever?
In the other direction, paying attent
Don't care != multitasking is hard. (Score:2)
So my browser tells me something-something-Flash-something, do I really want to watch that YouTube video? That question has only one possible answer: "Kittens". No one, ever, not even the most paranoid of security researchers, has ever intentionally said "no, never mind, I don't really need to see kittens, thanks for the warning, Firefox!".
The real problem here (if any) comes from too damned much
Why is our society so stupid? (Score:2)
Another completely obvious fact which somehow industry has overlooked.
How would this be?
Well, let's see: each person's career depends on making his boss feel good and not rocking the boat. So the programmer does what he is told, chuckling about how stupid it is every day. His boss does what the committee says is right, shrugging off his frustration. The committee does whatever it can achieve agreement on among its members, while being "safe" because committees are ruled by fear. Its members are doing what t
Research results will be used by advertisers (Score:2)
Don't use "Up to x%" (Score:2)
Why even bother? (Score:2)
Re: (Score:2)
He thinks his computer is 'secure'
laughinggirls.jpg [eduncovered.com]
Uh, there are other reasons... (Score:2)
For instance, I freeze certain apps on my phone and unfreeze them only when I want to use them (games, etc) because updates cause the Wool and Placation Affect (call it WPA if you want):
Wool = pulling the wool over consumers' eyes with the new "SECURITY ALERT OMG OMG" version update that suddenly may 1) not have a security issue and adds other "features" like ads, lockouts of old free features, new pay-teaser features, etc, or 2) has a real security issue but bundles 1)'s items in.
Placation = Tries to add a
Is it really a warning or a shakedown to sell? (Score:2)
Seems to me all these are all "computer security has expired! click here to update [and pay money]."
However, multiple warnings lead to "alarm fatigue", i.e. part of a situation that caused a B-1 in flight test to crash. Lots of warning lights for low/moderate stuff; the crew acknowledges the alarms and proceeds on. Then comes the CG warning, but they didn't pay much attention to it, until the aircraft tilts and stalls. from http://www.nasa.gov/connect/eb... [nasa.gov]
Not every warning services the user (Score:2)
TLS certificate not trusted.
Most of the time this is IMPORTANT.
But too often, it just tells me "somebody did not setup the right CA certificates for you".
And try to root your Nexus phone. On every boot you get a "This device is insecure, read more at goo.gl/blablub" warning, because I have an unlocked bootloader.
Fuck you, I choose to have one. Please notify me when something actually replaced something without my command.