Anthony Vance, Brigham Young University – Security Warnings

1009-50 Vance, Tony 05 Portraits for the Marriott School of Management. September 20, 2010 Photo by Kirsten Gudmundson/BYU © BYU PHOTO 2010 All Rights Reserved photo@byu.edu  (801)422-7322

Not everyone pays attention to security warnings on their computer.

Anthony Vance, associate professor of information systems at Brigham Young University, discusses when the best time may be for people to act on these notifications.

Anthony Vance is an Associate Professor of Information Systems in the Marriott School of Management of Brigham Young University. He has earned Ph.D. degrees in Information Systems from Georgia State University, USA; the University of Paris—Dauphine, France; and the University of Oulu, Finland. He received a B.S. in IS and Masters of Information Systems Management (MISM) from Brigham Young University, during which he was also enrolled in the IS Ph.D. preparation program. He currently is an associate editor at MIS Quarterly and serves on the editorial board of the Journal of the Association for Information Systems.

His previous experience includes working as a visiting research professor in the Information Systems Security Research Center at the University of Oulu. He also worked as an information security consultant and fraud analyst for Deloitte. His work is published in outlets such as MIS Quarterly, Journal of Management Information Systems, Journal of the Association for Information Systems, European Journal of Information Systems, Journal of the American Society for Information Science and Technology, and Proceedings of the ACM Conference on Human Factors in Computing Systems (CHI). His research focuses on behavioral and neuroscience applications to information security.

Security Warnings

AM-favicon-pink

Warning messages are one of the last lines of defense in computer security. Unfortunately, research shows that people consistently ignore security messages. One of the reasons why this happens is because security warnings usually interrupt what we are doing on the computer. This forces us to juggle the task we are working on and the information that the security message is presenting.

This is a problem because although many people believe they are good multitaskers, the truth is that the human brain is lousy at it. When two or more tasks are attempted at the same time, they interfere with each other in the brain. This is called dual-task interference, or DTI.

In our research, we used functional magnetic resonance imaging (or fMRI) to show that this is exactly what happens when security messages interrupt us. We found that brain activity was substantially reduced when a user received a security message while in the middle of another task, compared to when responding to the security message was the only task. Reduced brain activity in turn predicts that the user will disregard the warning.

So how can dual-task interference be avoided with security messages? Good timing makes a big difference. We performed a large online experiment in which some users received a security message at high DTI times (such as while typing or watching a video online). Other users received the same security message at low DTI times (such as waiting for a page to load or after a video finishes). We found that up to 87% of users ignored the message at high DTI times compared to as low as 22% of users for low DTI times.

What does this mean for you? You may have the best of intentions to heed security warnings, but if they interrupt what you are doing, your brain will be working against you.

 

Share