
People disregard security warnings on computers because they come at bad times - Errorcod3
https://news.byu.edu/news/most-people-disregard-security-warnings-when-they-pop-our-computer-screen-why-they-come-bad
======
initram
This is fascinating research! It's one of those things that seems obvious in
retrospect, but if it was obvious, why has nobody addressed it before?

I have to say, though, the example security alert they show looks like spam to
me. I'm not a regular user of Chrome, so maybe that's how they all look, but
it looks like it's trying to sell me some seedy 3rd party tool that will
"clean up" my settings while really installing malware to show me more ads.

~~~
deargle
> I'm not a regular user of Chrome, so maybe that's how they all look

Interestingly, that's an exact replica of the real Chrome Cleanup Tool that
was/is in use when we ran the research (I'm a coauthor). The news article only
reports overarching "did they heed the warning" stats, but in the published
paper we actually didn't care whether they heeded it or not. We cared how much
they deliberated over their decision before making a choice. We measured
deliberation, or attention, via mouse cursor movement tracking. For example,
straight-line trajectories towards the dismiss button indicate less cognitive
attention than do less-than-straight-line trajectories (wavering, hover time,
click latency, etc.). If someone deliberated for a long time, they might
decide in the end that they thought it was spam. But at least they deliberated
instead of making an automatic, hasty decision! Users were more likely to show
signs of deliberation when the prompts were shown at low-interference times
than they were at high-interference times.

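The deliberation signals described above (trajectory straightness, hover time over the dismiss button, click latency) can be computed from raw cursor samples. The code below is an added illustration and is not the coauthor's or the paper's own instrumentation; the exact feature definitions, the 20 px hover radius and the two cursor traces are my own constructed assumptions.

```python
import math
from dataclasses import dataclass


@dataclass
class CursorSample:
    t_ms: int   # milliseconds since the prompt appeared
    x: float
    y: float


def path_length(samples):
    return sum(math.dist((a.x, a.y), (b.x, b.y)) for a, b in zip(samples, samples[1:]))


def straightness(samples):
    """Straight-line distance over travelled path; 1.0 means a perfectly straight move."""
    total = path_length(samples)
    if total == 0:
        return 1.0
    return math.dist((samples[0].x, samples[0].y), (samples[-1].x, samples[-1].y)) / total


def hover_ms(samples, button_center, radius):
    """Time spent within `radius` px of the button before the final (click) sample."""
    hover = 0
    for a, b in zip(samples, samples[1:]):
        if math.dist((a.x, a.y), button_center) <= radius:
            hover += b.t_ms - a.t_ms
    return hover


def click_latency_ms(samples):
    return samples[-1].t_ms - samples[0].t_ms


def deliberation_features(samples, button_center, radius=20.0):
    """Assumed feature set: low straightness, long hover and long latency suggest more deliberation."""
    return {
        "straightness": round(straightness(samples), 3),
        "hover_ms": hover_ms(samples, button_center, radius),
        "click_latency_ms": click_latency_ms(samples),
    }


DISMISS = (400.0, 300.0)  # constructed screen position of the dismiss button

# Constructed trace: straight, fast move to the dismiss button (automatic dismissal).
HASTY = [CursorSample(0, 100, 100), CursorSample(150, 250, 200), CursorSample(300, 400, 300)]

# Constructed trace: detour, hover over the button, late click (deliberation).
DELIBERATE = [CursorSample(0, 100, 100), CursorSample(400, 300, 120), CursorSample(900, 380, 310),
              CursorSample(1500, 405, 295), CursorSample(2200, 400, 300)]
```
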
------
ci5er
Interesting.

I can't imagine that I'm alone in this, but when I use the computer, I'm
usually trying to get something done. Now, I realize that my security systems
are often trying to help keep me from doing something foolish, but much like
software updates, I'm not interested in taking my attention off the task at hand.

I'm not sure how the software is supposed to wait until after I've done
something stupid, but I agree that I would be more available (attention-wise)
to take note of it afterwards.

~~~
flukus
They could have passive indicators, like the warning lights in a car. You
aren't supposed to stop driving the second they come on, yet they're
persistent enough that you don't forget.

Chrome updates seem to be doing this lately, it indicates there is an update
(and it's already been downloaded) and that you need to restart.

Windows on the other hand is in your face when you don't want it to be (from
annoying dialog to attempting to restart itself), but then after you dismiss
the dialog it gets hidden in the notification tray. It expects you to
remember.

I wonder if it would be better to follow the chrome/car approach and have
something like a red windows menu button.

~~~
ci5er
That sounds a lot better than their dark patterns tricking my distracted self
into accidentally OK-ing an upgrade to Windows 10!

~~~
flukus
I actually have the opposite problem. Windows 7 updates that refuse to install
so I can't upgrade to Windows 10. I think it's related to when I installed
Silverlight (for Netflix or something), which then decided that my OEM
copy of Windows was pirated.

Shit like that has me eyeing up a return to Ubuntu.

~~~
ci5er
I hear you. I spend probably half of my time in a Unix-ey dev environment, and
way too much of the other half in Microsoft Office. When I tried running
Windows in a VM on RHEL (maybe it was Fedora) and then Ubuntu or Fedora in a
VM on Windows, I just found that Linux played nicer in the guest VM than
Windows did, so I still find myself with a Windows host. But, I tell you: if
they ever make MS Excel work nicely on Linux - I'm done with Windows! :-)

~~~
flukus
I had that experience installing docker recently, the home edition of windows
10 doesn't support it properly because of arbitrary feature limitations.

Generally I stick with windows for work related activities, but with .net and
soon sql server being cross platform and my favorite games already there I
don't have much of a reason to stay.

------
bsbechtel
So do requests to install updates...

------
tedunangst
Are people who receive warnings from the chrome cleanup tool representative of
people in general? It seems to me they've preselected for a high risk
population.

------
wildpeaks
It would be interesting to redo this study with multiple designs for the
dialog box, because as others pointed out, the one pictured in the article
looks like sketchy spam (although that doesn't invalidate the claim that
people disregard the dialog when it comes at a bad time if, for a given
design, there is a difference in click rate).

------
Retra
Just as people catch overly-generic exceptions because they don't want to stop
to think about exceptions when they're writing the normal code path. Thus we
have one of the tragic failures of Java's checked exception mechanism: it
fights against human instinct rather than complementing it.

------
dredmorbius
As with many UI/UX failures, this one has a long pedigree. A Greek interface
analyst some years back identified the canonical case:
[http://etc.usf.edu/lit2go/35/aesops-fables/375/the-boy-who-cried-wolf/](http://etc.usf.edu/lit2go/35/aesops-fables/375/the-boy-who-cried-wolf/)

I'm a long-time computer professional, I've used systems for decades. I've got
a security mindset. Which is to say, I'm the furthest thing from a typical
user.

_I consistently dismiss and get rid of security alerts._

There are a whole host of problems with the general process of _conveying
information to people in a method likely to result in the desired action_. It
is a very broad and general problem. It ties into various areas of alerting,
alerts overload, cognitive processing, psychological biases (of both users and
developers), and more.

Among the elements:

1\. Users are generally trying to do something. Something _other_ than what
the developer is trying to alert them of.

2\. Users are often trying to do _several_ things. The more so with mobile
computing. Hopefully they're not operating heavy machinery (lawn mowers, cars,
aircraft), _but that happens._

3\. The local user environment is often hostile. _Never underestimate the
hostility of the operating environment._
[https://ello.co/dredmorbius/post/ef662JsTwbGM_zH1s8qGZg](https://ello.co/dredmorbius/post/ef662JsTwbGM_zH1s8qGZg)

4\. The user, not some remote developer or site, is in ultimate control over
their system. Perhaps not _perfect_ control, but control.

5\. _Systems are insanely shitty at preserving user state._ And pretty much
always have been. _Especially_ GUIs. In my physical office, items remain where
I leave them. Though the appearance may seem chaotic to others, _it has a
logic to me_ , even if that's only happenstance and temporary. _Things moved,
even only slightly, are maddening._

Our desktops often have little or no respect for our organisation. They don't
have sufficient space, they don't retain order. File managers reorder files,
desktops reorder windows and icons. Applications, closed, don't restore to
original state.

Curiously, it's limited and simple systems which tend to fare far better.
Commandline and console tools don't have this state to be interfered with.
Directory listings don't re-order themselves spontaneously. Screen, or tmux,
or vim, or emacs sessions are surprisingly effective at retaining state. The
old PalmOS didn't afford a great many capabilities, _but those it did it
afforded well_. Android, by contrast, fares far worse, and a constant
frustration is loss of content-in-process edited in a browser session.

The upshot: _users hate restarting or updating systems, because everything
changes, and systems don't respect user state._

So even _if_ an update could be run quickly and effectively, it's avoided.

6\. Systems don't provide an option for rescheduling maintenance work for a
truly opportune time. Office cleaners don't work during core business hours.
Maintenance work is, where possible, scheduled for off-peak hours or days. Our
computers don't generally follow these practices, _if only because the
maintenance processes themselves aren't self-contained_. User prompts or
queries (often utterly meaningless) need to be addressed. Updates cannot
happen in a single contained session. Multiple reboots and restarts occur.

7\. Vendors don't limit system security updates to system security changes. In
far too many instances, other changes are piggybacked in -- crapware
installations, _feature removals_ , and more, which past experience has often
shown _cannot be effectively rolled back._

This gets _directly_ to the fable I started this with and its message: trust
is a very, very fragile commodity, and abused is lost often forever. _Do not
fuck with your users' trust, you will die._ Maybe not quickly, and often only
slowly and painfully.

8\. Programmers' and users' priorities for alerts differ hugely. A
programmer's primary concern is covering their own ass -- not failing to alert
for something which might possibly go wrong. A user's concern is _getting
their job done_ and _being alerted if the building is on fire_. For pretty
much anything else, _they simply do not care, nor should they_. Psychological
limits on attention, and practical limits on expertise, mean that _querying_
users for actions is almost always wrong. _Do the right thing, do it without
fucking with the user's activity, do it without fucking with the user's
state._

I've written previously on alarms and alerting in hospital and Google
settings:

[https://www.reddit.com/r/dredmorbius/comments/1x0p1b/npr_sil...](https://www.reddit.com/r/dredmorbius/comments/1x0p1b/npr_silencing_hospital_alarms_results_in_better/)

[https://www.reddit.com/r/dredmorbius/comments/2j9xri/alertin...](https://www.reddit.com/r/dredmorbius/comments/2j9xri/alerting_response_google_site_reliability/)

Repacking this, what _should_ alerts do?

1\. If an action is harmful, _disable it._

2\. If it's not possible to tell if an action is harmful or not _figure out
what the underlying threat is and fix the flaw exposing it._

3\. Create stateless systems -- operating systems, applications, etc., should
simply _revert to previous state when respawned, without user action._ (A
"wipe slate" feature might also be useful, though think through that.) This
calls for a pretty solid re-think of just what applications and environments
are.

4\. _Schedule maintenance for times the user isn't actively using the
system._ The only exception is for maintenance which can occur without
violating user space.

5\. _Do not overload security and bugfix updates._ The Windows 10 forced
migration is a key instance of this. Virtually any carrier- or vendor-based
smartphone or tablet update likewise. There are reasons I have bought my last
Android device. Samsung and Google have both violated my trust repeatedly.

~~~
reitanqild
> 7\. Vendors don't limit system security updates to system security changes.
> In far too many instances, other changes are piggybacked in -- crapware
> installations, feature removals, and more, which past experience has often
> shown cannot be effectively rolled back.

Hi Sony, that would be you, wouldn't it?

I was a living billboard for Sony Z series until they decided to push ads
(Amazon shopping link) at me that I couldn't figure out how to remove.

Edit: not so much about the annoyance but the fact that it shows exactly how
little they care about even flagship phone owners.

