What's the difference between you and a sea slug? When it comes to IT security, nothing Several academics have been using brain scanning methods to see how people handle computer security, and the resounding result is that our brains are biochemically working against us in this realm. In a talk at the Enigma 2017 security conference, Anthony Vance, professor of information systems at Brigham Young University in …
Psychologists have known this stuff for decades. It's Psychology 101 in American terminology. The classic demonstration of attention and observation is the subjects were shown a video of a game of catch and asked to count how many times the ball is passed along failed to notice the gorilla (just bloke in gorilla suit - damn you healthandsafety) walk across the screen.
The trick is not calling it "kicking people in the knackers" when you try and get management to give you permission, you need some buzzwordy name that means nothing, but sounds exciting, how about:
"holistic approach to percussive user empowerment training"? Or, "maximising shareholder value via prioritising physical approaches to employees' digital experiences".
Just go read some business magazines whilst huffing ether* and you'll soon be in the right frame of mind.
(* it's in the IT cupboard, in the bottle marked "R/W head cleaner")
interaction with anything biologic...Otherwise they would have chosen sales or marketing
I'm sorry - you are telling me people in corporate marketing departments are biological?
There's a reason for the term "marketing droids". If they were human, people surely wouldn't be complaining so much about products.
Of course. Otherwise how could they be so imperfect, clueless, arrogant, self-interested, still prone to follow the herd?
That's extremely depressing because it suggests that natural selection favours this kind of behaviour, since marketing and sales people tend to reproduce more than engineers.
Why otherwise a movie like "Idiocracy" - which is based exactly on that assumption - ends with solving a worldwide famine created by marketing (irrigating fields with a beverage because the ads told it was "better than water")?
you are telling me people in corporate marketing departments are biological?
If Futurama taught me anything about robots, I'd say advertising is entirely devoid of human life; the sector is run of alcohol.
Speaking of which, I need to grab some wholesome nutritious alcohol before I head into the office...
This is why the first step in designing new software should always be to mock up screens and reports on paper, then pass them in front of a user review panel.
If something is wrong (or even just slightly misshapen), they're cheap as all get-out to revise, among other advantages such as needing no software or hardware to display.
Next step is to mock up inputs and expected outputs. Final acceptance then depends on matching the expected results for specified input. When I used to do IT for a living, I always told user test panels "don't input something just to see what happens; figure out what is supposed to happen, then see if it does."
So, it's a fact that we're wired to ignore things that are repetitious. Well, ok, that's not terribly surprising, leaving us with the task of making the things not repetitious, right?
Our options aren't good for that. We've got:
None of these are good.
1 will make people angry. Especially if there's any possibility for false positives. Not to mention the fact that most users will be incapable of following the instructions presented, even if they're 2 lines long, in big letters and don't use any words of more than 2 syllables. 2 will work for a while, but then cease to be effective anyway, and 3 is basically giving up.
What we really need to address is that users should never see security warnings, because they should be being protected by their operating environment from things going wrong in the first place. When one does appear it needs to be a surprising once-a-month-if-that sort of event.
I think the most important option is more or less mentioned in the article: Stop spamming users with too many unnecessary and attention-seeking alerts.
A good human interface is a form of art, and it's not just about the color of your window title bars. When the machine has to communicate something to the human, it should be done in the appropriate way. Why is the launch screen of certain Adobe products more prominent than a critical security warning? Why is the overlay alert on certain websites asking me to subscribe to their newsletter bigger and flashier than my software update UI notifying me about a critical security update?
You can make security alerts red, pink, flashing, wobbling and whistling all you want; sooner or later the flashiness of your Sudoku app's "Like us on Facebook!" alert will be just as flashy.
"What we really need to address is that users should never see security warnings, because they should be being protected by their operating environment from things going wrong in the first place."
EXCEPT that while you can TRY to make things FOOLproof (and likely fail, according to Douglas Adams), you simply CANNOT make something IDIOTproof. The difference being that fools will go off the beaten path on a whim while idiots will see the "Do Not Enter" sign and think, "Ooh, something COOL!" Basically, you just can't save some people from themselves; worse, these people tend to take others with them.
@RW
I have, just once. It was a little figurine of a character from an animated show I like, that happened to be advertised in a (quiet, discreet, and definitely NOT flashing and jumping all over the place to attract attention) sidebar on a fan page I was browsing related to that particular show. So I guess relevant, appropriate advertising that is respectful of the viewer - rare as that is - can sometimes work if it's simply making known the existence of a product that the viewer would likely be interested in buying anyway.
You're an exception. Experience dating back over a century shows that unobtrusive ads, 99 times out of 100 (more nines when online), simply get ignored and overlooked as background noise. For ad people, the mantra soon becomes, "love me or hate me, as long as you know me" since they can employ subconscious cues to get your attention (and these don't have to rely on emotion).
99 times out of 100 being overlooked is exactly how advertising should be. If one view in ten thousand results in a sale then the ad is doing extremely well. Getting louder and flashier alienates potential customers in a fruitless quest for higher profit. People may remember, but no study I've ever heard of can show that means higher sales and if anything peopel will remember that this particular brand annoys them even if they can't remember exactly why.
In short, advertisers need to put down the coke straw.
"99 times out of 100 being overlooked is exactly how advertising should be. If one view in ten thousand results in a sale then the ad is doing extremely well."
Nope, I hear it's LOSING them money, so they NEED a higher hit rate. Otherwise, their rates get forced down and they'll eventually end up in the red.
Sort of unrelated topic, but yesterday I was trying to help a friend who was getting e-mails and calls from colleagues about a message that he has (apparently) sent.
Messages were asking for people to contact him in a Gmail e-mail address that is very similar to his own, except for a double character: [email protected] . Contents of the e-mail were a subtle scam, but I bet some people felt for it because they didn't noticed that the e-mail was bogus. The sender was faked but credible.
I spent almost an hour trying to find a way to report this to Google -- probably because it wasn't from a company, it wasn't sent to a Gmail account and it didn't had anything to do with content from Google. All I wanted is to ask to check and maybe remove that account. The closest I got was a form asking for way too much information. Maybe there is a simple way to do that, but I Googled (ha!) several keywords and combinations and nothing.
Back to the original topic: I can't really blame non-technical users for confusing security alerts, but making them in different colors and wobble? It'll be like those flash-based "you're the 1.000.000.000.000.000.000 visitor to this site, click to claim prize" ads.
There are two major issues involved in this problem, and neither one is human attention span - so please stop fantasizing about randomly decorating my security dialogs RIGHT NOW, thankyouverymuch.
First, it's that there isn't so much "a" ratio of false positives, but rather that the ratio of false positives is 100% (and when it isn't, it's 99.99%). Your experience may be different, but I don't ever remember seeing a a security warning of any kind that notified me of an actual, present, confirmed, real threat. They are always of the "security is not guaranteed to be secure" variety, not so much detecting a threat but rather making sure they cover their own asses complaining that it cannot be guaranteed that there isn't one. Well whoopty-doo, cry me a river - no fucking thing in real life is ever guaranteed! I'd love to live in a perfect world where certainties are always absolute, but out here in the real world things are almost always messy, and deflecting any potential responsibility whenever something might be unsafe (except it never actually causes any issues) onto me then expecting me to treat all that whining with my full attention every single damn time is Not Good Enough. Crying wolf incessantly is NOT a "security solution".
Second, there is zero point in nagging me about things I cannot do a single damned thing about. If a website's certificate expires, can I fix it? NO! How about them using a cert for another one of their domains than it was issued for? NO! Maybe a broken auth chain due to a cert authority with dodgy practices suddenly being rejected wholesale...? NO! All I can do is abort the action completely, and that's not an actual option. EVER. In a home setting, the task at hand always, always, always far outweighs in priority any nebulous "potential threat". EVEN IF there actually IS a problem (there isn't), the practical consequences for the user are almost certainly zero (unless you catch a crypto-nastie - that's a special case) - so John Smith won't care about hosting a botnet as it will not impact him at all; on the other hand, John Smith will definitely care about not being able to get on Amazon or Ebay to order what he wants - keeping him "secure" while preventing the main task is like making sure a newborn stays impeccably sterile by keeping it in formaldehyde.
And I'm saying the above as someone who often causes consternation with his outlandishly paranoid stance on security and privacy. I simply have to recognize that current "security" warnings are only ever a nuisance to me and never of any actual help, use or value in actually dealing with whatever's "suspicious" this time. I may decide I want to put in place any number of extra security measures simply because I'm paranoid or I may not, and they might actually protect me from something or they might not; but none of that will happen merely because a "security warning" popped up - there's only one thing I can do about that when it happens: cancel the dialog and continue about my business.
This post has been deleted by its author
"Each window has an unforgeable coloured titlebar so you can see what level of security it is operating at. The colours can be customized but only from the hypervisor --- nothing in the VM can alter the colour of that titlebar."
You bet your life? It's pretty certain someone will develop a VM escape (a red pill) at some point in the near future. After all, they developed sandbox escapes quickly enough.
"Well whoopty-doo, cry me a river - no fucking thing in real life is ever guaranteed!"
But that's what the customers WANT, like it or not. So if you cry a river, they'll be happy to send you down it. Which would you rather have? Hundreds of false positives...or one false negative?
"Second, there is zero point in nagging me about things I cannot do a single damned thing about. If a website's certificate expires, can I fix it? NO!"
But it WOULD be prudent to, you know, NOT GO THERE.
"so John Smith won't care about hosting a botnet as it will not impact him at all"
Not impact him at all? What about steal his information and use his identity to commit illegal activities putting the law on them?
"there's only one thing I can do about that when it happens: cancel the dialog and continue about my business."
Oh? What about "Perhaps what you are about to do is stupid. DON'T DO IT!" Like I said, I'll take hundreds of false positives over one false negative because they only have to get through ONCE to make it Game Over.
most of the peeps I know who use a device of any nature, are not computer scientists, or any sort of technical savant, so I have to assist them with the nerdy issue which is stopping my mate from completing their objectives of the moment.
Why they can't do it, isn't what they want to take on board right now or any time soon. Their brains are already saturated with sorting out the stuff which is related to their own professional interests, AND the essential electronic machine which they paid gpood money for .... isn't working .......... they aren't working ......... and need the assistance of another specialist (plumbertype) to fix issue........
All they know is that, it's broke and they hopefully, know a bloke (often but not always) who can fix problem quickly and not too expensively.
To expect the same person to - whilst in middle of doing something important - is side tracked by v.important notice speaking in a language which cannot be defined owing to the semantic lexicon of technowordz, also take on board any action required by the fucking popup.
Is it surprising then that some people take longer than others to get the fix for this particular issue, especially considering the number and variety of techical issues arising during any one session on a fucking computer !!!!!!!!!!!!!!!!
These computer thingies are used by intelligent people, not just idiots.
For a warning that is likely to be repeated make the first one vanish before the user has time to comprehend it. eg
!!We've noticed an anomaly with your system!!
Then Yak yak yak..... etc falling of the bottom of the too tiny scroll window.
Moving the mouse over the window to operate the scroll closes the window.
The object of this is to stimulate curiosity..
Turns out the study is just like many I have read before. I'm sure it had a perfectly valid point in it somewhere (likely amidst a sea of crap) but it was so boring I couldn't be bothered. Blah blah blah. I just clicked it away. After all, I have important work to do writing my security software suite for BeOS...
Okay, not really. But you get the point.
The problem is not that the average user gets bored seeing the same security notice over and over and over and over and over. THE PROBLEM IS EXPECTING USERS TO BE SYSADMINS!
Seriously. Bob from accounting just got caught looking at smut on his work PC AGAIN and Lucy the office temp just began to suspect that her Praba handbag MIGHT be a cheap knockoff. Daryl ran out of gas on the way to work, again, as if the dashboard has neither a dial indicating fullness nor a big red idiot light. And Chufty the Clown's daytime ratings just went up phenomenally after her "wardrobe malfunction".
In other words, the world is full of people who are just not sysadmins. So why on Earth would anyone put the responsibility of computer security squarely in their hands? Recipe for failure much?
"In other words, the world is full of people who are just not sysadmins. So why on Earth would anyone put the responsibility of computer security squarely in their hands? Recipe for failure much?"
Because with something as "personal" as a computer, you can't trust someone else to do it, either. That trust WILL (not MAY) be betrayed, so it becomes like the front door. You need to keep intruders out (and there are more of them due to the cyberspace angle), so people have to learn to do some hoop jumping if they want to keep their computer safe. It's unavoidable, much like house burglary.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
