Fox School of Business Idea Marketplace

Ignoring Software Security Warnings is Natural, but Dynamic Warnings Could Change That

January 14th, 2020


Fox School of Business MIS professor examines how the introduction of dynamic security warnings could lead to safer online behavior, ultimately eliminating hackers.


PHILADELPHIA, Jan. 13, 2020—Surf the net or play with your phone for any decent amount of time, and it’s inevitable that you’ve seen this familiar message before. 

“Important update available. Install now.” 

Yet, how often have you actually dropped what you’re doing to install the update? If you’re like the average technology user, you probably just ignore the message or ask to be reminded at a later date. However, a researcher at Temple University’s Fox School of Business says that could be a mistake.

“Our brains are wired to tune things out over time,” says Anthony Vance, an associate professor of management information systems in the Fox School. “The thing is, software updates fix security vulnerabilities that hackers know about and can take advantage of. As soon as Apple or Microsoft publishes these security updates, the whole world knows what needs fixing. Hackers start writing attacks to take advantage of these holes.”

Past research has outlined how it’s important to be proactive when it comes to updating software, but that’s easier said than done. Old habits die hard, and a person cannot be expected to immediately start paying close attention to software updates.

Vance’s new research could offer a solution. Recently published in MIS Quarterly, “Tuning Out Security Warnings: A Longitudinal Examination of Habituation through fMRI, Eye Tracking, and Field Experiments” investigates how changing the design of security warnings might help stop users from ignoring them. The research was presented last year in Santa Clara, Calif., during the Fifteenth Symposium on Usable Privacy and Security. 

As part of the research, Vance and his research colleagues altered the design of typical security warnings and then tracked user reactions to the new designs over the course of five days through fMRIs and eye-tracking. These were not your run-of-the-mill security warnings. One featured a yellow, triangle-shaped warning sign. Another had a jiggle animation with it. One even quickly zoomed in and out.

The new designs seemed to have a positive effect.

“Those treatments sustained attention across the whole week,” Vance says.

Vance and his colleagues further tested these new security warnings during a field experiment. More than 100 participants were recruited to evaluate apps on, unbeknownst to them, a fake Android store. Out of a list of ten apps, participants were asked to download and evaluate three of them over a three-week period.

The permission warnings and visual displays varied, depending on the app. For some apps, the warnings were in line with a typical generic security warning. Others were more elaborate, similar to what users saw during the first part of the experiment.

“The people who saw the variations in warning designs had more secure behavior over time,” Vance says. “These designs are more resistant to us just doing the natural thing where we tune them out. By the end of the three-week period, nearly 80% of the folks who saw the dynamic security messages were still adhering to safe behavior compared to just 55% of those who saw the static warnings.”

Does this mean that we can expect our next security warning to come in the form of a flashing, luminous red light? Not necessarily.

“In this research, we were careful to design warnings that do not annoy people, like a blinking warning. We wanted to show that we could reduce habituation without making people’s computing experience worse. We found that even our comparatively restrained designs made a big improvement and that this improvement held over time,” Vance says. “Together, these findings provide the most complete view yet of how people habituate to security warnings over time, and the significant impact this can have on the effectiveness of warnings, the last line of defense in cybersecurity.”

About the Fox School of Business

The vision of Temple University’s Fox School of Business is to transform student lives, develop leaders and impact our local and global communities through excellence and innovation in education and research.  

The Fox School’s research institutes and centers and 200+ full-time faculty provide access to market-leading technologies and foster a collaborative and creative learning environment that offers more than curriculum—it offers an experience. Coupled with its leading student services, the Fox School ensures that its graduates are fully prepared to enter the job market. 

The school’s knowledge-creating research faculty affords it the flexibility and responsiveness to address the needs of industry and generate courses and programs in emerging fields of study. As a leader in business research, the Fox School values interdisciplinary approaches and translational research that advance actionable insights to solve real-world problems. Our research informs an adaptive curriculum, supports innovation in teaching and prepares students for the changing nature of work.
