MRIs Show Our Brains Shutting Down When We See Security Prompts

antdude writes with this excerpt from Ars Technica: Magnetic Resonance Imaging (MRIs) show our brains shutting down when we see security prompts. The MRI images show a "precipitous drop" in visual processing after even one repeated exposure to a standard security warning and a "large overall drop" after 13 of them. Previously, such warning fatigue has been observed only indirectly, such as one study finding that only 14 percent of participants recognized content changes to confirmation dialog boxes or another that recorded users clicking through one-half of all SSL warnings in less than two seconds.

What kind of person did they study?

[ArcadeMan]

Did they test with dumb regular users who don't understand or don't know better, or did they test people who actually know what those security warnings mean and the real consequences of ignoring them?

Re:

[war4peace]

Average Joes, as most researches focus on.

Re:What kind of person did they study?

[Austerity Empowers]

What is the purpose of security alerts if not to warn people who don't know any better? For the crowd that gets it, you could flash a brief icon featuring a guy fawkes mask and that'd be sufficient. I also wonder how many of them would click "proceed anyway" if the pr0ns were there...

Re:What kind of person did they study?

[khasim]

What is the purpose of security alerts if not to warn people who don't know any better?

To shift the blame to the end-user when something goes wrong.

Which is why the alerts are so useless. They, essentially, become a "click here to continue" button.

Re:

[sjames]

Short of tasering the user when they try to click past it, what would you have them do?

There actually are legitimate reasons to bypass the warnings in most cases.

Re:

[ewibble]

Write systems allow you to bypass them safely, like automatically spawn a VM to run the code in.

If you think about it, the question is a stupid one. Do you wish look at naked women? Warning there is a chance that something bad may happen to your computer.

The answer is clearly yes, they probably knew that before they started looking. People will risk a real virus that can kill them to have sex they not going to say no the risk of a computer virus.

Porn aside, every piece of software I install, is dangerous. L

Re:

[sjames]

Did you really just suggest that the safetys should have a safety in case they get bypassed? What if someone bypasses the safety safety? Another safety? Admittedly, that will eventually work when the many layers of safeties keep the machine from doing anything and the user loses interest, but it's not that practical.

No amount of sandboxing will help you if you click past the warning that 'your bank' appears to be protected by a self-signed cert. At the same time, there are plenty of sites where a self-signe

Re:

[allo]

Maybe let the user pay 50 cent to bypass the security warning.

Re:What kind of person did they study?

[frinsore]

While I find the study surprising it is disturbingly logical. And I expect the article's solution would only be temporary (making random drastic changes to the prompts). Personally when I receive a windows escalation prompt I've already made the decision to run the program and the prompt just gets in the way of that, I already trust the program or I wouldn't have run it in the first place. Showing the prompt after the user has decided to run the program is already too late. The warning should be shown on the icon, if in a gui, and preferably the application should have a list of privileges that it needs, like android, instead of a generic "everything".

Re:What kind of person did they study?

[suutar]

Android apps request everything anyway. What I want is a way to say "yeah, I know you want this, but you ain't getting it. Install anyway, and the OS will just pretend that function returns nothing."

Re:

[youn]

Somebody mod parent insightful... I fully agree

Re: What kind of person did they study?

[Anonymous Coward]

That would be "App Ops". You'll need a custom rom on most Android versions though

Re:

[BESTouff]

There's one answer: CyanogenMod.

Re:

[dinfinity]

There are more answers: https://github.com/M66B/XPriva... [github.com]

I've also used PDroid and LBE Privacy Guard: https://play.google.com/store/... [google.com]
The latter seems to have gone to shit, though. It always was ran at a layer too high to allow it to catch everything reliably anyway.

PDroid was great if your ROM supported it. The original version isn't maintained anymore, but replacements seem to have popped up:
https://play.google.com/store/... [google.com]

In general though, using a CyanogenMod ROM with privacy features is definitely th

Re:

[IamTheRealMike]

Then the app will check for the fake data on first run and pop up another prompt that says, "Guess what - I really need this".

That isn't the fix you're looking for. A way to delay acquisition of a priviledge until the point it's needed is a better fix. These apps aren't actually maliciously asking for useless permissions. Almost always they ask for lots of permissions because they have lots of features.

Re:

[suutar]

I'm really curious what feature causes my Kindle app to need phone access. I was curious why FitBit needed camera access until I realized it had a barcode scanner. But I don't use its barcode scanner, so I'd be perfectly fine with denying it camera access permanently, and if that means having the OS lie to it about the existence or state of the hardware, so be it. Is fitbit going to refuse to install on anything that doesn't have a camera (there's gotta be something out there without a camera...)?

Re: What kind of person did they study?

[phocion]

If your phone is rooted, then install the Xposed framework and Xprivacy. Does exactly what you're describing.

Re:

[thunderclap]

Which is why the UAC was useless to begin with and a primary contributor of the problem mentioned. Once we decide to do something, a innocuous box warning of nebulousness isn't effective. Its annoying and intrusive. I don;t have UAC enabled for that reason. I have tools enabled that simply do the job windows claimed UAC does without being inconvenient and pointless. That is the solution. Knowledge of whether the program is bad too begin with. Blocking of known bad actors beforehand. Prevention of said insta

Re:

[AmiMoJo]

Often the purpose is to cover the developer's arse. If the user was warned any dire consequences are their fault. Hence, warning overload.

Re:

[tlhIngan]

What is the purpose of security alerts if not to warn people who don't know any better? For the crowd that gets it, you could flash a brief icon featuring a guy fawkes mask and that'd be sufficient. I also wonder how many of them would click "proceed anyway" if the pr0ns were there...

The purpose is because the developer doesn't know how to do it properly.

The problem is developers don't want to acknowledge the security problem and are just passing it off - it's called Dancing Pigs (or rabbits, whatever) [wikipedia.org] and

Re:What kind of person did they study?

[duck_rifted]

People in general tend to tune out what they don't understand because they don't have thoughts available to process. We have ALL experienced that -- every last one of us. Doesn't it kind of feel like your brain is busy searching for the right file? Haven't you had instances where you get the same feeling, and then, "Oh yeah!" it clears up? It happens to me any time I'm already preoccupied with something, enter a room for a task, and then get distracted. "Wait... What was I doing?" And it will happen to you with increasingly frequency as you age.

Let's not call people dumb for this. They need to be taught, or security warnings need to engage them better. I mean, come on, can't we do better than a little dialogue box that spews stuff people don't understand? Give people switches and buttons that have an effect they can SEE and they'll get it. A little graphic depicting what they're giving permission to that changes as the mark or clear a checkbox, with a chance to apply after the selection, would work perfectly. Give their brains the file they can't find.

Re:What kind of person did they study?

[dcollins117]

Did they test with dumb regular users who don't understand or don't know better, or did they test people who actually know what those security warnings mean and the real consequences of ignoring them?

Hold on, TFA says they note a decrease in visual processing. Perhaps the decrease in visual processing is because the user is using another part of their brain to process the new information, and to appropriately decide what the best response is.

They also note an "overall" decrease after repeated exposures to the same message, but that's what we do; we learn from experience. That's a feature, not a bug.

Re:

[sudon't]

On today's web sites you're faced with a multitude of useless things popping up that you have to click away. Of course you begin to ignore them. Then, when some actually useful information comes along, you pay it no attention. I do wish web sites would stop spamming us with their various pop ups, or whatever they call that junk sliding in and out and over the page.

Re:

[K. S. Kyosuke]

The study was confounded by the porn pages in the background that weren't decorrelated from the security warnings. It's the former that made the brains shut down.

Re:

[gl4ss]

well even knowing users might have had to deal with them enough that their brain shuts down.

I mean, if daily launch a program that brings up a security prompt yes/no and you press yes every day and you know it's ok, it teaches you that there's nothing to think in that prompt and that it's mainly annoying.

windows uac pops to mind. yes, yes, I want to update the graphics driver.....

Of course

[heldal]

I want titties, but these stupid alerts keep popping up

Drives IT people nuts

[TheReaperD]

I've witnessed this so many times as an IT tech that it's sickening. Even if we're standing there and try explaining it, our words just end up in "don't care" brain bin and they'll click on anything that makes the message go away the fastest. I've even had them click on "yes" then "Ok" on the install even when I was standing there and told them not to. It's like they're "listening" to their mother in law. Irritating as hell.

In defense of users...

[Anonymous Coward]

There have been too many times where I have gone to a website I frequent and find their certificate has expired. A couple days later, there may be a sheepish apology from them.

Then there are warnings about reloading pages because whoever designed the website didn't handle the back button correctly.

Then there are the redirection warnings because of yet another shitty web design.

They start to get insensitive about those things. And some of the warnings come in such rapid succession -really? I've had to click

Re:Drives IT people nuts

[war4peace]

This behavior doesn't have IT roots. It has "the boy who cried wolf" roots.
We're surrounded by warnings, all the time. Warning! Wet floor. Warning! 0.5 inches of snow tomorrow. Warning! This beverage might be hot. Warning! This battery might explode if you put it in a microwave.

No wonder people have their responses to warnings (of all kinds) dulled to non-existence.

Re:

[Anonymous Coward]

they can't be bothered to pay attention because they suffer warning fatigue.

Re:

[Anonymous Coward]

Warning! Stupid AC detected!

Re:

[martin-boundary]

[Ok]

new medical research read it cancel or allow?

[Joe_Dragon]

new medical research read it cancel or allow?

Doesn't the screen black out?

[The New Guy 2.0]

For those using other platforms, just a reminder that Windows turns the monitor black for a few seconds before showing a security warning or request...

Re:

[Billly Gates]

Under 8 yes. 7 no as it is more classical skuemorphic design supports gradients and 3d and back shadows

Worker Bees vs Problem Solvers

[BoRegardless]

Many just want to get through the day w/o serious thought, which is also why they pick 1111 for passwords.

Wonder same with Metro on 8

[Billly Gates]

One thing that infuriates me is everything HAS to go full screen and hide all in the name of anti skuemorphic design

Re:

[duck_rifted]

Windows 10 changes that. I look forward to that change. An option during installation, to get rid of Metro completely and just use the old interface, would be even better. But when we use a new version of Windows, they want us to feel like it's new and shiny. Marketing.

Information content

[Livius]

Obviously their brains will shut down since 99% of 'security' prompts are mere nuisances with no value whatsoever. The brain notices patterns like that pretty quick.

Re:

[Anonymous Coward]

Completely agree.

Adobe Flash Player updater craps out always at 25% on Mac OS, their support is shit, and when you can find the actual update buried in some asinine place on their servers, it creates a the warning about running something off of the internet. Flash should just die ad any web developer using should be shot to death with a beanbag gun.

It's incompetence and stupidity like that has users not taking security warnings seriously.

Re:Information content

[Pentium100]

Also, the warnings all are very similar even though the problems they warn about are different. Let's take a look at SSL warnings. When a browser puts up the huge warning that there is a problem with SSL, it could mean one of a few things:
1) The certificate is self-signed. A big problem except for internal sites.
2) The certificate expired 10 minutes ago or you computer's clock is wrong (not that big a problem).
3) The certificate is for a different domain. This could be a problem or not, depending on the domain (could be the certificate is issued for www.example.com and I am going to example.com or 127.0.0.1).
4) The mobile browser does not understand wildcard certificates.

The problem is that the warnings all look the same and to find out which problem it is, you have to click on the "Technical details" button.

...DUMMY MODE

[TigerPlish]

in BOFH speak, from a couple of decades ago.

What is old is new again?

This explains all my speeding tickets...

[Anonymous Coward]

Serisously though, most people tune out warnings because once read, its the same info. There is no point for the brain to waste time trying to correlate a message that is already understood and unchanging.

It takes one time to recognize the skull and crossbones on say bleach, so you just tune it out the next time. Your mind already got the message its deadly. Unfortunetly this is also what happens when people become careless and through cosh into the wind. (like the giant munition explosion a few years back

Reflex

[Tablizer]

Married men learn to ignore nagging.

Re:

[Tablizer]

That's where they use their spells on you.

I expect even less brain activity when

[burtosis]

Slashdotters see a new summary. Gonna fess up here i made it about half way through, got bored and posted.

Anecdotal evidence

[jrumney]

I was going to post something insightful, but I got a warning from my browser about sending data over an insecure channel to http://slashdot.org and my brain shut down.

License click-throughs

[Bing Tsher E]

The more important thing to research is License click-throughs. If it can be determined that the normal human reaction to a License agreement click-through is to punch right through without reading, it won't be hard in a court of law to declare them void. I make it a practice to NEVER read them. Most other people do too. So I can testify to that in court if ever necessary.

Popup messages are completely ineffective

[Tony Isaac]

My company had a customer whose nightly backups were failing. Every time every user in the company (hundreds of them) logged in to the system, they were presented with a message pop-up warning that the backups had been failing. This went on for WEEKS before anyone bothered to notify the software vendor (who managed the backup system).

There seem to be a couple of principles at work here:
1. Not my job. Everybody at the company knew it wasn't their job to keep the backups working, so they ignored the warning.
2. In the way. Everybody had something they needed to do, so they simply clicked whatever they had to (the OK button) to get past the prompt and do their work.

It's like the license agreements on software installers. Everybody just clicks "I Agree" because they know they have to do so to get to the next screen, not necessarily because they actually agree.

Re:

[dinfinity]

#1: De managing company should have made sure that the "failure" messages would reach them without the intervention of a human. Maybe by just emailing them.

Exactly, if you need to rely on end users for receiving failure messages for an absolutely essential service, you have failed horribly.

Re:

[RuffMasterD]

Doesn't help when software overuses such an annoying feature. A teacher at university actually insisted we respond to every user action with a popup acknowledging the action. User saves a file. Popup: "File saved". Well thank fuck you told me, because there is no way I would have noticed pressing the save button if you hadn't blocked me from doing my thing to show a popup! Or even worse: "Are you sure you want to action X?" where X is benign and completely reversable. Of course I fucking want to do X, I jus

Re:

[ebvwfbw]

I remember a chick sending out notices on what was being backed up. For years. A guy lost around 6 TB of data. HUH? Not backed up? Turned out she had just sent it a week before. He didn't even bother to look at it. She said - TS. Read your e-mail next time. It took him about 6 months to get that data back.

Years ago me and a bunch of other guys were thinking of offering an idiots class. Where they can ignore things and deal with the consequences of their stupidity. Never went anywhere. We'd have to do the

Re:

[RyoShin]

We had a similar thing at my workplace. We have a number of network drives assigned by GP, to all accounts, but over time most have become obsolete. Two years ago we migrated to from WinServer2003 to 2008. In 2008 or an update installed shortly thereafter, you couldn't assign a username/password when making a network connection through GP due to it being a big security hole, and without that one of the network drives always failed to connect. However, that drive was not used anymore, so it wasn't a problem

W

It's normal

[tgv]

This repetition suppression (as it's called) is normal in BOLD responses (the thing fMRI measures). It happens for every stimulus. It also happens when someone reads a word for the second time, and guess what: when reading it for the second time, processing is faster and less error prone. This is called the priming effect. It's hypothesized that it actually shows an accumulation of neural activity. So a "precipitous drop" is nothing to worry about: it's a symptom of the underlying processes, and moreover: i

A Warning should be connected with actual ...

[allo]

consequences.

This means, if i get a TLS-Warning, it's mostly safe to click it away. Usually its a browser to stupid to ship the CACert Certificate.
This is no problem, because the warning is not neccessary, as the site is secured and the access does not need to be encrypted anyway, because i just want to read something. Nevertheless, the browser panics.
Now i come across some confidential page, which wants me to enter my credit card number. Now i need to awake my brain "hey, maybe i do not want to ignore the

Don't give them the option

[ebvwfbw]

Really tired of us in the computer biz enabling people to do stupid things that we can prevent. SSL 3.0 is vulnerable, really sucks. Update it to disable/remove it. If it's disabled, make them swear to God that they really know what they are doing to get it back. Don't let them click through.

We went through this with the Format command. At first you would type in format a:. Unfortunately format defaulted to your current drive so if you typed in format, it clobbered C:. So they added a "are you sure". C: go