Should Developers Compensate For End Users Who Dismiss Security Alerts?

Digital security is confusing to users. Experts don’t always agree on how to stay secure, and users don’t have time to figure it out. The security space is too complex to create an absolute standard set of rules to follow, although Google has come close.

Many people believe maintaining application security is entirely the developer’s job; they carelessly log into their email and bank accounts on unsecured Wi-Fi networks. They ignore crucial system-generated security alerts and wait too long to upgrade or install patches. When a user fails to maintain security on their end, they often end up falling prey to hackers and data breaches. Most security breaches wouldn’t happen if users would engage the security alerts instead of ignoring them.

Can a developer get end users to engage the security warnings that pop up on their screen? The answer is yes, and it’s all about timing.

Why users largely ignore security alerts: Bad timing

The majority of computer users perceive system-generated alerts, including security alerts, as an interruption. For example, a BYU study revealed 74% of participants ignored security messages that popped up when they were in the process of closing a browser window; 79% ignored alerts if they were watching a video; 87% ignored alerts while copying and pasting a confirmation code.

Despite people who seem to be able to do everything at once, the human brain isn’t capable of giving attention to multiple tasks at once. Most people call this multi-tasking. In the scientific community, it’s called Dual Task Interference Theory (DTI). The result isn’t getting more done – the result is poorly performed tasks, exhaustion, and overwhelm.

The BYU study found that timing is one of the three main factors that influence the severity of an interruption. The other elements are the delay of interruption and the complexity of the interrupting secondary task.

DTI can be reduced significantly by timing interruptions intelligently, which will make users more likely to engage system-generated security alerts.

What is “good timing” for sending digital security alerts?

What is the best time to present an interruption, and can a developer present an alert at that specific time? Colleagues involved in the BYU study found that people pay the most attention to security alerts when they pop up after watching a video, while waiting for a webpage to load, and after interacting with a website. It makes sense, but it’s not standard practice in the software industry. At least not yet.

Google, on the other hand, redesigned Chrome’s security alerts when it discovered 70% of users clicked “proceed anyway” after getting a message that the website’s security certificate isn’t trusted.

Today, software developers can no longer ignore the fact that users ignore their responsibility in maintaining security. Developers must do everything possible to get users to do their part. The software itself should be easy to use and frequently updated, but it’s time for developers to make well-timed system-generated alerts part of the development process.

What if your application collects payments: More responsibilities

Developing and maintaining an application that handles financial data comes with the extra responsibility to get users to engage security alerts. For example, say you’ve developed an application for landlords to collect rent online. Your customers (landlords) are bound by the PCI security standards and will look for software that best supports these standards.

Developing PCI compliant software isn’t enough. You have an additional responsibility to get users to engage system-generated alerts required to maintain security, like updates. Users who ignore security alerts are putting themselves at risk, and if something goes wrong, they’re going to point the finger at the software developers.

Even when it's not the developer's fault, he or she is still responsible

It’s never a developer’s fault when a user fails to perform updates and install patches. However, it’s always a developer’s responsibility to do everything possible to get users to perform updates and install patches. Consumers don’t usually understand the risks of ignoring security alerts until it’s too late.

It’s not a developer’s job to educate the general public regarding application security. Such a task would be impossible. Dealing with security issues is too complex for most users, and they’d rather not think about it.

Taking responsibility in this sense doesn’t mean you’re legally responsible for users who fail to maintain security on their end; it means you’re committed to doing everything you can to give users the best experience with your software, including making security less burdensome for the user.