Ignoring Cyber Security Warnings: Disrupting the Norm

Despite the continual emergence of new malware, hackers, and data breaches, people continue to ignore security warnings. Researchers have suggested this all comes down to our brains.

With most successful cybersecurity attacks, we are constantly seeing it come down to basic human errors. From opening phishing emails to using weak passwords to running outdated software, people have long been compromising their own – or their employers’ – security. Cyber-criminals are always looking to exploit this flaw.

Most People Are Ignoring Cyber Security Warnings

We tend to blame people for clicking on links to malware or not following policies or training. Unfortunately, we are training people to ignore warnings. Think about your own experience – how often do you ignore a security warning that a website is not secure? We often believe, correctly, that it is an expired certificate and nothing is wrong. Also, with all the scam security warnings that pop up, we have allowed people to become accustomed to believing that the warnings are not valid.

At several organizations, I have seen people accessing internal information through web services where a warning pops up that everyone knows to ignore. Rather than fixing the issue, it is “easier” to just tell people to ignore it.

Also, the timing of the warnings or the activity being performed have an impact on why they are ignored. A 2016 BYU study showed more than 70% of people ignored warnings if they were closing a window or watching a video. More than 80% of people ignored the warning if they were transferring data.

Stop “Crying Wolf”

This is the classic crying wolf or the sky is falling scenario. We send out communication after communication about being careful about what links or information we share. Then we tell staff and others to ignore our training when it is convenient. We send the messages when people are least likely to act on them. The BYU study found that messages tend to be sent at times which cause “dual task interference” whereby performing even a simple action we lose performance – think multi-tasking.

What can you do?

1. Train people on the difference between legitimate warnings and scams or “scareware” messages.
2. Try to send warnings when individuals are less likely to ignore them. A good example is while waiting for a page to load.
3. Offer rewards or incentives for desired behaviors. Consider recognizing the fastest or most actions performed. It is amazing how making a game or competition of it helps facilitate behavior.
4. Frequent and consistent training and communication.

We must constantly consider what improvements and changes we need to make to ensure that our organizations are more resilient and prepared. What worked even five years ago may not be effective today. Because business processes and priorities change, our security and resiliency measures must be continually evaluated to make sure they match our current needs. For areas where people are the weak link, such as security, we need to take into account behaviors, actions, and reasons for those actions so that we can make the necessary modifications to the process and minimize human error, whether intentional or unintentional. People really are the most important line of protection in your organization’s security program. Rather than letting your users go on ignoring cyber security warnings, it is your job to help them see and act on them. Encouraging your users to head warnings will only maximize the strength of your program.