(Not to suggest that could or should be the solution in this particular case — obviously undo doesn’t seem like the right fit once the alert has gone out).
> “Even though the menu option still required confirmation that the user really wanted to send an alert, that wasn’t enough, on this occasion, to prevent the worker from robotically clicking onwards.”
> “It was too easy — for anyone — to make such a big mistake,” Rapoza told the Post.
Is the "ballistic missile alert technician" role filled by freaking interns or something? HEMA is a part of the DoD, so is this not a military role of some sort where discipline is impressed upon people?
> HEMA has also added a requirement for a second person to confirm the message to be sent, hopefully preventing the first from simply clicking through mistakenly.
But don't worry, we'll just double the humans required (and likely, the cost) since you can't actually trust one human to read confirmation boxes when they're dealing with a first-line defense system that impacts millions of people.
Certainly UX can always be improved, but doing so without proper training and making the operator ultimately responsible for their actions is just ridiculous.
Sure the buttons could have been named something different, but with a confirmation box, this UX passes what should be considered reasonable to prevent a literate and aware individual (the only type that should be approved for this position) from making a mistake like this.
I'm really astonished at the need to defend my position on this... it's almost like everyone replying here is thinking that they, too, would treat a legitimate missile defense drill (in the era of saber-rattling between Trump and Kim) the same way they treat installing a software EULA or an update to their FB ToS.
You're staking out some pretty tough ground, there. Human error can be unconscious or reflexive, and that type of UI element is sometimes barely a speedbump, cognitively.
Occasionally I reflexively click-through a confirmation dialogue box and regret it. I feel like I've been trained by the software industry for decades to bludgeon my way through these confirmations, many of which are unnecessary to begin with. I basically have muscle memory for it, the skids are greased for clicking-through. I know I'm not the only one.
So, I could see myself making this type of slip. It's really hard to know the balance between human and system error for this incident, but to me it looks like the system naively assumes a perfect human. Even if the incident turns out to have been an intentionally malicious act, the problem with the system would still remain.
Agreed, click-through should be nigh impossible. You need to do something that deviates so much from the normal routine that you don't accidentally do it.
One way to do this is to let the operator do a simple task that can't be clicked through.
Then we're truly fucked because the UX is designed and built by humans, tested by humans, approved by humans and then taught and learned by other humans. That's a whole chain of humans that need to not make a mistake, but I'm guessing if any of them do, they have their own technology or chain of "other' humans, they can blame it on.
"It's not my fault, we just followed the design, QA should have caught it!" --> "It wasn't in our test spec!" --> "Well, certainly trained military personnel aren't so dense as to not read the dialog, even if they somehow forget which of 2 buttons does what... I mean, you can only plan for so much stupid, right?"
But hey, The future is now! Nobody has to be responsible for anything! Ready or not, Singularity, here we come!
It's not the operator's fault if two completely separate sets of functionality have been designed almost identically, have been placed right next to each other, have the exact same fail-safes (regardless of priority), and have no option to undo a mistaken selection.
They also had to robotically click through a dialog box to confirm... it is ABSOLUTELY the operators fault.
Do they run drills every 2 minutes? No, I doubt it, if you're running a drill on an actual attack scenario, how are you not being mindful of what you're doing and just acting robotically?
We train people in the military to act without thinking, but usually they aren't put in a position to use that training until they reflexively perform the correct action reliably in training.
If the UX is new, then they should have had training on it before doing a live drill and it's managements fault. If it isn't, then they fucked up and it's the operators fault.
Humans have agency and they're ultimately responsible. We really want the ultimate authority for whether our missile defense is effective to be whatever UX shop that HEMA/DoD outsource to?
I guess they're just added for tradition then? Superstition maybe? Obviously it's not for liability since everyone seems to hold the UX designers liable here.
They're meaningless when they're meaningless, context matters.
As I said in another comment, if you are approaching a missile strike drill the same way you approach your FB ToS then YOU are the problem.
Ok, then the UX for launching a missile warning should be 2 people performing a simultaneous key turning action after decoding the missile defense warning key code coming from management.
Launching ICBMs has a completely different reason for requiring multiple people and a hierarchy, because 1 person shouldn't be able to unilaterally destroy a city.
That is a completely different problem than "someone can't be bothered to remember what button to push, or to read and comprehend a simple dialog box".
Sorry, I’m not buying it. It takes supervisor approval to void a duplicate scan of a $3 item at Trader Joe’s. No way in hell does an emergency alert system allow just anyone sitting at the computer to send one just because they want to.
In the event of an emergency, do you really want it to come down to asking a supervisor?
It’s literally a worse case scenario and you can’t expect multiple people to be there. The off chance that trying to get supervisor approval taking 10+ mins means that no one gets notified in time.
I got the message. I’m mad it was sent out but it’s better they learn these problems now rather than during an emergency. I don’t think having another person approve it would be a better situation. Just make the interface more clear or even add a buffer of 5 seconds to cancel the alert before it even gets sent.
22 comments
[ 2.9 ms ] story [ 56.4 ms ] thread(Not to suggest that could or should be the solution in this particular case — obviously undo doesn’t seem like the right fit once the alert has gone out).
> “It was too easy — for anyone — to make such a big mistake,” Rapoza told the Post.
Is the "ballistic missile alert technician" role filled by freaking interns or something? HEMA is a part of the DoD, so is this not a military role of some sort where discipline is impressed upon people?
> HEMA has also added a requirement for a second person to confirm the message to be sent, hopefully preventing the first from simply clicking through mistakenly.
But don't worry, we'll just double the humans required (and likely, the cost) since you can't actually trust one human to read confirmation boxes when they're dealing with a first-line defense system that impacts millions of people.
Sure the buttons could have been named something different, but with a confirmation box, this UX passes what should be considered reasonable to prevent a literate and aware individual (the only type that should be approved for this position) from making a mistake like this.
I'm really astonished at the need to defend my position on this... it's almost like everyone replying here is thinking that they, too, would treat a legitimate missile defense drill (in the era of saber-rattling between Trump and Kim) the same way they treat installing a software EULA or an update to their FB ToS.
Occasionally I reflexively click-through a confirmation dialogue box and regret it. I feel like I've been trained by the software industry for decades to bludgeon my way through these confirmations, many of which are unnecessary to begin with. I basically have muscle memory for it, the skids are greased for clicking-through. I know I'm not the only one.
So, I could see myself making this type of slip. It's really hard to know the balance between human and system error for this incident, but to me it looks like the system naively assumes a perfect human. Even if the incident turns out to have been an intentionally malicious act, the problem with the system would still remain.
One way to do this is to let the operator do a simple task that can't be clicked through.
Any system that depends on humans never making a mistake is going to fail.
"It's not my fault, we just followed the design, QA should have caught it!" --> "It wasn't in our test spec!" --> "Well, certainly trained military personnel aren't so dense as to not read the dialog, even if they somehow forget which of 2 buttons does what... I mean, you can only plan for so much stupid, right?"
But hey, The future is now! Nobody has to be responsible for anything! Ready or not, Singularity, here we come!
It's not the operator's fault if two completely separate sets of functionality have been designed almost identically, have been placed right next to each other, have the exact same fail-safes (regardless of priority), and have no option to undo a mistaken selection.
This is a system problem, not a staffing problem.
Do they run drills every 2 minutes? No, I doubt it, if you're running a drill on an actual attack scenario, how are you not being mindful of what you're doing and just acting robotically?
We train people in the military to act without thinking, but usually they aren't put in a position to use that training until they reflexively perform the correct action reliably in training.
If the UX is new, then they should have had training on it before doing a live drill and it's managements fault. If it isn't, then they fucked up and it's the operators fault.
Humans have agency and they're ultimately responsible. We really want the ultimate authority for whether our missile defense is effective to be whatever UX shop that HEMA/DoD outsource to?
They're meaningless when they're meaningless, context matters.
As I said in another comment, if you are approaching a missile strike drill the same way you approach your FB ToS then YOU are the problem.
Launching ICBMs has a completely different reason for requiring multiple people and a hierarchy, because 1 person shouldn't be able to unilaterally destroy a city.
That is a completely different problem than "someone can't be bothered to remember what button to push, or to read and comprehend a simple dialog box".
It was easy to unintentionally send a false alarm, but difficult to intentionally send a correction. Not a great system...
It’s literally a worse case scenario and you can’t expect multiple people to be there. The off chance that trying to get supervisor approval taking 10+ mins means that no one gets notified in time.
I got the message. I’m mad it was sent out but it’s better they learn these problems now rather than during an emergency. I don’t think having another person approve it would be a better situation. Just make the interface more clear or even add a buffer of 5 seconds to cancel the alert before it even gets sent.