22 comments

[ 2.9 ms ] story [ 56.4 ms ] thread
This will be an incredibly useful, accessible case study the next time I need to push back on "can we add a confirmation popup?" with corporate bods.
The answer here is to make the action easily reversible if possible.
or at least allow a second-round of vetting for the "Everybody Panic!" option
> “Even though the menu option still required confirmation that the user really wanted to send an alert, that wasn’t enough, on this occasion, to prevent the worker from robotically clicking onwards.”

> “It was too easy — for anyone — to make such a big mistake,” Rapoza told the Post.

Is the "ballistic missile alert technician" role filled by freaking interns or something? HEMA is a part of the DoD, so is this not a military role of some sort where discipline is impressed upon people?

> HEMA has also added a requirement for a second person to confirm the message to be sent, hopefully preventing the first from simply clicking through mistakenly.

But don't worry, we'll just double the humans required (and likely, the cost) since you can't actually trust one human to read confirmation boxes when they're dealing with a first-line defense system that impacts millions of people.

Id say such critical actions always warrant confirmation by a second pair of eyes
Why don't we just redesign the system with good UX? I want to send a copy of "The Design of Everyday Things" to the Hawaiian government now.
Certainly UX can always be improved, but doing so without proper training and making the operator ultimately responsible for their actions is just ridiculous.

Sure the buttons could have been named something different, but with a confirmation box, this UX passes what should be considered reasonable to prevent a literate and aware individual (the only type that should be approved for this position) from making a mistake like this.

I'm really astonished at the need to defend my position on this... it's almost like everyone replying here is thinking that they, too, would treat a legitimate missile defense drill (in the era of saber-rattling between Trump and Kim) the same way they treat installing a software EULA or an update to their FB ToS.

You're staking out some pretty tough ground, there. Human error can be unconscious or reflexive, and that type of UI element is sometimes barely a speedbump, cognitively.

Occasionally I reflexively click-through a confirmation dialogue box and regret it. I feel like I've been trained by the software industry for decades to bludgeon my way through these confirmations, many of which are unnecessary to begin with. I basically have muscle memory for it, the skids are greased for clicking-through. I know I'm not the only one.

So, I could see myself making this type of slip. It's really hard to know the balance between human and system error for this incident, but to me it looks like the system naively assumes a perfect human. Even if the incident turns out to have been an intentionally malicious act, the problem with the system would still remain.

Agreed, click-through should be nigh impossible. You need to do something that deviates so much from the normal routine that you don't accidentally do it.

One way to do this is to let the operator do a simple task that can't be clicked through.

(comment deleted)
That people—even highly trained people—click through confirmation dialogs without reading them is HCI 101.

Any system that depends on humans never making a mistake is going to fail.

Then we're truly fucked because the UX is designed and built by humans, tested by humans, approved by humans and then taught and learned by other humans. That's a whole chain of humans that need to not make a mistake, but I'm guessing if any of them do, they have their own technology or chain of "other' humans, they can blame it on.

"It's not my fault, we just followed the design, QA should have caught it!" --> "It wasn't in our test spec!" --> "Well, certainly trained military personnel aren't so dense as to not read the dialog, even if they somehow forget which of 2 buttons does what... I mean, you can only plan for so much stupid, right?"

But hey, The future is now! Nobody has to be responsible for anything! Ready or not, Singularity, here we come!

Bad UX can kill people.

It's not the operator's fault if two completely separate sets of functionality have been designed almost identically, have been placed right next to each other, have the exact same fail-safes (regardless of priority), and have no option to undo a mistaken selection.

This is a system problem, not a staffing problem.

They also had to robotically click through a dialog box to confirm... it is ABSOLUTELY the operators fault.

Do they run drills every 2 minutes? No, I doubt it, if you're running a drill on an actual attack scenario, how are you not being mindful of what you're doing and just acting robotically?

We train people in the military to act without thinking, but usually they aren't put in a position to use that training until they reflexively perform the correct action reliably in training.

If the UX is new, then they should have had training on it before doing a live drill and it's managements fault. If it isn't, then they fucked up and it's the operators fault.

Humans have agency and they're ultimately responsible. We really want the ultimate authority for whether our missile defense is effective to be whatever UX shop that HEMA/DoD outsource to?

A single dialog box is meaningless, as any UX designer (and IT professional) knows.
I guess they're just added for tradition then? Superstition maybe? Obviously it's not for liability since everyone seems to hold the UX designers liable here.

They're meaningless when they're meaningless, context matters.

As I said in another comment, if you are approaching a missile strike drill the same way you approach your FB ToS then YOU are the problem.

Right. That's why you only need one person to launch an ICBM. Oh wait.
Ok, then the UX for launching a missile warning should be 2 people performing a simultaneous key turning action after decoding the missile defense warning key code coming from management.

Launching ICBMs has a completely different reason for requiring multiple people and a hierarchy, because 1 person shouldn't be able to unilaterally destroy a city.

That is a completely different problem than "someone can't be bothered to remember what button to push, or to read and comprehend a simple dialog box".

>On Saturday, sending that second “false alarm” alert required extraordinary permission, delaying it for 38 minutes.

It was easy to unintentionally send a false alarm, but difficult to intentionally send a correction. Not a great system...

Sorry, I’m not buying it. It takes supervisor approval to void a duplicate scan of a $3 item at Trader Joe’s. No way in hell does an emergency alert system allow just anyone sitting at the computer to send one just because they want to.
In the event of an emergency, do you really want it to come down to asking a supervisor?

It’s literally a worse case scenario and you can’t expect multiple people to be there. The off chance that trying to get supervisor approval taking 10+ mins means that no one gets notified in time.

I got the message. I’m mad it was sent out but it’s better they learn these problems now rather than during an emergency. I don’t think having another person approve it would be a better situation. Just make the interface more clear or even add a buffer of 5 seconds to cancel the alert before it even gets sent.