Using fMRI to Measure Stimulus Generalization of Software Notification to Security Warnings

This paper examines how habituation to frequent software notifications may carry over to infrequent security warnings. This general process—known as stimulus generalization or simply generalization—is a well-established phenomenon in neurobiology that has clear implications for information security. Because software user interface guidelines call for visual consistency, software notifications and security warnings have a similar look and feel. Consequently, through frequent exposure to notifications, people may become habituated to security warnings they have never seen before. The objective of this paper is to propose an fMRI experimental design to measure the extent to which this occurs. We also propose testing security warning designs that are resistant to generalization of habituation effects.
