Your memory is working against you: How eye tracking and memory explain habituation to security warnings

Security warnings are critical to the security of end users and their organizations, often representing the final defense against an attack. Because warnings require users to make a contextual judgment, it is critical that they pay close attention to warnings. However, research shows that users routinely disregard them. A major factor contributing to the ineffectiveness of warnings is habituation, the decreased response to a repeated warning. Although previous research has identified the problem of habituation, the phenomenon has only been observed indirectly through behavioral measures. Therefore, it is unclear how habituation develops in the brain in response to security warnings, and how this in turn influences users' perceptions of these warnings.

This paper contributes by using eye tracking to measure the eye movement-based memory (EMM) effect, a neurophysiological manifestation of habituation in which people unconsciously scrutinize previously seen stimuli less than novel stimuli. We show that habituation sets in after only a few exposures to a warning and progresses rapidly with further repetitions. Using guidelines from the warning science literature, we design a polymorphic warning artifact which repeatedly changes its appearance. We demonstrate that our polymorphic warning artifact is substantially more resistant to habituation than conventional security warnings, offering an effective solution for practice. Finally, our results highlight the value of applying neuroscience to the domain of information security behavior.

Eye tracking is used to measure habituation to security warnings.
Habituation sets in after a few exposures to a warning.
A polymorphic warning is designed to reduce habituation.
The polymorphic warning reduces habituation compared to conventional warnings.
