Users Aren't (Necessarily) Lazy: Using NeuroIS to Explain Habituation to Security Warnings

Warning messages are one of the last lines of defense in information security, and are fundamental to users’ security interactions with technology. Unfortunately, research shows that users routinely ignore security warnings. A key contributor to this disregard is habituation, the diminishing of attention through frequent exposure. However, previous research has examined habituation indirectly by observing its influence on security behavior, rather than measuring habituation itself. We contribute by using functional magnetic resonance imaging (fMRI) to directly observe habituation as it occurs in the brain. Our results show that with repeated exposure to warnings, neural activity in the visual processing centers sharply decreases. We also show that this process occurs for images of both security warnings and general software applications, although habituation is more severe for security warnings. Our findings suggest that habituation is not due to users’ laziness or carelessness, but is a natural consequence of how the brain works.
