Our paper, “Neural Correlates of Gender Differences and Color in Distinguishing Security Warnings and Legitimate Websites: A Neurosecurity Study,” has been accepted to the Journal of Cybersecurity, a new journal published by Oxford University Press. In this exploratory study, we used electroencephalography (EEG) to examine how two fundamental biological factors—gender and color perception—influence users’ reception of security warnings (see image of a BYU student participant below).
Our results showed that women exhibit higher brain activity than men when viewing malware warnings. However, we found that there was no change in brain activity when viewing red warnings (such as the Chrome phishing warning below) compared to grayscale warnings.
This paper is significant to our lab because it was the first neurosecurity study we conducted together. It also led to our expanded EEG study that was published last year in the Journal of the Association for Information Systems (JAIS).
From the abstract:
Users have long been recognized as the weakest link in security. Accordingly, researchers have applied knowledge from the fields of psychology and human–computer interaction to understand the security behaviors of users. However, many cognitive processes and responses are unconscious or obligatory and yet still have a profound effect on users’ security behaviors. With this in mind, researchers have begun to apply methods and theories of neuroscience to yield greater insights into the “black box” of user cognition. The goal of this approach—termed neurosecurity—is to better understand and improve users’ behaviors.
This study illustrates the potential for neurosecurity by investigating how two fundamental biological factors—gender and color perception—affect users’ reception of security warnings. This is important to determine because research has shown that users frequently fail to appropriately respond to security warnings. We conducted a laboratory experiment using electroencephalography (EEG), a proven method of measuring neurological activity in temporally sensitive tasks. We found that the amplitude of the P300—an event-related potential (ERP) component indicative of decision-making ability—was higher for all participants when viewing malware warning screenshots relative to legitimate website shots. Additionally, we found that the P300 was greater for women than for men, indicating that women exhibit higher brain activity than men when viewing malware warnings. However, we found that there was no change in the P300 when viewing red warnings compared to grayscale warnings. Together, our results demonstrate the value of applying neurosecurity methods to the domain of cybersecurity and point to several promising avenues for future research.