Neurosecurity Lab at USENIX Enigma 2017

Tony presented recent work of the Neurosecurity Lab at USENIX Enigma 2017, a TED-style security conference held annually in the San Francisco Bay Area.

USENIX Enigma is interesting because its attendees and presenters are equal parts security academics and practitioners, with significant representation from Silicon Valley companies. It also has a strong emphasis on presentation quality.

Presentation Video

The talk received news coverage in a number of outlets, including:

Three New Research Articles on Habituation to Security Warnings

The Neurosecurity Lab has three recently published or accepted research articles on habituation to security warnings: (1) Journal of Management Information Systems (JMIS), (2) Decision Support Systems (DSS), and (3) ACM Conference on Human Factors in Computing Systems (CHI) 2017.

Journal of Management Information Systems

Our article, “From Warning to Wallpaper: Why the Brain Habituates to Security Warnings and What Can Be Done About It,” was published in December. It is an expanded version of our 2015 CHI paper. JMIS is widely recognized as one of the top three journals of the field of Information Systems.

The article reports the findings of two separate laboratory experiments that used fMRI and mouse cursor tracking to show how users habituate to security warnings. The fMRI experiment showed how neural activity in the visual processing center of the brain decreases precipitously with repeated exposures to a warning. We also found that a polymorphic warning design that repeatedly changed its appearance was resistant to the effects of habituation.

From the abstract:

Warning messages are fundamental to users’ security interactions. Unfortunately, research has shown that they are largely ineffective. A key contributor to this failure is habituation: decreased response to a repeated warning. Previous research has inferred the occurrence of habituation to warnings or measured it indirectly, such as through the proxy of a related behavior. Therefore, there is a gap in our understanding of how habituation to security warnings develops in the brain. Without direct measures of habituation, we are limited in designing warnings that can mitigate its effects.

In this study, we use neurophysiological measures to directly observe habituation as it occurs in the brain and behaviorally. We also design a polymorphic warning artifact that repeatedly changes its appearance in order to resist the effects of habituation. In an experiment using functional magnetic resonance imaging (fMRI; n = 25), we found that our polymorphic warning was significantly more resistant to habituation than were conventional warnings in regions of the brain related to attention.

In a second experiment (n = 80), we implemented the top four most resistant polymorphic warnings in a realistic setting. Using mouse cursor tracking as a surrogate for attention to unobtrusively measure habituation on participants’ personal computers, we found that polymorphic warnings reduced habituation compared to conventional warnings. Together, our findings reveal the substantial influence of neurobiology on users’ habituation to security warnings and security behavior in general, and we offer our polymorphic warning design as an effective solution to practice.

Article Download

Download a PDF of the article here.

Decision Support Systems

Our article, “Your Memory Is Working Against You: How Eye Tracking and Memory Explain Habituation to Security Warnings,” was published in December. This study examines habituation to security warnings in a laboratory experiment using eye tracking.

Habituation was measured in terms of the eye movement-based memory (EMM) effect, a neurophysiological manifestation of habituation in which people unconsciously scrutinize previously seen stimuli less than novel stimuli. Consistent with our JMIS findings, we also found that participants habituated less in terms of eye fixations to a polymorphic warning compared to conventional warnings.

From the abstract:

Security warnings are critical to the security of end users and their organizations, often representing the final defense against an attack. Because warnings require users to make a contextual judgment, it is critical that they pay close attention to warnings. However, research shows that users routinely disregard them. A major factor contributing to the ineffectiveness of warnings is habituation, the decreased response to a repeated warning. Although previous research has identified the problem of habituation, the phenomenon has only been observed indirectly through behavioral measures. Therefore, it is unclear how habituation develops in the brain in response to security warnings, and how this in turn influences users’ perceptions of these warnings.

This paper contributes by using eye tracking to measure the eye movement-based memory (EMM) effect, a neurophysiological manifestation of habituation in which people unconsciously scrutinize previously seen stimuli less than novel stimuli. We show that habituation sets in after only a few exposures to a warning and progresses rapidly with further repetitions. Using guidelines from the warning science literature, we design a polymorphic warning artifact which repeatedly changes its appearance. We demonstrate that our polymorphic warning artifact is substantially more resistant to habituation than conventional security warnings, offering an effective solution for practice. Finally, our results highlight the value of applying neuroscience to the domain of information security behavior.

Article Download

Download a PDF of the article here.

CHI 2017

Our article, “What Do We Really Know about How Habituation to Warnings Occurs Over Time? A Longitudinal fMRI Study of Habituation and Polymorphic Warnings,” is forthcoming at CHI 2017, held this year in Denver, Colorado. CHI is widely considered the premier conference in the field of human–computer interaction.

Whereas previous studies on habituation (including our JMIS and DSS studies above) examined habituation at a single point in time, this study observed habituation over the course of a workweek in five daily experimental sessions. We measured habituation using fMRI and eye tracking simultaneously, validating that eye tracking is a useful, non-obtrusive method for measuring habituation.

We found that people habituated rapidly to repeated warnings within a single laboratory session (both in terms of decreased neural activity and fewer eye fixations). However, we observed a recovery effect of attention from one day to the next when warnings were withheld. Unfortunately, this recovery effect wasn’t enough to offset the overall pattern of habituation across the workweek. More positively, we found that a polymorphic warning with only four variations was able to significantly sustain attention over time.

From the abstract:

A major inhibitor of the effectiveness of security warnings is habituation: decreased response to a repeated warning. Although habituation develops over time, previous studies have examined habituation and possible solutions to its effects only within a single experimental session, providing an incomplete view of the problem. To address this gap, we conducted a longitudinal experiment that examines how habituation develops over the course of a five-day workweek and how polymorphic warnings decrease habituation. We measured habituation using two complementary methods simultaneously: functional magnetic resonance imaging (fMRI) and eye tracking.

Our results show a dramatic drop in attention throughout the workweek despite partial recovery between workdays. We also found that the polymorphic warning design was substantially more resistant to habituation compared to conventional warnings, and it sustained this advantage throughout the five-day experiment. Our findings add credibility to prior studies by showing that the pattern of habituation holds across a workweek, and indicate that cross-sectional habituation studies are valid proxies for longitudinal studies. Our findings also show that eye tracking is a valid measure of the mental process of habituation to warnings.

Article Download

Download a PDF of the article here.

Future Work on Habituation

Despite the publication of these three articles, we’re not done with the topic of habituation yet. We recently completed a three-week field experiment that examines habituation in terms of reduced warning adherence behavior. This study is currently under peer review. We have also begun a pilot test to examine how the effects of habituation generalize from familiar notifications to novel warnings that share visual similarities. Across all of these studies, we’re seeking to find ways to reduce habituation so that warnings don’t lose their efficacy over time.

Bruce Schneier Visits the BYU Neurosecurity Lab

We recently had the pleasure of hosting author and security thought-leader, Bruce Schneier, at the Neurosecurity Lab. We know Bruce from presenting at the Workshop on Security and Human Behavior (2014, 2015, and 2016), which he co-chairs. Bruce has also featured our work on his blog, Schneier on Security.

We gave Bruce a tour of the MRI Facility:

[Image: Bruce at the MRI facility]

As part of the tour, we scanned Bruce’s brain in the MRI scanner:

[Image: Bruce being scanned]

Best of all, Bruce gave a fantastic lecture to our students on security and the Internet of Things:

[Image: Bruce lecturing]

Thanks, Bruce, for visiting us at BYU!

On the Top of the World (Y Mountain)

The Neurosecurity Lab hiked to the top of Y Mountain, an 8,572 ft (2,613 m) mountain named for the 380 ft (116 m) “Y” insignia representing BYU.

It was a beautiful, clear fall morning. Below are some pictures we took.


On top of Y Mountain, overlooking BYU campus and Provo, UT.


The trail leading from the Y to the top of Y Mountain.


A panorama of Rock Canyon from the north summit.


Jeff, Brock, Bonnie, and Dan near the cliffs of the north summit.


After returning to the Y Mountain trailhead.

What the Neurosecurity Lab Has Been Up To this Summer

With summer now officially over, it’s a good time to recap what the Neurosecurity Lab has been up to. We’ve been very busy, with a major publication, presentations on three continents, and our ongoing research.

Study on Interruptions and Security Messages Published in ISR

Our study, “More Harm than Good? How Messages that Interrupt Can Make Us Vulnerable,” was published online at Information Systems Research, one of the top two journals of the field of Information Systems. This article received press coverage in a number of outlets, including:

Workshop on Security and Human Behavior (SHB)

[Image: Austin Hall]

Bonnie and Tony presented at the Workshop on Security and Human Behavior, held at Harvard Law School. Bruce Schneier describes the workshop this way:

SHB is a small invitational gathering of people studying various aspects of the human side of security. The fifty or so people in the room include psychologists, economists, computer security researchers, sociologists, political scientists, philosophers, political scientists, neuroscientists, lawyers, anthropologists, business school professors, and a smattering of others. It’s not just an interdisciplinary event; most of the people here are individually interdisciplinary.

These are the most intellectually stimulating two days of my year; this year someone called it “Bruce’s brain in conference form.”

Bonnie and Tony participated in a panel on security decision making with Anupam Datta, Robin Dillon-Merrill, Serge Edelman, and Angela Sasse.

[Image: SHB panel, 2016]

Ross Anderson summarized Bonnie’s presentation this way:

The last session of Tuesday was started by Bonnie Anderson from the neurosecurity lab at BYU. Mostly we tune out security warnings because we’re busy; if warnings could avoid dual-task interference they’d be more effective and less annoying. An overload in the MTL temporal lobe is responsible, and she’s been working with the Chrome security team to investigate bad times to interrupt a user (so: not during a video but after, not while typing, while switching between domains of different types …). Now she has an eye tracker that can be used with fMRI and is testing polymorphic warnings, jiggling warnings and much more. This demonstrated that polymorphic warnings are more resistant to habituation, and that eye tracking studies give much the same results as fMRI.

And here’s Ross’ summary of Tony’s presentation:

Tony Vance studies habituation in communication. It’s not the same as fatigue, as polymorphic stimuli still work, but rather a means of saving effort. However people habituate to whole classes of UI designs; and notifications are becoming pervasive and desensitising in general. It’s not just habituation you have to forestall, but generalisation too. It’s good that the Chrome team worry about their warning design, but not sufficient; their good design can be impacted by others’ poor design (or downright mimicry). Tony has been using eye tracking and fMRI to explore all this.

Interdisciplinary Symposium on Decision Neuroscience

Brock and Dan presented a poster at the Interdisciplinary Symposium on Decision Neuroscience (ISDN) at Temple University in Philadelphia.

[Image: Dan at ISDN]

Besides presenting, Dan and Brock went to a Phillies game and had a great time. Brock caught a ball and gave it to Dan for his birthday. Best. PhD adviser. Ever.

[Image: Phillies game]

Gmunden Retreat on NeuroIS

[Image: Gmunden Retreat 2016]

Bonnie and Tony participated in the Gmunden Retreat on NeuroIS, held in the Schloss Ort castle in Gmunden, Austria. This was their commute to work during the conference:

The Gmunden Retreat focuses on neuroscience applications to information systems research. Tony presented on generalization to security messages.


Tony, Bonnie, and colleague Adriane Randolph

European Conference on Information Systems

Bonnie and Tony attended the European Conference on Information Systems, held at Boğaziçi University at Istanbul, Turkey.


The Bosphorus, looking towards the European side of Istanbul

Bonnie presented on our security message interruptions paper, described at the top of this post.

[Image: ECIS presentation]

Symposium on Usable Security and Privacy

[Image: SOUPS 2016]

Finally, Bonnie presented at the USENIX Symposium on Usable Security and Privacy in Denver, Colorado. She presented on generalization to security messages.

Dual-task Interference Study Published in Information Systems Research

Our study, “More Harm than Good? How Messages that Interrupt Can Make Us Vulnerable,” has been accepted to the special issue on “Ubiquitous IT and Digital Vulnerabilities” at Information Systems Research, one of the premier journals of the field of information systems.

In the article, we examine how security messages are impacted by dual-task interference (DTI), a neural limitation in which even simple tasks cannot be simultaneously performed (i.e., multitasking) without significant performance loss. We demonstrated this in two experiments: one using fMRI and another using users’ responses to the Chrome Cleanup Tool (CCT), a security message in Google Chrome.

In the News

Study Summary

First, we used fMRI to show how DTI occurs in the brain when a simple memory task is interrupted with a security message. We found that neural activity in the bilateral medial temporal lobe (MTL) was substantially reduced when a security message interrupted a user in a simple memory task (a high-DTI condition), compared to when a user responded to the security message by itself (Figure 1). This suggests that DTI inhibits one’s ability to utilize the MTL to retrieve information from the long-term memory necessary to respond to permission warnings.


Figure 1. Increased activity in the medial temporal lobe (MTL) in response to the Warning-Only condition compared to the High-DTI condition, in which the warning interrupted a memory task. Warm colors indicate increased blood flow.

Further, we showed that the change in activation in the MTL significantly predicted users’ disregard of the security message, which we define as behaving against the security message’s recommended course of action.

Interestingly, we found that if we finessed the timing of the security message so that it was displayed between memory tasks (a low-DTI condition), then participants had more activation in the MTL as compared to the high-DTI treatment. In addition, participants in the low-DTI condition had significantly lower security message disregard compared to the high-DTI condition (8.8% vs. 22.92%).

Amazon Mechanical Turk Experiment using the Chrome Cleanup Tool

Next, applying the findings of our fMRI experiment, we performed a practical experiment that examined how DTI impacts users’ responses to the Chrome Cleanup Tool (CCT), a security message in Google Chrome for Windows (Figure 2). The CCT detects if malware has tampered with the host computer and manipulated the browser or other Internet settings (Google 2015). When a problem is detected, the CCT displays a message to the user asking for permission to remove the unwanted software and restore Chrome’s original settings. Although the CCT message is important, it does not require immediate attention and, therefore, can be delayed.


Figure 2. Google Chrome Cleanup Tool (CCT) message.

We collaborated with a team of Google Chrome security engineers who develop the CCT to identify low-DTI times to display security messages during the browsing experience, in contrast to high-DTI times when the user would likely be cognitively engaged in another task. These times were selected according to (1) DTI theory and the fMRI results of Experiment 1, (2) input from Google engineers on moments that occur frequently and generalize across a wide variety of web-based activities and users, and (3) a feasibility assessment for implementation in a web browser.

The low- and high-DTI conditions were:

Low-DTI:

  1. At the beginning of the first task.
  2. After the video.
  3. After interacting with a website.
  4. Waiting for a file to process.
  5. Waiting for a page to load.


High-DTI:

  1. In the middle of watching a video.
  2. In the middle of typing.
  3. In the middle of transferring a confirmation code.
  4. In the middle of the movement to close the web page.


Each of these conditions was tested in connection with an online video categorization task on Amazon Mechanical Turk. A total of 856 Turkers participated.

The results were dramatic. Finessing the timing of when the CCT was displayed reduced the rate it was disregarded by users from 80% for high-DTI times to 36% for low-DTI times (see Table 1 below).

Table 1. Percentage of Security Message Disregard for high- and low-DTI experimental conditions.


Finally, we show how mouse cursor-tracking and psychometric measures can be used to validate low-DTI times for security messages to be displayed for other software applications and contexts.

Together, our findings show that the timing of when security messages are displayed makes a substantial difference in how users respond to them. Many security messages are urgent and cannot be delayed (e.g., browser malware warnings). However, for those security messages that are not attached to an immediate threat (like the CCT), using a timing that respects users’ limited cognitive resources can significantly improve the effectiveness of security messages.
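As an added illustration (example code written for this post, not the lab’s study code and not Google Chrome’s implementation), the scheduler below defers a non-urgent message such as the CCT prompt until one of the low-DTI moments listed above, holds it back during the high-DTI moments, and lets urgent warnings through immediately. The class, its activity signals, the 2-second “quiet keyboard” threshold and the timeline it runs are all assumptions of the example.

```javascript
// Added example, not code from the Neurosecurity Lab or from Google Chrome: a small
// scheduler that holds back a non-urgent security message (the CCT prompt in the study)
// until a low-DTI moment and lets urgent warnings through at once. The class, the
// activity signals and the 2-second "quiet keyboard" threshold are this example's own
// assumptions; a browser would derive the signals from DOM events (keydown, play/ended,
// beforeunload, load) instead of the constructed timeline below.

const TYPING_QUIET_MS = 2000; // assumption: 2 s without a keystroke counts as "not typing"

class DtiScheduler {
  constructor(clock) {
    this.clock = clock;             // returns the current time in ms (injected for determinism)
    this.queue = [];                // deferred non-urgent prompts, oldest first
    this.shown = [];                // record of every prompt displayed: {id, reason, at}
    this.lastKeystrokeAt = -Infinity;
    this.videoPlaying = false;
    this.closingPage = false;
  }

  // --- high-DTI signals from the study: mid-video, mid-typing, mid-close ---
  keystroke()         { this.lastKeystrokeAt = this.clock(); }
  videoStarted()      { this.videoPlaying = true; }
  closeGestureBegan() { this.closingPage = true; }
  closeGestureEnded() { this.closingPage = false; }

  // --- low-DTI moments from the study; each one drains the queue if the user is idle ---
  videoEnded()  { this.videoPlaying = false; return this.flush('after video'); }
  taskStarted() { return this.flush('beginning of task'); }
  waiting(what) { return this.flush('waiting for ' + what); } // page load, file processing

  isHighDti() {
    const typing = this.clock() - this.lastKeystrokeAt < TYPING_QUIET_MS;
    return typing || this.videoPlaying || this.closingPage;
  }

  // Ask to show a prompt. Returns true if it was displayed now, false if deferred.
  request(prompt) {
    if (prompt.urgent) {                   // e.g. a malware interstitial: never delayed
      this.display(prompt, 'immediate (urgent)');
      return true;
    }
    if (!this.isHighDti()) {
      this.display(prompt, 'immediate (low DTI)');
      return true;
    }
    this.queue.push(prompt);
    return false;
  }

  // Show every deferred prompt if the user is not mid-task; returns how many were shown.
  flush(reason) {
    if (this.isHighDti()) return 0;
    let shown = 0;
    while (this.queue.length > 0) {
      this.display(this.queue.shift(), reason);
      shown += 1;
    }
    return shown;
  }

  display(prompt, reason) {
    this.shown.push({ id: prompt.id, reason, at: this.clock() });
  }
}

// Constructed timeline (times in ms) exercising the low- and high-DTI conditions above.
function simulate() {
  let t = 0;
  const sched = new DtiScheduler(() => t);

  sched.videoStarted();
  sched.request({ id: 'cct-cleanup', urgent: false });         // mid-video: deferred
  t = 1000;
  sched.request({ id: 'malware-interstitial', urgent: true }); // urgent: shown at once
  t = 5000;
  sched.videoEnded();                                          // after video: CCT shown now
  t = 6000;
  sched.keystroke();
  t = 6500;
  sched.request({ id: 'update-prompt', urgent: false });       // mid-typing: deferred
  t = 7000;
  sched.waiting('file processing');                            // keyboard still "hot": stays queued
  t = 9000;
  sched.waiting('page load');                                  // quiet keyboard: shown now
  return sched.shown;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(simulate());
}
```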

Acknowledgements:

We thank Elisabeth Morant, Adrienne Porter Felt, and Robert Shield of Google, Inc. for their collaboration on the Google Chrome Clean-up Tool experiment.

From the abstract:

System-generated alerts are ubiquitous in personal computing and, with the proliferation of mobile devices, daily activity. While these interruptions provide timely information, research shows they come at a high cost in terms of increased stress and decreased productivity. This is due to dual-task interference (DTI), a cognitive limitation in which even simple tasks cannot be simultaneously performed without significant performance loss. Although previous research has examined how DTI impacts the performance of a primary task (the task that was interrupted), no research has examined the effect of DTI on the interrupting task. This is an important gap because in many contexts, failing to heed an alert—the interruption itself—can introduce critical vulnerabilities.

Using security messages as our context, we address this gap by using functional magnetic resonance imaging (fMRI) to explore how (1) DTI occurs in the brain in response to interruptive alerts, (2) DTI influences message security disregard, and (3) the effects of DTI can be mitigated by finessing the timing of the interruption. We show that neural activation is substantially reduced under a condition of high DTI, and the degree of reduction in turn significantly predicts security message disregard. Interestingly, we show that when a message immediately follows a primary task, neural activity in the medial temporal lobe is comparable to when attending to the message is the only task.

Further, we apply these findings in an online behavioral experiment in the context of a web-browser warning. We demonstrate a practical way to mitigate the DTI effect by presenting the warning at low-DTI times, and show how mouse cursor-tracking and psychometric measures can be used to validate low-DTI times in other contexts.

Our findings suggest that although alerts are pervasive in personal computing, they should be bounded in their presentation. The timing of interruptions strongly influences the occurrence of DTI in the brain, which in turn substantially impacts alert disregard. This paper provides a theoretically-grounded, cost-effective approach to reduce the effects of DTI for a wide variety of interruptive messages that are important but do not require immediate attention.

Article Download

Download a PDF of the article here.

Interview on BYU Radio


Bonnie Anderson was interviewed on BYU Radio’s Top of Mind With Julie Rose program about the Neurosecurity Lab’s research. They discussed specifically why and how we are doing our research, what our findings are, and how we are working with Google and others to implement improved security message design.

From Julie Rose’s introduction:

Improving our security online is a $67 billion-year business. It’s huge. And yet, what’s your instinct when you’re surfing the web and a little window pops up warning you could be at risk? Most of us hit ignore and move on. We, the human users, are the weak link in internet security. But it’s not all our fault. Studies conducted in the neurosecurity lab here at BYU show our biology deserves some of the blame, too.

You can listen to their 17-minute conversation here.

Neurosecurity Lab Profiled in Marriott Alumni Magazine


The cover story of the Marriott School of Management’s Alumni Magazine is a profile of the Neurosecurity Lab.

From the article:

Cerebral Security

Tech smarts and a pair of grants from Google and the National Science Foundation are helping BYU professors at the university’s Neurosecurity Lab lift the lid on computer users’ riskiest behaviors. And with a multimillion-dollar brain scanner at their fingertips, the six researchers are turning heads.

You can read the article here.

Google Faculty Research Award 2016

We received our second Google Faculty Research Award for our proposal entitled, “Improving Adherence to Security Messages through Intelligent Timing: A Neurosecurity Study.” We were awarded $34,200, and Elisabeth Morant will serve as our Google liaison.

Our previous Google Faculty Research Award proposed to study habituation to security warnings.

From the Abstract:

System-generated notifications are ubiquitous in personal computing. Many of these interruptions are security messages that prompt the user to perform a security action, but these interruptions come at a high cost. Neuroscience has shown that the brain cannot perform even simple tasks simultaneously without significant performance loss, the result of a cognitive limitation known as dual-task interference (DTI). While some security messages require immediate attention, others can be timed to display when a user is best equipped to respond, i.e., when DTI is low. The goal of this proposal is to develop a system to predict low-DTI times using input-device tracking and mobile-device indicators of the user to display security messages at times when users’ adherence will be maximized.

Neurosecurity Research Agenda for Security Messages Accepted to the European Journal of Information Systems

Update: The article is now officially published online here.

Our paper entitled, “How Users Perceive and Respond to Security Messages: A NeuroIS Research Agenda and Empirical Study,” was accepted for publication at the European Journal of Information Systems, a leading journal of the field of Information Systems. In our article, we lay out a research agenda for studying security messages using neurophysiological theories and methods.

The purpose of our research agenda is to demonstrate the promise of using neurophysiological measures, and encourage more research in this area. We believe that the approaches described in this article will provide new insights into users’ responses to security messages and facilitate more effective security message designs.

Why Use Neuroscience to Study Security Messages?

Research shows that users routinely disregard security messages. Although users may say that they are concerned about their security, their actual behavior doesn’t match what they say.

The theories and methods of neuroscience provide a promising lens to investigate the disconnect between what users say about security and actually do. The neural bases for human cognitive processes can offer new insights into the complex interaction between information processing and decision making, allowing researchers to open the ‘black box’ of cognition by directly observing the brain.

Research Agenda

[Figure: Research agenda]

The figure above shows four factors that we argue interfere with users’ best intentions to comply with security messages: (1) habituation, (2) dual-task interference, (3) stress, and (4) fear. These are not the only important factors, but they are ones that we think the theories and methods of neuroscience have strong potential to address. We briefly describe each below.

How Does Habituation Affect Users’ Responses to Security Messages?

Habituation is the diminishing of attention because of frequent exposure to warnings. Through this process, warnings that were once salient become virtually unnoticeable, like familiar wallpaper. Habituation has been pointed to as a problem in many security-warning studies. However, it is difficult to observe using conventional methods because habituation is a mental state.

Neuroscience approaches can provide additional insight by directly measuring the mental process of habituation to determine (1) how quickly habituation develops in response to security messages, (2) how the neurological manifestation of habituation affects security behaviors, and (3) how long the effects of habituation on security messages persist. As an example, we’ve used fMRI and mouse cursor tracking to study habituation to warnings.

What Is the Impact of Stress on a User’s Response to Security Messages?

Recent research has highlighted the impact of ‘technostress’, which is stress caused by interactions with information communication technologies. Stress can have profound detrimental effects on individuals’ productivity and well-being. D’Arcy et al (2014) showed that technostress has important implications for end-user security. An important gap in past stress-related security research is that survey measures capture only a user’s perception of stress-inducing conditions, but nothing about the stress that someone is actually experiencing physiologically.

[Image: Salivette saliva swab capsule]

Two neurophysiological methods for measuring stress are cortisol-level measurement and skin conductance response (SCR). Cortisol (commonly called the stress hormone) can measure unconscious stress responses. When an individual’s stress level increases, so does the amount of cortisol in the body as psychological stressors stimulate its release into the bloodstream. Increases in cortisol can be measured easily with a saliva swab that is placed in a capsule for later chemical analysis (see image above).

SCR measures increases in the activity of sweat glands when an individual is stressed, and has been linked to measures of arousal, excitement, fear, etc. By using these and other methods, researchers can measure how users’ stress impacts their responses to security messages.

How Does Fear Influence Our Neural Processing of Security Messages?

Fear can have a powerful impact on how individuals respond to security messages. In information security, both protective and malicious messages commonly attempt to elicit fear to motivate the target into action. However, fear may invoke automatic responses that bypass cognition, leading an individual to not pay attention to a warning. As with stress, past research on fear has relied on survey measures, which don’t measure fear physiologically.

[Image: fEMG]

A variety of neurophysiological methods can be used to measure fear. fMRI can measure activation in areas of the brain associated with fear, such as the amygdala, orbitofrontal cortex, and striatum. We propose that facial electromyography (fEMG) is a useful tool to detect fear in users interacting with security messages. With fEMG, visually imperceptible EMG activity in the muscle regions associated with facial expressions (over the brow–corrugator supercilii, eye–orbicularis oculi, and cheek–zygomaticus major) can differentiate the intensity and valence of an individual’s reactions to visual stimuli.

How Does Dual-task Interference Disrupt Cognitive Processing of Security Messages?

Dual-task interference (DTI) is a cognitive limitation in which even simple tasks cannot be simultaneously performed without significant performance loss. Responses to security messages are susceptible to DTI because they are typically secondary tasks that interrupt the completion of a user’s primary task of using a computer. Unfortunately, when DTI occurs, performance is reduced for both the primary and secondary tasks, which means that users will not pay full attention to the security warning.

Brain imaging methodologies such as fMRI and electroencephalography (EEG) can be effective techniques for examining the cognitive consequences of DTI. Using EEG, the P300 brainwave component of the event-related potential can be examined, which is associated with attention and memory operations. The P300 reflects brain activity approximately 300–600 milliseconds after exposure to a stimulus. The speed of this measure reveals reaction differences in subjects before they have time to consciously contemplate a response. Monitoring a person’s EEG measures as they perform a computing task that a security message interrupts can allow researchers to see the degree to which the message disrupted the task and the level of cognitive resources devoted to the message. We used EEG in a past study to predict users’ responses to security warnings.

A Call for Research

Neurosecurity has the potential to provide new understanding of how users respond to security messages. We hope researchers will join us in researching the issues described above to significantly advance our understanding of security messages and how to design them to be more effective.

From the abstract:

Users are vital to the information security of organizations. In spite of technical safeguards, users make many critical security decisions. An example is users’ responses to security messages—discrete communication designed to persuade users to either impair or improve their security status. Research shows that although users are highly susceptible to malicious messages (e.g., phishing attacks), they are highly resistant to protective messages such as security warnings. Research is therefore needed to better understand how users perceive and respond to security messages.

In this article, we argue for the potential of NeuroIS—cognitive neuroscience applied to Information Systems—to shed new light on users’ reception of security messages in the areas of (1) habituation, (2) stress, (3) fear, and (4) dual-task interference. We present an illustrative study that shows the value of using NeuroIS to investigate one of our research questions. This example uses eye tracking to gain unique insight into how habituation occurs when people repeatedly view security messages, allowing us to design more effective security messages. Our results indicate that the eye movement-based memory (EMM) effect is a cause of habituation to security messages—a phenomenon in which people unconsciously scrutinize stimuli that they have previously seen less than other stimuli. We show that after only a few exposures to a warning, this neurological aspect of habituation sets in rapidly, and continues with further repetitions.

We also created a polymorphic warning that continually updates its appearance and found that it is effective in substantially reducing the rate of habituation as measured by the EMM effect. Our research agenda and empirical example demonstrate the promise of using NeuroIS to gain novel insight into users’ responses to security messages that will encourage more secure user behaviors and facilitate more effective security message designs.


Article Download

Download a PDF of the article here.