Neurosecurity Lab Awarded ISR’s “Best Published Paper”

We received the “Best Published Paper Award” for all papers published in Information Systems Research in 2016 for our article, “More Harm than Good? How Messages that Interrupt Can Make Us Vulnerable.” Coauthors Jeff Jenkins and David Eargle received the award this past weekend at the 2017 INFORMS Annual Meeting in Houston, Texas.

Information Systems Research is one of the leading journals in the field of Information Systems, so we’re honored to have been selected out of many excellent articles published last year. You can read a summary of the article and related news coverage here.

Figure 1. Jeff Jenkins (right) and David Eargle (left) receiving the award from ISR editor-in-chief Alok Gupta.

From the abstract:

System-generated alerts are ubiquitous in personal computing and, with the proliferation of mobile devices, daily activity. While these interruptions provide timely information, research shows they come at a high cost in terms of increased stress and decreased productivity. This is due to dual-task interference (DTI), a cognitive limitation in which even simple tasks cannot be simultaneously performed without significant performance loss. Although previous research has examined how DTI impacts the performance of a primary task (the task that was interrupted), no research has examined the effect of DTI on the interrupting task. This is an important gap because in many contexts, failing to heed an alert—the interruption itself—can introduce critical vulnerabilities.

Using security messages as our context, we address this gap by using functional magnetic resonance imaging (fMRI) to explore how (1) DTI occurs in the brain in response to interruptive alerts, (2) DTI influences message security disregard, and (3) the effects of DTI can be mitigated by finessing the timing of the interruption. We show that neural activation is substantially reduced under a condition of high DTI, and the degree of reduction in turn significantly predicts security message disregard. Interestingly, we show that when a message immediately follows a primary task, neural activity in the medial temporal lobe is comparable to when attending to the message is the only task.

Further, we apply these findings in an online behavioral experiment in the context of a web-browser warning. We demonstrate a practical way to mitigate the DTI effect by presenting the warning at low-DTI times, and show how mouse cursor-tracking and psychometric measures can be used to validate low-DTI times in other contexts.

Our findings suggest that although alerts are pervasive in personal computing, they should be bounded in their presentation. The timing of interruptions strongly influences the occurrence of DTI in the brain, which in turn substantially impacts alert disregard. This paper provides a theoretically-grounded, cost-effective approach to reduce the effects of DTI for a wide variety of interruptive messages that are important but do not require immediate attention.

Article Download

Download a PDF of the article here.

Longitudinal Habituation Study Forthcoming in MIS Quarterly

The latest in our series of studies on habituation to security warnings is now forthcoming in MIS Quarterly, one of the premier journals of the field of information systems. This article, titled “Tuning Out Security Warnings: A Longitudinal Examination of Habituation Through fMRI, Eye Tracking, and Field Experiments,” is an expansion of our CHI 2017 paper that examined how people habituate to security warnings over the course of a workweek using eye tracking and fMRI. This paper includes that experiment, but we also conducted a three-week field experiment involving users’ warning adherence behavior on their personal mobile devices in order to test our lab findings in the field.

Eye Tracking and fMRI Experiment

Habituation is decreased response to repeated stimulation. In the context of security warnings, past work has shown that people “tune out” warnings after multiple exposures to them. However, previous studies on habituation (including our own work) only examined habituation during a lab experiment at a single point in time. This is an important limitation because habituation is a neurobiological phenomenon that develops over time. This means that past work has provided an incomplete picture of the problem.

To expand our understanding of habituation, we conducted a longitudinal experiment to see how habituation develops over the course of five daily experimental sessions involving 16 participants. In addition, we measured habituation using both fMRI and eye tracking simultaneously (Figure 1), which allowed us to measure habituation as it occurred in the brain as well as a behavioral manifestation of habituation (i.e., eye movements).

Figure 1. Our lab's EyeLink 1000 Plus long-range eye tracker mounted under the MRI viewing monitor.

We found that people habituated rapidly to repeated warnings within a single laboratory session, both in terms of decreased neural activity (such as in the ventral visual pathways, Figure 2) and fewer eye fixations. However, we observed a recovery effect of attention from one day to the next when warnings were withheld. Unfortunately, this recovery effect wasn’t enough to offset the overall pattern of habituation across the workweek. This is depicted by the dotted blue line in Figures 3 and 4.

More positively, we found that a polymorphic warning, a warning that changes its appearance with each presentation, was able to significantly sustain attention over time. This is depicted by the solid red line in Figures 3 and 4. We found this result with only four variations to the warning.

Figure 2. Left and right ventral visual pathways.

Figure 3. Activity in the right ventral visual pathway in response to each presentation of static and polymorphic warnings.

Figure 4. Change in eye-gaze fixations across viewings.

Mobile Field Experiment

We also tested our lab findings in the field by conducting a three-week field experiment in which 140 Android users were naturally exposed to privacy permission warnings as they installed apps on their personal mobile devices. This had the benefit of improving the realism and ecological validity of the study overall, but it also allowed us to see how habituation influences actual warning adherence behavior.

To do this, we designed an Android app store and required participants in the experiment to install three apps from a category of apps each day for 15 days (Figure 5).

Figure 5. A screenshot of the app store created for the field experiment.

When participants selected an app to download, they saw a permission warning like the one in Figure 6. This warning listed permissions that the app requested to access or modify data.

Figure 6. A screenshot of the app store permission warning.

If a participant chose to install an app with a risky permission, this meant they disregarded the warning. To make this less subjective, we created four scary permissions that should be inappropriate for any app category:

  • Charge purchases to your credit card
  • Delete your photos
  • Record microphone audio any time
  • Sell your web-browsing data

If participants were paying attention, they should cancel the installation and find another app to install from the app category.

We then randomly assigned participants to one of two groups: a control group that received the same warning every time, and a polymorphic group that received a warning that changed its appearance throughout the 15 days, as shown in Figure 7.

Figure 7. Sample polymorphic warnings.

Consistent with our fMRI results, users’ warning adherence substantially decreased over the three weeks. Interestingly, however, the average accuracy rate by the end for participants in the polymorphic condition was 76 percent, compared to 55 percent for participants in the static condition, a substantial difference (see Figure 8).

Figure 8. Percentage of warning adherence in rejecting risky warnings across 15 weekdays for each treatment group.

What These Findings Mean

Together, these findings provide the most complete view yet of the problem of habituation to security warnings. First, they show that people not only habituate to warnings, but also that they recover from this habituation effect if a warning isn’t seen for a while (in our case, 24 hours). However, this recovery is not enough to compensate for frequent exposure to warnings over time. This means that systems designers need to be judicious in the number of times warnings are displayed to a user.

Second, we found that updating the appearance of a security warning can reduce habituation, as demonstrated by our eye tracking and fMRI data, as well as warning adherence behavior in the field. Even using a few variations can have a substantial effect over time. Although this study wasn’t the first to propose polymorphic warnings, it is the first to show that they remain effective over time.

Third, this study improves on past studies that were conducted in laboratories at a single point in time. The mobile field experiment showed for the first time how a realistic repetition of warnings in the field results in a decrease of warning adherence behavior.

From the abstract:

Research in the fields of information systems and human-computer interaction has shown that habituation—decreased response to repeated stimulation—is a serious threat to the effectiveness of security warnings. Although habituation is a neurobiological phenomenon that develops over time, past studies have only examined this problem cross-sectionally. Further, past studies have not examined how habituation influences actual security warning adherence in the field. For these reasons, the full extent of the problem of habituation is unknown.

We address these gaps by conducting two complementary longitudinal experiments. First, we performed an experiment collecting fMRI and eye-tracking data simultaneously to directly measure habituation to security warnings as it develops in the brain over a five-day workweek. Our results show not only a general decline of participants’ attention to warnings over time but also that attention recovers at least partially between workdays without exposure to the warnings. Further, we found that updating the appearance of a warning—that is, a polymorphic design—substantially reduced habituation of attention.

Second, we performed a three-week field experiment in which users were naturally exposed to privacy permission warnings as they installed apps on their mobile devices. Consistent with our fMRI results, users’ warning adherence substantially decreased over the three weeks. However, for users who received polymorphic permission warnings, adherence dropped at a substantially lower rate and remained high after three weeks, compared to users who received standard warnings. Together, these findings provide the most complete view yet of the problem of habituation to security warnings and demonstrate that polymorphic warnings can substantially improve adherence.

Article Download

Download a PDF of the article here.

Presentation at CHI 2017

Bonnie Anderson and Dan Bjornn attended CHI 2017 this week in Denver, Colorado, to present “What Do We Really Know about How Habituation to Warnings Occurs Over Time? A Longitudinal fMRI Study of Habituation and Polymorphic Warnings.” CHI is widely considered the premier conference in the field of human–computer interaction.

We were fortunate to share the session with some of our favorite usable security researchers. The presentation went well and the questions from the audience allowed us to talk about our future research streams.

Whereas previous studies (including our own work) examined habituation at a single point in time, this study observed habituation over five consecutive days using fMRI and eye tracking simultaneously. This allowed us to measure not only the decrease in users’ attention to warnings over the course of the workweek, but also another core characteristic of habituation: response recovery—the increase in user response after a rest period during which the stimulus is absent.

We found that people habituated rapidly to repeated warnings within a single laboratory session (both in terms of decreased neural activity and fewer eye fixations). However, we observed a recovery effect of attention from one day to the next when warnings were withheld. Unfortunately, this recovery effect wasn’t enough to offset the overall pattern of habituation across the workweek. More positively, we found that a polymorphic warning with only four variations was able to significantly sustain attention over time.

Our results also add credibility to prior point-in-time studies by showing that the pattern of habituation they reported holds across a workweek, indicating that cross-sectional habituation studies can be useful proxies for habituation over time. Additionally, the eye-tracking and fMRI results were very similar, suggesting that eye tracking is a valid and cost-effective alternative to fMRI for studying the mental process of habituation.

From the abstract:

A major inhibitor of the effectiveness of security warnings is habituation: decreased response to a repeated warning. Although habituation develops over time, previous studies have examined habituation and possible solutions to its effects only within a single experimental session, providing an incomplete view of the problem. To address this gap, we conducted a longitudinal experiment that examines how habituation develops over the course of a five-day workweek and how polymorphic warnings decrease habituation. We measured habituation using two complementary methods simultaneously: functional magnetic resonance imaging (fMRI) and eye tracking.

Our results show a dramatic drop in attention throughout the workweek despite partial recovery between workdays. We also found that the polymorphic warning design was substantially more resistant to habituation compared to conventional warnings, and it sustained this advantage throughout the five-day experiment. Our findings add credibility to prior studies by showing that the pattern of habituation holds across a workweek, and indicate that cross-sectional habituation studies are valid proxies for longitudinal studies. Our findings also show that eye tracking is a valid measure of the mental process of habituation to warnings.

Article Download

Download a PDF of the article here.

Neurosecurity Lab at USENIX Enigma 2017

Tony presented recent work of the Neurosecurity Lab at USENIX Enigma 2017, a TED-style security conference held annually in the San Francisco Bay Area.

USENIX Enigma is interesting because its attendees and presenters are equal parts security academics and practitioners, with significant representation from Silicon Valley companies. It also has a strong emphasis on presentation quality.

Presentation Video

The talk received news coverage in a number of outlets, including:

Three New Research Articles on Habituation to Security Warnings

The Neurosecurity Lab has three recently published or accepted research articles on habituation to security warnings: (1) Journal of Management Information Systems (JMIS), (2) Decision Support Systems (DSS), and (3) ACM Conference on Human Factors in Computing Systems (CHI) 2017.

Journal of Management Information Systems

Our article, “From Warning to Wallpaper: Why the Brain Habituates to Security Warnings and What Can Be Done About It,” was published in December. It is an expanded version of our 2015 CHI paper. JMIS is widely recognized as one of the top three journals of the field of Information Systems.

The article reports the findings of two separate laboratory experiments that used fMRI and mouse cursor tracking to show how users habituate to security warnings. The fMRI experiment showed how neural activity in the visual processing center of the brain decreases precipitously with repeated exposures to a warning. We also found that a polymorphic warning design that repeatedly changed its appearance was resistant to the effects of habituation.

From the abstract:

Warning messages are fundamental to users’ security interactions. Unfortunately, research has shown that they are largely ineffective. A key contributor to this failure is habituation: decreased response to a repeated warning. Previous research has inferred the occurrence of habituation to warnings or measured it indirectly, such as through the proxy of a related behavior. Therefore, there is a gap in our understanding of how habituation to security warnings develops in the brain. Without direct measures of habituation, we are limited in designing warnings that can mitigate its effects.

In this study, we use neurophysiological measures to directly observe habituation as it occurs in the brain and behaviorally. We also design a polymorphic warning artifact that repeatedly changes its appearance in order to resist the effects of habituation. In an experiment using functional magnetic resonance imaging (fMRI; n = 25), we found that our polymorphic warning was significantly more resistant to habituation than were conventional warnings in regions of the brain related to attention.

In a second experiment (n = 80), we implemented the top four most resistant polymorphic warnings in a realistic setting. Using mouse cursor tracking as a surrogate for attention to unobtrusively measure habituation on participants’ personal computers, we found that polymorphic warnings reduced habituation compared to conventional warnings. Together, our findings reveal the substantial influence of neurobiology on users’ habituation to security warnings and security behavior in general, and we offer our polymorphic warning design as an effective solution to practice.

Article Download

Download a PDF of the article here.

Decision Support Systems

Our article, “Your Memory Is Working Against You: How Eye Tracking and Memory Explain Habituation to Security Warnings,” was published in December. This study examines habituation to security warnings in a laboratory experiment using eye tracking.

Habituation was measured in terms of the eye movement-based memory (EMM) effect, a neurophysiological manifestation of habituation in which people unconsciously scrutinize previously seen stimuli less than novel stimuli. Consistent with our JMIS findings, we also found that participants habituated less in terms of eye fixations to a polymorphic warning compared to conventional warnings.

From the abstract:

Security warnings are critical to the security of end users and their organizations, often representing the final defense against an attack. Because warnings require users to make a contextual judgment, it is critical that they pay close attention to warnings. However, research shows that users routinely disregard them. A major factor contributing to the ineffectiveness of warnings is habituation, the decreased response to a repeated warning. Although previous research has identified the problem of habituation, the phenomenon has only been observed indirectly through behavioral measures. Therefore, it is unclear how habituation develops in the brain in response to security warnings, and how this in turn influences users’ perceptions of these warnings.

This paper contributes by using eye tracking to measure the eye movement-based memory (EMM) effect, a neurophysiological manifestation of habituation in which people unconsciously scrutinize previously seen stimuli less than novel stimuli. We show that habituation sets in after only a few exposures to a warning and progresses rapidly with further repetitions. Using guidelines from the warning science literature, we design a polymorphic warning artifact which repeatedly changes its appearance. We demonstrate that our polymorphic warning artifact is substantially more resistant to habituation than conventional security warnings, offering an effective solution for practice. Finally, our results highlight the value of applying neuroscience to the domain of information security behavior.

Article Download

Download a PDF of the article here.

CHI 2017

Our article, “What Do We Really Know about How Habituation to Warnings Occurs Over Time? A Longitudinal fMRI Study of Habituation and Polymorphic Warnings,” is forthcoming at CHI 2017, held this year in Denver, Colorado. CHI is widely considered the premier conference in the field of human–computer interaction.

Whereas previous studies on habituation (including our JMIS and DSS studies above) examined habituation at a single point in time, this study observed habituation over the course of a workweek in five daily experimental sessions. We measured habituation using fMRI and eye tracking simultaneously, validating that eye tracking is a useful, non-obtrusive method for measuring habituation.

We found that people habituated rapidly to repeated warnings within a single laboratory session (both in terms of decreased neural activity and fewer eye fixations). However, we observed a recovery effect of attention from one day to the next when warnings were withheld. Unfortunately, this recovery effect wasn’t enough to offset the overall pattern of habituation across the workweek. More positively, we found that a polymorphic warning with only four variations was able to significantly sustain attention over time.

From the abstract:

A major inhibitor of the effectiveness of security warnings is habituation: decreased response to a repeated warning. Although habituation develops over time, previous studies have examined habituation and possible solutions to its effects only within a single experimental session, providing an incomplete view of the problem. To address this gap, we conducted a longitudinal experiment that examines how habituation develops over the course of a five-day workweek and how polymorphic warnings decrease habituation. We measured habituation using two complementary methods simultaneously: functional magnetic resonance imaging (fMRI) and eye tracking.

Our results show a dramatic drop in attention throughout the workweek despite partial recovery between workdays. We also found that the polymorphic warning design was substantially more resistant to habituation compared to conventional warnings, and it sustained this advantage throughout the five-day experiment. Our findings add credibility to prior studies by showing that the pattern of habituation holds across a workweek, and indicate that cross-sectional habituation studies are valid proxies for longitudinal studies. Our findings also show that eye tracking is a valid measure of the mental process of habituation to warnings.

Article Download

Download a PDF of the article here.

Future Work on Habituation

Despite the publication of these three articles, we’re not done with the topic of habituation yet. We recently completed a three-week field experiment that examines habituation in terms of reduced warning adherence behavior. This study is currently under peer review. We have also begun a pilot test to examine how the effects of habituation generalize from familiar notifications to novel warnings that share visual similarities. Across all of these studies, we’re seeking to find ways to reduce habituation so that warnings don’t lose their efficacy over time.