research-article

Open access

How Polymorphic Warnings Reduce Habituation in the Brain: Insights from an fMRI Study

Authors:

Bonnie Brinton Anderson,

C. Brock Kirwan,

Jeffrey L. Jenkins,

Anthony VanceAuthors Info & Claims

CHI '15: Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems

Pages 2883 - 2892

https://doi.org/10.1145/2702123.2702322

Published: 18 April 2015 Publication History

Abstract

Research on security warnings consistently points to habituation as a key reason why users ignore security warnings. However, because habituation as a mental state is difficult to observe, previous research has examined habituation indirectly by observing its influence on security behaviors. This study addresses this gap by using functional magnetic resonance imaging (fMRI) to open the "black box" of the brain to observe habituation as it develops in response to security warnings. Our results show a dramatic drop in the visual processing centers of the brain after only the second exposure to a warning, with further decreases with subsequent exposures. To combat the problem of habituation, we designed a polymorphic warning that changes its appearance. We show in two separate experiments using fMRI and mouse cursor tracking that our polymorphic warning is substantially more resistant to habituation than conventional warnings. Together, our neurophysiological findings illustrate the considerable influence of human biology on users' habituation to security warnings.

References

[1]

Akhawe, D. and Felt, A.P. Alice in warningland: A large-scale field study of browser security warning effectiveness. Proc. USENIX Security '13, USENIX Association (2013), 257--272.

Digital Library

[2]

Bravo-Lillo, C., Cranor, L., Komanduri, S., Schechter, S., and Sleeper, M. Harder to ignore? Revisiting pop-up fatigue and approaches to prevent it. In Proc. SOUPS 2014, USENIX Association (2014), 105--111.

[3]

Bravo-Lillo, C., Cranor, L.F., Downs, J., Komanduri, S., and Sleeper, M. Improving computer security dialogs. Proc. INTERACT 2011, Springer-Verlag (2011), 18--35.

Digital Library

[4]

Bravo-Lillo, C., Komanduri, S., Cranor, L.F., Reeder, R.W., Sleeper, M., Downs, J., and Schechter, S. Your attention please: Designing security-decision UIs to make genuine risks harder to ignore. In Proc. SOUPS 2013, ACM (2013), 1--12.

Digital Library

[5]

Brustoloni, J.C. and Villamarín-Salomón, R. Improving security decisions with polymorphic and audited dialogs. In Proc. SOUPS '07, ACM (2007), 76--85.

Digital Library

[6]

Buckner, R.L., Andrews-Hanna, J.R., and Schacter, D.L. The brain's default network. Ann. N. Y. Acad. Sci. 1124, 1 (2008), 1--38.

[7]

Buschman, T.J. and Miller, E.K. Top-down versus bottom-up control of attention in the prefrontal and posterior parietal cortices. Science 315, 5820 (2007), 1860--1862.

[8]

Cox, R.W. Afni: Software for analysis and visualization of functional magnetic resonance neuroimages. Comput. Biomed. Res. 29, 3 (1996), 162--173.

Digital Library

[9]

Desimone, R. Neural mechanisms for visual memory and their role in attention. Proc. Natl. Acad. Sci. 93, 24 (1996), 13494--13499.

[10]

Dimoka, A. How to conduct a functional magnetic resonance (fMRI) study in social science research. MIS Quart. 36, 3 (2012), 811--840.

Digital Library

[11]

Dimoka, A., Banker, R.D., Benbasat, I., Davis, F.D., Dennis, A.R., Gefen, D., Gupta, A., Lschebeck, A., Kenning, P.H., Pavlou, P.A., Muller-Putz, G., Riedl, R., Vom Brocke, J., and Weber, B. On the use of neurophysiological tools in IS research: Developing a research agenda for NeuroIS. MIS Quart. 36, 3 (2012), 679--702.

Digital Library

[12]

Freeman, J.B. and Ambady, N. Mousetracker: Software for studying real-time mental processing using a computer mouse-tracking method. Behav. Res. Methods 42, 1 (2010), 226--241.

[13]

Grill-Spector, K., Henson, R., and Martin, A. Repetition and the brain: Neural models of stimulus-specific effects. Trends Cogn. Sci. 10, 1 (2006), 14--23.

[14]

Guo, Q. and Agichtein, E. Towards predicting web searcher gaze position from mouse movements. In Proc. CHI'10, ACM (2010), 3601--3606.

Digital Library

[15]

Herley, C. So long, and no thanks for the externalities: The rational rejection of security advice by users. In Proc. NSPW 2009, ACM (2009), 133--144.

Digital Library

[16]

Kalsher, M. and Williams, K. Behavioral compliance: Theory, methodology, and result. In Handbook of warnings Lawrence Erlbaum Associates, Mahwah NJ (2006), 313--331, 2006.

[17]

Kandel, E.R. The molecular biology of memory storage: A dialogue between genes and synapses. Science 294, 5544 (2001), 1030--1038.

[18]

Lueschow, A., Miller, E.K., and Desimone, R. Inferior temporal mechanisms for invariant object recognition. Cereb. Cortex 4, 5 (1994), 523--531.

[19]

Malhotra, N.K., Kim, S.S., and Agarwal, J. Internet users' information privacy concerns (IUIPC): The construct, the scale, and a causal model. Inf. Syst. Res. 15, 4 (2004), 336--355.

Digital Library

[20]

Minnery, B.S. and Fine, M.S. Neuroscience and the future of human-computer interaction. Interactions 16, 2 (2009), 70--75.

Digital Library

[21]

Motley, S.E. and Kirwan, C.B. A parametric investigation of pattern separation processes in the medial temporal lobe. J. Neurosci. 32, 38 (2012), 13076--13084.

[22]

Schechter, S.E., Dhamija, R., Ozment, A., and Fischer, I. The emperor's new security indicators. In Proc. SP'07, IEEE (2007), 51--65.

Digital Library

[23]

Sunshine, J., Egelman, S., Almuhimedi, H., Atri, N., and Cranor, L.F. Crying wolf: An empirical study of SSL warning effectiveness. In Proc. SSYM'09, (2009), 399--416.

Digital Library

[24]

Talairach, J. and Tournoux, P. Co-planar stereotaxic atlas of the human brain: 3-dimensional proportional system: An approach to cerebral imaging. Thieme, Stuttgart, 1988.

[25]

Vance, A., Anderson, B.B., Kirwan, C.B., and Eargle, D. Using measures of risk perception to predict information security behavior: Insights from electroencephalography (EEG). J. Assoc. Inf. Syst. 15, 10 (2014), 679--722.

[26]

Vuilleumier, P., Henson, R., Driver, J., and Dolan, R. Multiple levels of visual object constancy revealed by event-related fMRI of repetition priming. Nat. Neurosci. 5, 5 (2002), 491--499.

[27]

Wogalter, M.S. Communication-human information processing (C-HIP) model. In Handbook of warnings, M.S. WOGALTER Ed. Lawrence Erlbaum Associates, Mahwah, NJ (2006), 51--61, 2006.

Cited By

Wang CTozadore DBruno BDillenbourg P(2024)WriteUpRight: Regulating Children’s Handwriting Body Posture by Unobstrusively Error Amplification via Slow Visual Stimuli on TabletsProceedings of the 2024 CHI Conference on Human Factors in Computing Systems10.1145/3613904.3642457(1-13)Online publication date: 11-May-2024
https://dl.acm.org/doi/10.1145/3613904.3642457
Wang ZKulkarni CWilcox LTerry MMadaio M(2024)Farsight: Fostering Responsible AI Awareness During AI Application PrototypingProceedings of the 2024 CHI Conference on Human Factors in Computing Systems10.1145/3613904.3642335(1-40)Online publication date: 11-May-2024
https://dl.acm.org/doi/10.1145/3613904.3642335
Zehnder ETorgersen LAsk TKnox BMorgenstern HGaiser JNaudet YGarcia Perez AStahl C(2024)Digital Twins and Extended Reality for Tailoring Better Adapted Cybersecurity Trainings in Critical InfrastructuresAugmented Cognition10.1007/978-3-031-61569-6_15(233-252)Online publication date: 1-Jun-2024
https://doi.org/10.1007/978-3-031-61569-6_15
Show More Cited By

Index Terms

How Polymorphic Warnings Reduce Habituation in the Brain: Insights from an fMRI Study
1. Applied computing
  1. Law, social and behavioral sciences
2. Human-centered computing
  1. Human computer interaction (HCI)

Recommendations

What Do We Really Know about How Habituation to Warnings Occurs Over Time?: A Longitudinal fMRI Study of Habituation and Polymorphic Warnings
CHI '17: Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems

A major inhibitor of the effectiveness of security warnings is habituation: decreased response to a repeated warning. Although habituation develops over time, previous studies have examined habituation and possible solutions to its effects only within a ...
Tuning out security warnings: a longitudinal examination of habituation through fMRI, eye tracking, and field experiments

Research in the fields of information systems and human-computer interaction has shown that habituation— decreased response to repeated stimulation—is a serious threat to the effectiveness of security warnings. Although habituation is a neurobiological ...
Your memory is working against you

Security warnings are critical to the security of end users and their organizations, often representing the final defense against an attack. Because warnings require users to make a contextual judgment, it is critical that they pay close attention to ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CHI '15: Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems

April 2015

4290 pages

ISBN:9781450331456

DOI:10.1145/2702123

General Chairs:
Bo Begole
Huawei, USA
,
Jinwoo Kim
Yonsei University, Korea
,
Program Chairs:
Kori Inkpen
Microsoft Research, USA
,
Woontack Woo
KAIST, Korea

Copyright © 2015 Owner/Author.

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Sponsors

SIGCHI: ACM Special Interest Group on Computer-Human Interaction

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 18 April 2015

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

National Science Foundation

Conference

CHI '15

Sponsor:

SIGCHI

CHI '15: CHI Conference on Human Factors in Computing Systems

April 18 - 23, 2015

Seoul, Republic of Korea

Acceptance Rates

CHI '15 Paper Acceptance Rate 486 of 2,120 submissions, 23%;

Overall Acceptance Rate 6,199 of 26,314 submissions, 24%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

65
Total Citations
View Citations
1,959
Total Downloads

Downloads (Last 12 months)281
Downloads (Last 6 weeks)61

Reflects downloads up to 15 Oct 2024

Other Metrics

View Author Metrics

Citations

Cited By

Wang CTozadore DBruno BDillenbourg P(2024)WriteUpRight: Regulating Children’s Handwriting Body Posture by Unobstrusively Error Amplification via Slow Visual Stimuli on TabletsProceedings of the 2024 CHI Conference on Human Factors in Computing Systems10.1145/3613904.3642457(1-13)Online publication date: 11-May-2024
https://dl.acm.org/doi/10.1145/3613904.3642457
Wang ZKulkarni CWilcox LTerry MMadaio M(2024)Farsight: Fostering Responsible AI Awareness During AI Application PrototypingProceedings of the 2024 CHI Conference on Human Factors in Computing Systems10.1145/3613904.3642335(1-40)Online publication date: 11-May-2024
https://dl.acm.org/doi/10.1145/3613904.3642335
Zehnder ETorgersen LAsk TKnox BMorgenstern HGaiser JNaudet YGarcia Perez AStahl C(2024)Digital Twins and Extended Reality for Tailoring Better Adapted Cybersecurity Trainings in Critical InfrastructuresAugmented Cognition10.1007/978-3-031-61569-6_15(233-252)Online publication date: 1-Jun-2024
https://doi.org/10.1007/978-3-031-61569-6_15
Kontogeorgopoulos KKritikos K(2024)Overview of Social Engineering Protection and Prevention MethodsComputer Security. ESORICS 2023 International Workshops10.1007/978-3-031-54204-6_4(64-83)Online publication date: 1-Mar-2024
https://doi.org/10.1007/978-3-031-54204-6_4
Fischer-Hübner SKaregar FFischer-Hübner SKaregar F(2024)Challenges of Usable PrivacyThe Curious Case of Usable Privacy10.1007/978-3-031-54158-2_4(103-131)Online publication date: 20-Mar-2024
https://doi.org/10.1007/978-3-031-54158-2_4
Pasquali DKothig AAroyo AMuñoz Cadorna JDautenhahn KBencetti SFrancesco RSciutti A(2023)That's not a Good Idea: A Robot Changes Your Behavior Against Social EngineeringProceedings of the 11th International Conference on Human-Agent Interaction10.1145/3623809.3623879(63-71)Online publication date: 4-Dec-2023
https://dl.acm.org/doi/10.1145/3623809.3623879
Sas MDenoo MMühlberg J(2023)Informing Children about Privacy: A Review and Assessment of Age-Appropriate Information Designs in Kids-Oriented F2P Video GamesProceedings of the ACM on Human-Computer Interaction10.1145/36110367:CHI PLAY(425-463)Online publication date: 4-Oct-2023
https://dl.acm.org/doi/10.1145/3611036
Wang CTozadore DBruno BDillenbourg P(2023)Unobtrusively Regulating Children’s Posture via Slow Visual Stimuli on TabletsProceedings of the 22nd Annual ACM Interaction Design and Children Conference10.1145/3585088.3593894(548-552)Online publication date: 19-Jun-2023
https://dl.acm.org/doi/10.1145/3585088.3593894
Haesler SWendelborn MReuter C(2023)Getting the Residents’ Attention: The Perception of Warning Channels in Smart Home Warning SystemsProceedings of the 2023 ACM Designing Interactive Systems Conference10.1145/3563657.3596076(1114-1127)Online publication date: 10-Jul-2023
https://dl.acm.org/doi/10.1145/3563657.3596076
Shrestha APaudel RDumaru PAl-Ameen M(2023)Towards Improving the Efficacy of Windows Security Notifier for Apps from Unknown Publishers: The Role of RhetoricHCI for Cybersecurity, Privacy and Trust10.1007/978-3-031-35822-7_8(101-121)Online publication date: 9-Jul-2023
https://doi.org/10.1007/978-3-031-35822-7_8
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Table of Contents