Ian Jones and Anthony Vance, Information Systems
Warning messages are one of the last lines of defense in computer security and are fundamental to users’ security interactions with technology. Consequently, researchers have actively sought to understand how users interact with security warnings and why warnings are so pervasively ignored. A key contributor to the disregard of security warnings is habituation, i.e., the diminishing of attention because of frequent exposure to warnings. Although habituation has been inferred as a factor in many security-warning studies, little research has examined habituation directly in the context of security, because habituation as a mental state is difficult to observe using conventional methods. Therefore, there is a gap in our understanding of how habituation to security warnings occurs in the brain, which limits researchers’ efforts to design warnings that can mitigate its effects.
Initially, our eye-tracking data, collected using related images, established that a computer user scrutinizes less closely the images that he or she believes to have seen before. This suggests that users who receive a phishing email that appears similar to a legitimate email will be less likely to identify the malicious message as a phishing attack. This link suggested user habituation toward already-seen images, and it extended even to security warnings that the computer provides to alert the user to a potential threat. Because the eye-tracking data illustrated habituation but did not provide more detailed information about brain activity, the study shifted to functional magnetic resonance imaging (fMRI) to map cerebral activity at the time of the warning. Given this possible habituation, we hypothesized that creating polymorphic warning messages or images could mitigate repetition suppression (a reduced neural response to stimuli that are viewed repeatedly), or habituation, in the brain and prompt users to scrutinize security warning messages more closely. To better understand which, if any, polymorphic warnings would help mitigate these risks, several categories of polymorphic image manipulations were created (Figure 1).
After fMRI confirmed the eye-tracking results indicating that habituation did indeed take place in users with repetitive image viewing, the subjects were shown these modified images and their brain activity was recorded. These interactions (static vs. polymorphic) are detailed in Figure 2. The level of activity in the Superior Parietal Lobes, the Medial Prefrontal Cortex, and the Left Retrosplenial Cortex appears to differ between static and polymorphic images; moreover, brain activity during these repetitions suggests that, with static images, visual scrutiny diminishes as memory-related activity increases.
After analysis, the data seem to support the hypothesis that A) users become habituated by visual repetition, and B) polymorphic warning systems can mitigate this habituation to a degree. It also appears that “jiggle” animations, “scale” animations, window color variation, and warning symbol use are the most effective methods (in these tests) for mitigating repetition suppression.
Figure 1: Image Variations and Results
Figure 2: Activation of Static vs. Polymorphic Images in Specific Regions of the Brain