Bonnie Anderson, Anthony Vance, Brock Kirwan
Evaluation of how well the academic objectives of the proposal were met
The objective of this MEG grant was to:
“show that cognitive neuroscience provides a useful lens through which to study the problem of phishing. A commonly reported finding from the field of memory is the repetition suppression effect, the phenomenon of people unconsciously paying less attention to images that have been previously viewed. We aim to show in this study that this effect holds in the context of email processing, and that the memory-based repetition suppression effect is a significant contributing factor to users’ susceptibility to phishing.”
We ended up studying security messages rather than phishing emails, but we still used fMRI to look at memory. We were able to compare user habituation in response to general computer images versus security warning images. Our results show that the habituation to security warnings was greater than the habituation to general computer images. In addition, we were able to show that a polymorphic warning design that frequently updates its appearance showed greater resistance to habituation than typical warnings.
We have published an article in the Proceedings of the ACM Conference on Human Factors in Computing Systems (CHI), Seoul, Korea, 2015. We have also presented our work at a variety of other conferences (listed in the next section of this report). In addition, we have several articles currently under review at premier journals in the field of Information Systems (Information Systems Research, MIS Quarterly, European Journal of Information Systems) as well as a neuroscience journal. We have presented our work, by invitation, to security researchers and developers at Apple and Google in Silicon Valley.
Evaluation of the mentoring environment
Our research team was composed of graduate and undergraduate students, who worked together with professors Bonnie Anderson, Anthony Vance and Brock Kirwan. We met together weekly for over a year and conducted experiments in the BYU MRI Research Facility. The students have learned not only principles of designing, conducting, and analyzing research, but they have also learned specific skills required to use the neurophysiological tools.
List of students who participated and what academic deliverables they have produced
Participating undergraduate students:
Dixon Brown: experimental design, data collection
Ian Jones: literature review, experimental design, data collection
Thomas Kelly: experimental design, data collection
Ben LeBaron: literature review, experimental design
Brock Johanson: literature review, data collection
Scott Jensen: literature review, data collection, writeup
Participating graduate students:
Seth Howard: experimental design (artifact development)
Dave Eargle: literature review, experimental design, data collection, data analysis, writeup
Daniel Bjornn: literature review, experimental design, data collection, data analysis, writeup
Conference papers coauthored with student help:
Anderson, B., Kirwan, B., Jenkins, J., Eargle, D., Howard, S., Vance, A. (2015). How Polymorphic Warnings Reduce Habituation in the Brain—Insights from an fMRI Study. ACM Conference on Human Factors in Computing Systems (CHI). Seoul, Korea.
Anderson, B., Vance, A., Kirwan, B., Jenkins, J. and Eargle, D. (2015). How Technostress Impacts Users’ Responses to Security Warnings: A NeuroIS Study. Americas Conference on Information Systems (AMCIS). Puerto Rico.
Anderson, B., Kirwan, B., Eargle, D., Jenkins, J., and Vance, A. (2015). Stop Interrupting Me! An fMRI Study of the Negative Impact of Dual-Task Interference on Users’ Responses to Security Messages. Symposium on Usable Privacy and Security (SOUPS). Ottawa, Canada.
Anderson, B., Vance, A., Kirwan, B., Jenkins, J. and Eargle, D. (2015). Technostressing Out: How Technostress Impacts Users’ Responses to Security Warnings. Workshop on Security and Human Behavior. Georgetown University.
Anderson, B., Vance, A., Kirwan, B., Jenkins, J. and Eargle, D. (2015). The Threat of the One-Track Mind: Using fMRI to Show How Dual-Task Interference in the Brain Affects Users’ Responses to Security Messages. Workshop on Security and Human Behavior. Georgetown University.
Anderson, B., Vance, A., Kirwan, B., Eargle, D., Howard, S. (2014). Users Aren’t (Necessarily) Lazy: Using NeuroIS to Explain Habituation to Security Warnings. International Conference on Information Systems. Auckland, New Zealand.
Anderson, B., Vance, A., Kirwan, B., Jenkins, J. and Eargle, D. (2015). Using fMRI to Explain the Effect of Dual-Task Interference on Security Behavior. Gmunden Retreat on NeuroIS. Gmunden, Austria.
Description of the results/findings of the project
This paper makes several contributions. First, in Study 1, we extended previous research on habituation by using neuroscience to observe habituation as it occurs in the context of human-computer interaction (HCI). Additionally, this study demonstrated how the repetition suppression (RS) effect can be directly measured in the brain using fMRI. Whereas previous HCI research measured habituation indirectly by observing its effects, such as inattentive behaviors, this study measured habituation directly as it occurs in the brain. Specifically, we showed how a simple repeated-exposure experimental design can permit researchers to detect the existence and size of the RS effect using the BOLD response. Using this method, we illustrated the precipitous drop in visual processing after only one repeated exposure and a large overall drop after 13 exposures. These results can provide researchers with a useful baseline of the RS effect in response to security warnings for future research.
Second, we demonstrated in Study 1 that polymorphic warnings are more resistant to RS than static warnings. Although polymorphic warnings have been proposed before, previous polymorphic variations were limited to the repositioning of options on the warning dialog. In contrast, this study utilized warning science literature to derive 12 polymorphic variations that can be generically applied to a wide variety of security warnings.
Additionally, past research has not examined the influence of polymorphic warnings on habituation (either directly or indirectly) but rather measured frequency of risk-taking behavior. Therefore, it was previously unknown whether polymorphic warnings could indeed reduce habituation. We addressed this research gap by establishing that polymorphic warnings reduce the occurrence of RS to be significantly below that of conventional static warnings.
Third, we analyzed the fMRI data to select the polymorphic variations that were most effective in reducing RS. In this way we were able to identify the four most effective variations (see Figure 5) from our set.
Fourth, the results of the mouse cursor tracking experiment corroborated our fMRI findings. Specifically, we found that polymorphic warnings resulted in both reduced habituation (as evidenced by the main effect) and slower habituation (as indicated by the interaction effect of the polymorphic treatment and the warning display order) compared with static warnings. Using two complementary neurophysiological measures allowed us to compensate for weaknesses inherent in each method. For example, the mouse cursor tracking method allowed us to implement the polymorphic warning UI artifact and test it within a natural task on participants’ own personal computers, significantly enhancing the ecological validity of this research.
Finally, our methodology is itself a contribution in that it illustrates the usefulness of applying neuroscience to the domain of security and HCI generally. Because automatic or unconscious mental processes underlie much of human cognition and decision making, they likely play an important role in a number of other security behaviors, such as security education, training, and awareness (SETA) programs, password use, and information security policy compliance. Additionally, neuroscience methods have the potential to lead to the development of more complete behavioral security theories and guide the design of more effective security interventions.
Description of how the budget was spent
The MEG grant funds were largely spent on MRI scans and subject compensation (about $12,500) and student wages.