Brock Johanson and Bonnie Anderson, Information Systems
Neuro Information Security (NeuroIS) focuses on the use of neurological measurements to improve the security of information systems. The BYU NeuroIS lab uses neurological tools and measurements to examine factors that affect security outcomes. Previous work has focused on factors such as dual-task interference (DTI) and threat assessment, as well as habituation and generalization, which have become focus streams of research. The primary point of failure in most security-related incidents tends to be users themselves. As such, anything that can be used to overcome neurobiological phenomena such as those listed above can ultimately lead to better security outcomes. A primary point of failure is adherence to security messages, which are often glossed over when users are in a hurry to complete another task, or interpreted as another ubiquitous system notification.
DTI arises when a user must perform two tasks, a primary task and a secondary task, concurrently. In DTI scenarios there is competition for cognitive resources: the user’s primary task, which began before the warning was displayed, takes precedence, and consequently the warning may not be adequately processed (Pashler 1994). A similarly compromising scenario occurs when users interpret security warnings as “just another message,” reflecting the effects of habituation and generalization. Habituation occurs when something is seen frequently and is consequently given less importance in the user’s mind (Thompson and Spencer 1966). Generalization occurs when warnings that are similar to previously viewed notifications or popups are interpreted as being the same, and are therefore treated the same as other notifications. Our research examines both of these phenomena and their importance to security outcomes, generally focusing on adherence to security warnings.
DTI was studied using fMRI, with two treatments administered by manipulating the order of a series of tasks given to subjects: one high DTI and the other low DTI. Decreased activation of the medial temporal lobe (MTL) was observed in situations of high DTI (tasks were being completed concurrently). Increased activation of the MTL and improved response to security warnings were observed in situations of low DTI, when tasks were performed in sequence. The difference in adherence to security warnings between treatment groups was observed to be significant. A laboratory experiment using notifications from a web browser corroborated these results, showing that optimally timing security messages, at points of low DTI in the browser, resulted in less disregard for security messages. Mouse cursor data was used to analyze engagement when interacting with security messages, with slower movements indicating greater attention paid to warnings. Decreased disregard of security messages was also found among the low DTI conditions, confirming findings from the fMRI study (Jenkins et al. 2016).
A similar approach was used to examine habituation and generalization. Having previously observed the effect of habituation in the lab, we used an fMRI study to demonstrate that habituation occurs in the brain in as few as two exposures, and that it can be combated by employing polymorphic variation, that is, warnings that physically alter their appearance. This is particularly important because it challenges the thinking of designers and programmers, who strive for consistency; that consistency may actually be making the task of communicating important messages to users more difficult for everyone, though the effect can be combated (Anderson et al. 2016).
The importance of the research is twofold. First and foremost, using the fMRI methods, we demonstrate that there are neurophysiological phenomena occurring in the brain for DTI, generalization, and habituation. This has implications for behavioral outcomes when subjects are given tasks in an experimental setting, but these outcomes are not exclusively observed in experimental settings. Although the initial fMRI studies provide a basis for further research, they are a tool that helps us isolate potential threats to secure computing behavior and recreate them in an appropriate context as we seek to focus on the real-world implications of DTI, generalization, and habituation. Second, the research that we do provides a means to combat the effects of these phenomena, such as timing important notifications to when users are most likely to be idle, or varying the physical appearance of warnings when they are important to security outcomes.
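
The two mitigations named above, sketched as an added example (not code from the lab or the cited studies): a scheduler that holds a warning until the user has been quiet for a while and rotates its appearance on each exposure. The class name, the style names, the 2-second idle window and the 15-second upper bound on deferral are all assumptions made for illustration.

```javascript
// Added illustration: names, styles and thresholds are assumptions, not values from the studies.
const VARIANTS = ["red-border", "yellow-fill", "jiggle", "zoom-in", "inverted"]; // hypothetical styles

class WarningScheduler {
  constructor({ idleMs = 2000, maxDelayMs = 15000, variants = VARIANTS } = {}) {
    this.idleMs = idleMs;         // quiet time treated as "primary task paused" (low DTI)
    this.maxDelayMs = maxDelayMs; // a warning is never held longer than this
    this.variants = variants;
    this.lastActivity = -Infinity;
    this.queue = [];
    this.exposures = new Map();   // warning type -> times already shown
  }

  // Call from input handlers (keydown, mousemove, scroll) with a timestamp in ms.
  recordActivity(now) { this.lastActivity = now; }

  enqueue(type, now) { this.queue.push({ type, queuedAt: now }); }

  // Polymorphic variation: change the appearance on every exposure of a warning type.
  nextVariant(type) {
    const seen = this.exposures.get(type) || 0;
    this.exposures.set(type, seen + 1);
    return this.variants[seen % this.variants.length];
  }

  // Call periodically; returns the warnings that should be displayed now.
  tick(now) {
    const idle = now - this.lastActivity >= this.idleMs;
    const due = [];
    const held = [];
    for (const w of this.queue) {
      const overdue = now - w.queuedAt >= this.maxDelayMs;
      if (idle || overdue) {
        due.push({ type: w.type, variant: this.nextVariant(w.type),
                   reason: idle ? "idle" : "deadline" });
      } else {
        held.push(w); // user is mid-task: keep waiting for a low-DTI moment
      }
    }
    this.queue = held;
    return due;
  }
}
```

The deadline exists so that a continuously busy user still sees the warning; how long a given warning can safely wait depends on what it protects against.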
- Jenkins, J., Anderson, B., Vance, A., Kirwan, B., Eargle, D. forthcoming, “More Harm than Good? How Security Messages that Interrupt Make Us Vulnerable,” Information Systems Research, Digital Vulnerabilities Special Issue, Published online August 2016.
- Thompson, R. F., and Spencer, W. A. “Habituation: A Model Phenomenon for the Study of Neuronal Substrates of Behavior,” Psychological Review (73:1), pp. 16-43, 1966.
- Pashler, H. “Dual-Task Interference in Simple Tasks: Data and Theory,” Psychological Bulletin, vol. 116, pp. 220-244, 1994.
- Anderson, Bonnie Brinton, et al. “From Warning to Wallpaper: Why the Brain Habituates to Security Warnings and What Can Be Done About It,” Journal of Management Information Systems (33:3), pp. 713-743, 2016.