The Guardian highlighted the BYU Neurosecurity Lab in a story, “Why do people ignore security warnings when browsing the web?” The article discusses the findings of our 2015 CHI paper, “How Polymorphic Warnings Reduce Habituation in the Brain.”
Here’s an excerpt from the article:
Hardwired Not to Notice
Anthony Vance, assistant professor of information systems at Utah’s Brigham Young University, works in the neurosecurity lab there. The lab spends its time exploring how the brain interacts with cybersecurity issues. His team put test subjects in a magnetic resonance imaging machine to see what happened inside their brains when faced with software security warnings.
“We used a variety of 40 different warnings – common ones of all kinds, like anti-virus warnings, software updates, and SSL warnings from browsers of all kinds,” says Vance. The results showed that the visual processing part of the brain stopped analysing the warnings after seeing them more than once.
This is a concept that he calls “habituation” – in short, people stop paying attention to warnings, the more they see them, and Vance says there’s a biological reason for it. “The first time that your brain experiences a stimulus, it devotes attention to it, but then for subsequent exposures, it relies on memory, and the response is far less,” he says.
When you walk into your room for the hundredth time, you’re not really looking at your wallpaper Vance explains. Instead, your brain is painting a picture of it for you from memory. This leaves your brain free to focus on other things.
That’s fine for wallpaper that doesn’t change, but it’s problematic for computer warnings which may change frequently and present different information. “Some people think that users are lazy and inattentive,” says Vance, “but this is simply fundamental to our own biology.”
Bauer’s design guidelines suggest consistency in warnings to make them more understandable for the user. Paradoxically, Vance’s research suggests the opposite. He tried to make polymorphic warnings, which are inconsistent, to keep the brain engaged.
Switching colours, adding images randomly and including animated graphics are all ways to stop the brain relying on memory and persuading it to pay attention, he said. One of the most successful polymorphic warnings in his test even jiggled slightly.