Presentation at CHI 2015

Bonnie Anderson and Anthony Vance presented our research in the “Security Feedback & Warnings” session at CHI 2015 in Seoul, Korea. It was a great session with closely related presentations by Serge Egelman of UC Berkeley, Adrienne Porter Felt of Google, and Blase Ur of Carnegie Mellon University. You can read and watch a video about the paper here:

How Polymorphic Warnings Reduce Habituation in the Brain—Insights from an fMRI Study

The Guardian Highlights the BYU Neurosecurity Lab

The Guardian highlighted the BYU Neurosecurity Lab in a story, “Why do people ignore security warnings when browsing the web?” The article discusses the findings of our 2015 CHI paper, “How Polymorphic Warnings Reduce Habituation in the Brain.”

Here’s an excerpt from the article:

Hardwired Not to Notice

Anthony Vance, assistant professor of information systems at Utah’s Brigham Young University, works in the neurosecurity lab there. The lab spends its time exploring how the brain interacts with cybersecurity issues. His team put test subjects in a magnetic resonance imaging machine to see what happened inside their brains when faced with software security warnings.

“We used a variety of 40 different warnings – common ones of all kinds, like anti-virus warnings, software updates, and SSL warnings from browsers of all kinds,” says Vance. The results showed that the visual processing part of the brain stopped analysing the warnings after seeing them more than once.

This is a concept that he calls “habituation” – in short, people stop paying attention to warnings, the more they see them, and Vance says there’s a biological reason for it. “The first time that your brain experiences a stimulus, it devotes attention to it, but then for subsequent exposures, it relies on memory, and the response is far less,” he says.

When you walk into your room for the hundredth time, you’re not really looking at your wallpaper, Vance explains. Instead, your brain is painting a picture of it for you from memory. This leaves your brain free to focus on other things.

That’s fine for wallpaper that doesn’t change, but it’s problematic for computer warnings which may change frequently and present different information. “Some people think that users are lazy and inattentive,” says Vance, “but this is simply fundamental to our own biology.”

Bauer’s design guidelines suggest consistency in warnings to make them more understandable for the user. Paradoxically, Vance’s research suggests the opposite. He tried to make polymorphic warnings, which are inconsistent, to keep the brain engaged.

Switching colours, adding images randomly and including animated graphics are all ways to stop the brain relying on memory and persuade it to pay attention, he said. One of the most successful polymorphic warnings in his test even jiggled slightly.

Google Faculty Research Award 2015

In February 2015 we received a Google Faculty Research Award for our proposal entitled “Has Your Warning Turned into Wallpaper? Using Neuroscience to Design Habituation-Resistant Security Messages.” We were awarded $35,503 with Google Liaison Adrienne Porter Felt. This award will be used to support Neurosecurity Lab member Dan Bjornn, a PhD student in Psychology whose emphasis is behavioral neuroscience.

fMRI and Mouse Cursor Tracking Study on Habituation to Security Warnings Published in CHI 2015

The next study in our research stream on habituation to security warnings has been accepted to CHI 2015, which will be held in Seoul, April 18–23. The paper uses fMRI and mouse cursor tracking to show how the brain automatically habituates to, or “tunes out,” security warnings after multiple exposures. We also test an approach to reduce habituation in which we update the appearance of the warning so that the brain naturally pays more attention to the warning with repeated exposures.

Here is the abstract:

Research on security warnings consistently points to habituation as a key reason why users ignore security warnings. However, because habituation as a mental state is difficult to observe, previous research has examined habituation indirectly by observing its influence on security behaviors. This study addresses this gap by using functional magnetic resonance imaging (fMRI) to open the “black box” of the brain to observe habituation as it develops in response to security warnings. Our results show a dramatic drop in the visual processing centers of the brain after only the second exposure to a warning, with further decreases with subsequent exposures. To combat the problem of habituation, we designed a polymorphic warning that changes its appearance. We show in two separate experiments using fMRI and mouse cursor tracking that our polymorphic warning is substantially more resistant to habituation than conventional warnings. Together, our neurophysiological findings illustrate the considerable influence of human biology on users’ habituation to security warnings.

Article Download

Download a PDF of the article here.

EEG Study on Risk Perceptions and Security Warning User Behavior published in JAIS 2014

People commonly say they are concerned about the security of their information, but what they say frequently doesn’t match what they do. In this study, we use electroencephalography (EEG) via event-related potentials (ERPs) to measure people’s risk perceptions. We then show that this EEG measure of risk perception is a better predictor of users’ security behaviors than users’ stated risk perceptions. Our experiments show that these self-reported measures are ineffective in predicting security behaviors under a condition in which information security is not salient. However, we show that, when security concerns become salient, self-reported measures do predict security behavior. Interestingly, EEG measures significantly predict behavior in both salient and non-salient conditions, which indicates that EEG measures are a robust predictor of security behavior.

Article Download

Download a PDF of the article here.
