Using fMRI to Measure Stimulus Generalization of Software Notification to Security Warnings

  • Conference paper
Information Systems and Neuroscience

Part of the book series: Lecture Notes in Information Systems and Organisation (LNISO, volume 32)

Abstract

This paper examines how habituation to frequent software notifications may carry over to infrequent security warnings. This general process—known as stimulus generalization or simply generalization—is a well-established phenomenon in neurobiology that has clear implications for information security. Because software user interface guidelines call for visual consistency, software notifications and security warnings have a similar look and feel. Consequently, through frequent exposure to notifications, people may become habituated to security warnings they have never seen before. The objective of this paper is to propose an fMRI experimental design to measure the extent to which this occurs. We also propose testing security warning designs that are resistant to generalization of habituation effects.

Acknowledgements

This research was funded by NSF Grant #CNS-1931108.

Author information

Corresponding author

Correspondence to Brock Kirwan.

Copyright information

© 2020 Springer Nature Switzerland AG

Cite this paper

Kirwan, B., Anderson, B., Eargle, D., Jenkins, J., Vance, A. (2020). Using fMRI to Measure Stimulus Generalization of Software Notification to Security Warnings. In: Davis, F., Riedl, R., vom Brocke, J., Léger, PM., Randolph, A., Fischer, T. (eds) Information Systems and Neuroscience. Lecture Notes in Information Systems and Organisation, vol 32. Springer, Cham. https://doi.org/10.1007/978-3-030-28144-1_10
