Journal of Management Information Systems

Volume 33, Number 3, 2016, pp. 713-743

From Warning to Wallpaper: Why the Brain Habituates to Security Warnings and What Can Be Done About It

Anderson, Bonnie Brinton; Vance, Anthony; Kirwan, C Brock; Jenkins, Jeffrey L; and Eargle, David

ABSTRACT:

Warning messages are fundamental to users’ security interactions. Unfortunately, they are largely ineffective, as shown by prior research. A key contributor to this failure is habituation: decreased response to a repeated warning. Previous research has only inferred the occurrence of habituation to warnings, or measured it indirectly, such as through the proxy of a related behavior. Therefore, there is a gap in our understanding of how habituation to security warnings develops in the brain. Without direct measures of habituation, we are limited in designing warnings that can mitigate its effects. In this study, we use neurophysiological measures to directly observe habituation as it occurs in the brain and behaviorally. We also design a polymorphic warning artifact that repeatedly changes its appearance in order to resist the effects of habituation. In an experiment using functional magnetic resonance imaging (fMRI; n = 25), we found that our polymorphic warning was significantly more resistant to habituation than were conventional warnings in regions of the brain related to attention. In a second experiment (n = 80), we implemented the four most resistant polymorphic warnings in a realistic setting. Using mouse cursor tracking as a surrogate for attention to unobtrusively measure habituation on participants’ personal computers, we found that polymorphic warnings reduced habituation compared to conventional warnings. Together, our findings reveal the substantial influence of neurobiology on users’ habituation to security warnings and security behavior in general, and we offer our polymorphic warning design as an effective solution to practice.

Key words and phrases: behavioral information systems security, cybersecurity, fMRI, functional magnetic resonance imaging, habituation, mouse cursor tracking, neurobiology, NeuroIS, polymorphic warnings, security warnings