Your memory is working against you: How eye tracking and memory explain habituation to security warnings

Bibliographic Details
Published in: Decision Support Systems 2016-12, Vol.92, p.3-13
Main Authors: Anderson, Bonnie Brinton; Jenkins, Jeffrey L.; Vance, Anthony; Kirwan, C. Brock; Eargle, David
Format: Article
Language: English
Description
Summary: Security warnings are critical to the security of end users and their organizations, often representing the final defense against an attack. Because warnings require users to make a contextual judgment, it is critical that they pay close attention to warnings. However, research shows that users routinely disregard them. A major factor contributing to the ineffectiveness of warnings is habituation, the decreased response to a repeated warning. Although previous research has identified the problem of habituation, the phenomenon has only been observed indirectly through behavioral measures. Therefore, it is unclear how habituation develops in the brain in response to security warnings, and how this in turn influences users' perceptions of these warnings. This paper contributes by using eye tracking to measure the eye movement-based memory (EMM) effect, a neurophysiological manifestation of habituation in which people unconsciously scrutinize previously seen stimuli less than novel stimuli. We show that habituation sets in after only a few exposures to a warning and progresses rapidly with further repetitions. Using guidelines from the warning science literature, we design a polymorphic warning artifact which repeatedly changes its appearance. We demonstrate that our polymorphic warning artifact is substantially more resistant to habituation than conventional security warnings, offering an effective solution for practice. Finally, our results highlight the value of applying neuroscience to the domain of information security behavior.

• Eye tracking is used to measure habituation to security warnings.
• Habituation sets in after a few exposures to a warning.
• A polymorphic warning is designed to reduce habituation.
• The polymorphic warning reduces habituation compared to conventional warnings.
ISSN: 0167-9236, 1873-5797
DOI: 10.1016/j.dss.2016.09.010