DISA SEMINAR

Tuning Out Security Warnings: A Longitudinal Examination of Habituation Through fMRI, Eye Tracking, and Field Experiments

Speaker
Dr. Anthony Vance, University of Hawaii

05 Dec 2017 Tuesday, 10:30 AM to 12:00 PM

MR3, COM2-02-26

ABSTRACT:

Research in the fields of information systems and human-computer interaction has shown that habituation (decreased response to repeated stimulation) is a serious threat to the effectiveness of security warnings. Although habituation is a neurobiological phenomenon that develops over time, past studies have only examined this problem cross-sectionally. Further, past studies have not examined how habituation influences actual security warning adherence in the field. For these reasons, the full extent of the problem of habituation is unknown.

We address these gaps by conducting two complementary longitudinal experiments. First, we performed an experiment collecting fMRI and eye-tracking data simultaneously to directly measure habituation to security warnings as it develops in the brain over a five-day workweek. Our results show not only a general decline of participants' attention to warnings over time but also that attention recovers at least partially between workdays without exposure to the warnings. Further, we found that updating the appearance of a warning (that is, a polymorphic design) substantially reduced habituation of attention.

Second, we performed a three-week field experiment in which users were naturally exposed to privacy permission warnings as they installed apps on their mobile devices. Consistent with our fMRI results, users' warning adherence substantially decreased over the three weeks. However, for users who received polymorphic permission warnings, adherence dropped at a substantially lower rate and remained high after three weeks, compared to users who received standard warnings. Together, these findings provide the most complete view yet of the problem of habituation to security warnings and demonstrate that polymorphic warnings can substantially improve adherence.

BIODATA:

Anthony Vance is the Danny & Elsa Lui Distinguished Associate Professor in the Information Technology Management Department at the Shidler College of Business of the University of Hawaii at Manoa, as well as Associate Professor of Information Systems at the Marriott School of Business of Brigham Young University. He earned Ph.D. degrees in Information Systems from Georgia State University, USA; the University of Paris - Dauphine, France; and the University of Oulu, Finland. His previous experience includes working as a security consultant at Deloitte and as a research professor in the Information Systems Security Research Center at the University of Oulu.

His research focuses on behavioral and neuroscience applications to information security. His work is published in outlets such as MIS Quarterly, Information Systems Research, Journal of Management Information Systems, Journal of the Association for Information Systems, European Journal of Information Systems, Journal of the American Society for Information Science and Technology, and Proceedings of the ACM Conference on Human Factors in Computing Systems (CHI). He currently is an associate editor at MIS Quarterly and serves on the editorial board of Journal of the Association for Information Systems.