C. Brock Kirwan - US grants

Warning messages are one of the last lines of defense in computer security, and are fundamental to users' security interactions with technology. Unfortunately, research shows that users routinely ignore security warnings. A key contributor to this disregard is habituation, the diminishing of attention due to frequent exposure. However, previous research examining habituation has done so only indirectly, by observing the influence of habituation on security behavior, rather than measuring habituation itself. This project uses neuroscience to open the "black box" of the brain to observe habituation as it occurs. By investigating how repetition suppression occurs in the brain, researchers can make a more precise approach to designing security warnings that are resistant to the effects of habituation.

Specifically, functional magnetic resonance imaging (fMRI) is used to measure how neural activity in the visual processing centers of the brain sharply decrease with repeated exposure to warnings. This phenomenon, termed the repetition suppression effect, is directly antecedent to the process of habituation. This project aims to: (1) directly measure how habituation of security warnings occurs in the brain; (2) examine how habituation towards security warnings develops over time using a longitudinal design; and (3) use fMRI brain data to guide the design of polymorphic (dynamic) security warnings, as well as to empirically test their effectiveness compared with existing security warnings. The insights gained from this project have the potential to inform the design and evaluation of warnings that more effectively help users to respond to security threats.

This project measures how decreased attention to frequent software notifications negatively influences peoples' responses to uncommon security warnings that are truly critical. The researchers will use eye tracking equipment to examine this problem by measuring attention to notifications and warnings through eye gaze patterns, and individuals' decisions in response to these messages. They will observe how changes occur in the context of a single computing device, such as a laptop computer, as well as diminished attention across devices, such as how frequent notifications on a mobile device affect people's responses to uncommon security warnings on a desktop computer.

Through a series of laboratory experiments using eye tracking and functional Magnetic Resonance Imaging (fMRI) technologies, the researchers will examine the conditions under which habituation to frequent software notifications generalizes, or carries over, to uncommon security warnings. These conditions include the similarity of visual appearance and mode of interaction (i.e., look and feel) between notifications and warnings, the volume of notifications, and whether these factors cause generalization to occur across devices. They also examine how people behaviorally respond successfully to security warnings by adhering to the warning recommendations.

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.