Please join us for the CIS PHD seminar on Monday 4:30-5:30 in Hamilton Library. Our speaker will be visiting scholar Dr. Anthony Vance.
Title: How Do People Habituate to Security Warnings Over Time? Insights from Longitudinal fMRI and Field Experiments
Abstract: Research in the fields of information systems and human–computer interaction has shown that habituation—decreased response to repeated stimulation—is a serious threat to the effectiveness of security warnings. Although habituation is a neurobiological phenomenon that develops over time, past studies have only examined this problem cross-sectionally. Further, past studies have not examined how habituation influences actual security warning behavior in the field. For these reasons, the full extent of the problem of habituation is unknown.
We address these gaps by conducting two complementary longitudinal experiments. First, we performed an fMRI experiment to directly measure habituation to security warnings as it develops in the brain over a five-day workweek. Our results show not only a general decline of participants’ attention to warnings over time, but also that attention recovers at least partially between workdays without exposure to the warnings. Further, we found that updating the appearance of a warning—i.e., a polymorphic design— substantially reduced habituation of attention.
Second, we performed a three-week field experiment in which users were naturally exposed to privacy permission warnings as they installed apps on their mobile device. Consistent with our fMRI results, users’ security behavior substantially decreased over the three weeks. However, for users who received polymorphic permission warnings, adherence dropped at a substantially lower rate and remained high after three weeks compared to users who received standard warnings. Together, these findings provide the most complete view yet of the problem of habituation to security warnings, and demonstrates that polymorphic warnings can substantially improve warning adherence behavior.