Title: The Fog of Warnings: How Non-essential Notifications Blur with Security Warnings
Adherence to security warnings continues to be an important problem in information security. Although users may fail to heed a security warning for a variety of reasons, a major contributor is habituation: a decreased response to repeated stimulation. However, the scope of this problem may be much broader than previously thought because of the neurobiological phenomenon of generalization. Whereas habituation describes a diminished response to repetitions of the same stimulus, generalization occurs when habituation to one stimulus carries over to novel stimuli that are similar in appearance. Generalization has important implications for usable security and human–computer interaction. Because visual consistency is a basic principle of user interface design, generalization suggests that, through exposure to frequent non-security-related notifications (e.g., dialogs, alerts, confirmations) that share a similar look and feel, users may become deeply habituated to critical security warnings that they have never seen before. Further, with the increasing number of notifications across mobile, Internet of Things, and computing devices, the accumulated effect of generalization may be substantial. This problem has not been empirically examined before. This paper contributes by measuring the impact of generalization in terms of (1) diminished attention, via mouse cursor tracking, and (2) users’ ability to behaviorally adhere to security warnings. Through an online experiment, we find that:

• Habituation to a frequent non-security-related notification does carry over to a one-time security warning.
• Generalization of habituation is manifest both in (1) decreased attention to warnings and (2) lower warning adherence behavior.
• The carry-over effect, most importantly, is due to generalization and not to fatigue.
• The degree to which generalization occurs depends on the similarity in look and feel between a notification and a warning.

These findings open new avenues of research and provide guidance to software developers for creating warnings that are more resistant to generalization of habituation, thereby improving users’ security warning adherence.
Award ID(s):
1931108
NSF-PAR ID:
10176924
Journal Name:
Symposium on Usable Privacy and Security (SOUPS)
Sponsoring Org:
National Science Foundation
More Like this
  1. This paper examines how habituation to frequent software notifications may carry over to infrequent security warnings. This general process, known as stimulus generalization or simply generalization, is a well-established phenomenon in neurobiology that has clear implications for information security. Because software user interface guidelines call for visual consistency, software notifications and security warnings have a similar look and feel. Consequently, through frequent exposure to notifications, people may become habituated to security warnings they have never seen before. The objective of this paper is to propose an fMRI experimental design to measure the extent to which this occurs. We also propose testing security warning designs that are resistant to generalization of habituation effects.
  2. Chronic stress has been extensively studied in both laboratory and field settings; however, a conclusive and consistent phenotype has not been reached. Several studies have reported attenuation of the hypothalamic–pituitary–adrenal axis during experiments intended to cause chronic stress. We sought to determine whether this attenuation could be indicative of habituation. Importantly, we were not investigating habituation to a specific stimulus, as many stress physiology studies do, but rather we assessed how the underlying physiology and behavior changed in response to repeated stressor presentation. We exposed house sparrows (Passer domesticus) to a single stimulus twice per day at random times for 8 consecutive days. We predicted that this period of time would be long enough for the birds to determine that these acute stressors were not, in fact, dangerous and that they would therefore acclimate. A second control group remained undisturbed for the same period of time. We measured baseline, stress‐induced, negative feedback strength, and maximum production of corticosterone, as well as neophobic behavior, before, during, and after this 8‐day experiment. When birds experienced a stimulus for 4 days, their negative feedback strength was significantly diminished, but it recovered after the second 4 days. Additionally, perch hopping decreased and recovered in this same time frame. These data suggest that distinct physiological and behavioral responses arise when house sparrows are exposed to the same stressor for several consecutive days, as opposed to many stressors layered on top of one another. Furthermore, they indicate that habituation, as with chronic stress, can appear differently depending on the metric being examined.
  3. Improving end-users’ awareness of cybersecurity warnings (e.g., phishing and malware alerts) remains a longstanding problem in usable security. Prior work suggests two key weaknesses with existing warnings: they are primarily communicated via saturated communication channels (e.g., visual, auditory, and vibrotactile), and they are communicated rationally, not viscerally. We hypothesized that wrist-based affective haptics should address both of these weaknesses in a form factor that is practically deployable, i.e., as a replaceable wristband compatible with modern smartwatches like the Apple Watch. To that end, we designed and implemented Spidey Sense, a wristband that produces customizable squeezing sensations to alert users to urgent cybersecurity warnings. To evaluate Spidey Sense, we applied a three-phased ‘Gen-Rank-Verify’ study methodology with 48 participants. We found evidence that, relative to vibrotactile alerts, Spidey Sense was considered more appropriate for the task of alerting people to cybersecurity warnings.
  4. With the blooming adoption of push notifications on mobile devices, this new message delivery paradigm has become pervasive across diverse applications. Accompanying its broad adoption, potential security risks and privacy exposure issues raise public concern because of their great social impact. This paper conducts the first attempt to explore the mobile notification ecosystem. By dissecting its structural elements and implementation process, we conduct a comprehensive vulnerability analysis of the complete flow of mobile notification, from platform enrollment to messaging. Meanwhile, for privacy exposure, we first examine the implementation of privacy policy compliance by proposing a three-level inspection approach to guide our analysis. Then, our top-down methods, from documentation analysis and application network traffic study to static analysis, expose illicit data collection behaviors in released applications. In addition, we uncover the potential for privacy inference resulting from notification monitoring. To support our analysis, we conduct empirical studies on the 12 most popular notification platforms and perform static analysis over 30,000+ applications. We discover: 1) six platforms either provide ambiguous KEY naming rules or offer vulnerable messaging APIs; 2) privacy policy compliance implementations are either stagnated at the documentation stage (8 of 12 platforms) or never implemented in apps, resulting in billions of users suffering from privacy exposure; and 3) some apps can stealthily monitor notification messages delivered to other apps, potentially incurring user privacy inference risks. Our study raises an urgent demand for better regulation of mobile notification deployment.
  5. There are lingering questions about the effectiveness of the watch, warning, and advisory system (WWA) used to convey weather threats in the United States. Recently there has been a shift toward alternative communication strategies such as the impact-based forecast. The study reported here compared users’ interpretation of a color-coded impact-based prototype designed for email briefings to a legacy WWA format. Participants, including emergency managers and members of the public, saw a weather briefing and rated event likelihood, severity, damage, and population affected. Then they recommended emergency response actions. Each briefing described the severity of the weather event and the degree of impact on population and property. In one condition a color-coded impacts scale was added to the text description. In another, an advisory and/or warning was added to the text description. These were compared with the text-only control. Both emergency managers and members of the public provided higher ratings for event likelihood, severity, damage, and population affected and recommended a greater response for higher impact levels regardless of format. For both groups, the color-coded format decreased ratings for lower-impact events. Among members of the public, the color-coded format also led to increases for many ratings and greater response at higher levels relative to the other two conditions. However, the highest ratings among members of the public were in the WWA condition. Somewhat surprisingly, the only effect of the WWA format on emergency managers was to reduce action recommendations, probably because of the inclusion of the “advisory” in some briefings.