This paper examines how habituation to frequent software notifications may carry over to infrequent security warnings. This general process—known as stimulus generalization or simply generalization—is a well-established phenomenon in neurobiology that has clear implications for information security. Because software user interface guidelines call for visual consistency, software notifications and security warnings have a similar look and feel. Consequently, through frequent exposure to notifications, people may become habituated to security warnings they have never seen before. The objective of this paper is to propose an fMRI experimental design to measure the extent to which this occurs. We also propose testing security warning designs that are resistant to generalization of habituation effects.
The Fog of Warnings: How Non-essential Notifications Blur with Security Warnings
Adherence to security warnings continues to be an important problem in information security. Although users may fail to heed a security warning for a variety of reasons, a major contributor is habituation, which is decreased response to repeated stimulation. However, the scope of this problem may actually be much broader than previously thought because of the neurobiological phenomenon of generalization. Whereas habituation describes a diminished response with repetitions of the same stimulus, generalization occurs when habituation to one stimulus carries over to other novel stimuli that are similar in appearance. Generalization has important implications for the domains of usable security and human–computer interaction. Because a basic principle of user interface design is visual consistency, generalization suggests that through exposure to frequent non-security-related notifications (e.g., dialogs, alerts, confirmations, etc.) that share a similar look and feel, users may become deeply habituated to critical security warnings that they have never seen before. Further, with the increasing number of notifications in our lives across a range of mobile, Internet of Things, and computing devices, the accumulated effect of generalization may be substantial. However, this problem has not been empirically examined before. This paper contributes by measuring the impacts of generalization in terms of (1) diminished attention via mouse cursor tracking and (2) users’ ability to behaviorally adhere to security warnings. Through an online experiment, we find that:
• Habituation to a frequent non-security-related notification does carry over to a one-time security warning.
• Generalization of habituation is manifest both in (1) decreased attention to warnings and (2) lower warning adherence behavior.
• The carry-over effect, most importantly, is due to generalization, and not fatigue.
• The degree to which generalization occurs depends on the similarity in look and feel between a notification and warning.
These findings open new avenues of research and provide guidance to software developers for creating warnings that are more resistant to the effects of generalization of habituation, thereby improving users’ security warning adherence.
- Award ID(s): 1931108
- PAR ID: 10176924
- Date Published:
- Journal Name: Symposium on Usable Privacy and Security (SOUPS)
- Format(s): Medium: X
- Sponsoring Org: National Science Foundation
More Like this
-
Improving end-users’ awareness of cybersecurity warnings (e.g., phishing and malware alerts) remains a longstanding problem in usable security. Prior work suggests two key weaknesses with existing warnings: they are primarily communicated via saturated communication channels (e.g., visual, auditory, and vibrotactile); and, they are communicated rationally, not viscerally. We hypothesized that wrist-based affective haptics should address both of these weaknesses in a form-factor that is practically deployable: i.e., as a replaceable wristband compatible with modern smartwatches like the Apple Watch. To that end, we designed and implemented Spidey Sense, a wristband that produces customizable squeezing sensations to alert users to urgent cybersecurity warnings. To evaluate Spidey Sense, we applied a three-phased ‘Gen-Rank-Verify’ study methodology with 48 participants. We found evidence that, relative to vibrotactile alerts, Spidey Sense was considered more appropriate for the task of alerting people to cybersecurity warnings.
-
To be useful and widely accepted, automated contact tracing schemes (also called exposure notification) need to solve two seemingly contradictory problems at the same time: they need to protect the anonymity of honest users while also preventing malicious users from creating false alarms. In this paper, we provide, for the first time, an exposure notification construction that guarantees the same levels of privacy and integrity as existing schemes but with a fully malicious database (notably similar to Auerbach et al. CT-RSA 2021) without special restrictions on the adversary. We construct a new definition so that we can formally prove our construction secure. Our definition ensures the following integrity guarantees: no malicious user can cause exposure warnings in two locations at the same time and that any uploaded exposure notifications must be recent and not previously uploaded. Our construction is efficient, requiring only a single message to be broadcast at contact time no matter how many recipients are nearby. To notify contacts of potential infection, an infected user uploads data with size linear in the number of notifications, similar to other schemes. Linear upload complexity is not trivial with our assumptions and guarantees (a naive scheme would be quadratic). This linear complexity is achieved with a new primitive: zero knowledge subset proofs over commitments which is used by our no cloning proof protocol. We also introduce another new primitive: set commitments on equivalence classes, which makes each step of our construction more efficient. Both of these new primitives are of independent interest.
-
As we develop computing platforms for augmented reality (AR) head-mounted display (HMDs) technologies for social or workplace environments, understanding how users interact with notifications in immersive environments has become crucial. We researched effectiveness and user preferences of different interaction modalities for notifications, along with two types of notification display methods. In our study, participants were immersed in a simulated cooking environment using an AR-HMD, where they had to fulfill customer orders. During the cooking process, participants received notifications related to customer orders and ingredient updates. They were given three interaction modes for those notifications: voice commands, eye gaze and dwell, and hand gestures. To manage multiple notifications at once, we also researched two different notification list displays, one attached to the user’s hand and one in the world. Results indicate that participants preferred using their hands to interact with notifications and having the list of notifications attached to their hands. Voice and gaze interaction was perceived as having lower usability than touch
-
Chronic stress has been extensively studied in both laboratory and field settings; however, a conclusive and consistent phenotype has not been reached. Several studies have reported attenuation of the hypothalamic–pituitary–adrenal axis during experiments intended to cause chronic stress. We sought to determine whether this attenuation could be indicative of habituation. Importantly, we were not investigating habituation to a specific stimulus—as many stress physiology studies do—but rather we assessed how the underlying physiology and behavior changed in response to repeated stressor presentation. We exposed house sparrows (Passer domesticus) to a single stimulus twice per day at random times for 8 consecutive days. We predicted that this period of time would be long enough for the birds to determine that these acute stressors were not, in fact, dangerous and they would, therefore, acclimate. A second control group remained undisturbed for the same period of time. We measured baseline, stress‐induced, negative feedback strength, and maximum production of corticosterone as well as neophobic behavior before, during, and after this 8‐day experiment. When birds experienced a stimulus for 4 days, their negative feedback strength was significantly diminished, but recovered after the second 4 days. Additionally, perch hopping decreased and recovered in this same time frame. These data suggest that distinct physiological and behavioral responses arise when house sparrows are exposed to the same stressor for several consecutive days as opposed to many stressors layered on top of one another. Furthermore, they indicate that habituation—as with chronic stress—can appear differently depending on the metric being examined.

