Researchers at the Neurosecurity Lab at Brigham Young University in Utah have conducted research [PDF] demonstrating that end-users become immured to online security warnings almost immediately – even when the warnings contain varying threat-levels regarding system security and/or personal privacy disclosure.

The report was conducted by Bonnie Brinton Anderson, C. Brock Kirwan, Jeffrey L. Jenkins and Anthony Vance of BYU, together with David Eargle of the University of Pittsburgh and ex-BYU alumnus Seth Howard of Google, Inc.

In the first set of experiments the group used functional magnetic resonance imaging (fMRI) to measure Repetition Suppression (RS) – ‘immunity’ to repeated security warnings – whilst each subject was exposed to a unique set of 560 images. Among the images were twenty ‘static’ security warnings and twenty ‘polymorphic’ warnings which exhibited unusual design or behaviour, including ‘jiggle’ or ‘zoom’ animations.

fmri[1]The ‘unusual’ warnings evinced a significant increase in levels of activation in the super parietal lobes for the polymorphic warnings, compared to the static versions.

The second study concentrated on analysing mouse movement as an index of user response to warnings. For this study the researchers received permission from Google to perform a ‘man-in-the-middle’ attack on the test subjects, who were placed in an ordinary browsing environment and told to retrieve and install twenty Chrome weather extensions. Users were forced to install the extensions ‘inline’, since the scientists’ MITM meddling caused the Chrome Web Store to appear to be ‘down for maintenance’.

polymorphic-warnings[1]

The mouse-analysis study repeated the incidence of polymorphic warnings vs. static, but this time compared the mouse proximity and relative position to the warnings shown, verifying the fMRI study but also throwing out additional information:

chrome-weather-extension-experiment[1]‘Three additional variables were included in the model. First, we explored whether the content of the warning influenced habituation (isMalicious). Interestingly, the content of the warning did not influence habituation for any of the statistics. This finding suggests that changing the content of a warning may not be enough to deter the influence of habituation. Likewise, the interaction between isMalicious and Order of the warning did not significantly influence any of the statistics, suggesting that the content of the message may not decrease habituation even during early encounters’ [My emphasis]

The report concludes that our habituation to user warnings is wide-spread, inevitable and practically instantaneous, and that new UI designs can help to alleviate the effect.

Anthony Vance, Assistant Professor of Information Systems at BYU concludes, in the video below: “In this paper we show that not only do users have to worry about attackers, but they also have to cope with their own biology, which in the case of habituation, is working against them, and their effectiveness in responding to security warnings,”


Opinion The BYU report also notes the results of a 2009 study ‘consistent with the theory of warning fatigue’ which found that users click past 50% of SSL warnings [PDF]. The online environment now presents such a ‘white noise’ of warnings – mostly intended to indemnify the provider – that it seems logical to believe identifying a warning of any kind is now enough to nullify its intended effect. The BYU report’s recommendation of new UI approaches to warnings seems set only to provide more templates for users to screen out as persistent annoyances. The only thing that may raise our cortical response to warnings would be to radically reduce their frequency and make them serve the end-user, rather than the paranoia of some distant legal department.