Users’ perceptions of risks have important implications for information security because individual users’ actions can compromise entire systems. Therefore, there is a critical need to understand how users perceive and respond to information security risks. Previous research on perceptions of information security risk has chiefly relied on self-reported measures. Although these studies are valuable, risk perceptions are often associated with feelings—such as fear or doubt—that are difficult to measure accurately using survey instruments. Additionally, it is unclear how these self-reported measures map to actual security behavior. This paper contributes to this topic by demonstrating that risk-taking behavior is effectively predicted using electroencephalography (EEG) via event-related potentials (ERPs). Using the Iowa Gambling Task, a widely used technique shown to be correlated with real-world risky behaviors, we show that the differences in neural responses to positive and negative feedback strongly predict users’ information security behavior in a separate laboratory-based computing task. In addition, we compare the predictive validity of EEG measures to that of self-reported measures of information security risk perceptions. Our experiments show that self-reported measures are ineffective in predicting security behaviors under a condition in which information security is not salient. However, we show that, when security concerns become salient, self-reported measures do predict security behavior. Interestingly, EEG measures significantly predict behavior in both salient and non-salient conditions, which indicates that EEG measures are a robust predictor of security behavior.
Research in the fields of information systems and human-computer interaction has shown that habituation (decreased response to repeated stimulation) is a serious threat to the effectiveness of security warnings. Although habituation is a neurobiological phenomenon that develops over time, past studies have only examined this problem cross-sectionally. Further, past studies have not examined how habituation influences actual security warning adherence in the field. For these reasons, the full extent of the problem of habituation is unknown. We address these gaps by conducting two complementary longitudinal experiments. First, we performed an experiment collecting fMRI and eye-tracking data simultaneously to directly measure habituation to security warnings as it develops in the brain over a five-day workweek. Our results show not only a general decline of participants' attention to warnings over time but also that attention recovers at least partially between workdays without exposure to the warnings. Further, we found that updating the appearance of a warning (that is, a polymorphic design) substantially reduced habituation of attention. Second, we performed a three-week field experiment in which users were naturally exposed to privacy permission warnings as they installed apps on their mobile devices. Consistent with our fMRI results, users' warning adherence substantially decreased over the three weeks. However, for users who received polymorphic permission warnings, adherence dropped at a substantially lower rate and remained high after three weeks, compared to users who received standard warnings. Together, these findings provide the most complete view yet of the problem of habituation to security warnings and demonstrate that polymorphic warnings can substantially improve adherence.
Warning messages are fundamental to users' security interactions. Unfortunately, they are largely ineffective, as shown by prior research. A key contributor to this failure is habituation: decreased response to a repeated warning. Previous research has only inferred the occurrence of habituation to warnings, or measured it indirectly, such as through the proxy of a related behavior. Therefore, there is a gap in our understanding of how habituation to security warnings develops in the brain. Without direct measures of habituation, we are limited in designing warnings that can mitigate its effects. In this study, we use neurophysiological measures to directly observe habituation as it occurs in the brain and behaviorally. We also design a polymorphic warning artifact that repeatedly changes its appearance in order to resist the effects of habituation. In an experiment using functional magnetic resonance imaging (fMRI; n = 25), we found that our polymorphic warning was significantly more resistant to habituation than were conventional warnings in regions of the brain related to attention. In a second experiment (n = 80), we implemented the four most resistant polymorphic warnings in a realistic setting. Using mouse cursor tracking as a surrogate for attention to unobtrusively measure habituation on participants' personal computers, we found that polymorphic warnings reduced habituation compared to conventional warnings. Together, our findings reveal the substantial influence of neurobiology on users' habituation to security warnings and security behavior in general, and we offer our polymorphic warning design as an effective solution for practice.
A major inhibitor of the effectiveness of security warnings is habituation: decreased response to a repeated warning. Although habituation develops over time, previous studies have examined habituation and possible solutions to its effects only within a single experimental session, providing an incomplete view of the problem. To address this gap, we conducted a longitudinal experiment that examines how habituation develops over the course of a five-day workweek and how polymorphic warnings decrease habituation. We measured habituation using two complementary methods simultaneously: functional magnetic resonance imaging (fMRI) and eye tracking.
Electronic commerce can be defined as the conduct of commerce in goods and services, with the assistance of telecommunications and telecommunications-based tools. The economic growth potential of e-commerce is extraordinary, but so are the challenges that lie on the path toward success. One of the more pressing challenges is how to ensure the integrity and reliability of the transaction process, key aspects being fair-exchange and atomicity assurance. This paper delineates an extended fair-exchange standard, which includes atomicity assurance, intended for a wide audience including e-commerce designers, managers, users, and auditors. We demonstrate how such a standard prevents or mitigates important e-commerce concerns. To bridge theory with practice, we illustrate how the application of model checking can be used to verify the correctness of the implementation of e-commerce protocols to prevent the failure of such protocols when unforeseen circumstances occur.
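The following is an added illustration of what "model checking for atomicity assurance" means in practice; it is not the standard, the protocols, or the checker from the paper above. It assumes two hypothetical toy protocols (a naive "pay first, then ship" exchange and an escrow-based one with a trusted third party), models each as guarded transitions over a small state, and exhaustively explores every interleaving. The atomicity property checked is that, whenever the exchange terminates, either both parties hold what they were promised or neither does. A violation is reported as the sequence of steps that reaches it, which is the counterexample a model checker gives a protocol designer.

```python
"""Toy explicit-state model checker for exchange atomicity (added example)."""
from collections import deque
from dataclasses import dataclass, replace
from typing import Callable, Optional

@dataclass(frozen=True)
class State:
    seller_has_money: bool = False   # seller holds the buyer's payment
    buyer_has_goods: bool = False    # buyer holds the seller's goods
    escrow_money: bool = False       # payment parked with a hypothetical escrow/TTP
    escrow_goods: bool = False       # goods parked with the escrow/TTP
    done: bool = False               # exchange terminated (commit or abort)

Guard = Callable[[State], bool]
Effect = Callable[[State], State]
Transition = tuple[str, Guard, Effect]

def atomic(s: State) -> bool:
    """Atomicity: at termination both sides got their item, or neither did."""
    return s.seller_has_money == s.buyer_has_goods

def explore(transitions: list[Transition]) -> dict:
    """BFS over every interleaving of enabled transitions.
    Returns a map from each reachable state to (predecessor, transition name)."""
    init = State()
    parent: dict[State, Optional[tuple]] = {init: None}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        if s.done:
            continue  # terminal: no further steps
        for name, guard, effect in transitions:
            if guard(s):
                t = effect(s)
                if t not in parent:
                    parent[t] = (s, name)
                    queue.append(t)
    return parent

def trace(parent: dict, s: State) -> list[str]:
    """Reconstruct the step sequence that reaches state s from the initial state."""
    steps = []
    while parent[s] is not None:
        s, name = parent[s]
        steps.append(name)
    return list(reversed(steps))

def check_atomicity(transitions: list[Transition]) -> Optional[list[str]]:
    """None if every terminated state is atomic; otherwise a counterexample trace."""
    parent = explore(transitions)
    for s in parent:
        if s.done and not atomic(s):
            return trace(parent, s)
    return None

def can_commit(transitions: list[Transition]) -> bool:
    """Guard against vacuous safety: a successful exchange must be reachable."""
    return any(s.done and s.buyer_has_goods and s.seller_has_money
               for s in explore(transitions))

# Hypothetical naive protocol: buyer pays first, seller ships afterwards.
# The seller may crash or walk away at any point (modelled as an abort).
NAIVE: list[Transition] = [
    ("buyer_pays", lambda s: not s.seller_has_money,
     lambda s: replace(s, seller_has_money=True)),
    ("seller_ships", lambda s: s.seller_has_money and not s.buyer_has_goods,
     lambda s: replace(s, buyer_has_goods=True, done=True)),
    ("seller_aborts", lambda s: True,
     lambda s: replace(s, done=True)),
]

# Hypothetical escrow protocol: both items are deposited with a trusted third
# party, which releases both together or returns each deposit to its owner.
ESCROW: list[Transition] = [
    ("buyer_deposits", lambda s: not s.escrow_money,
     lambda s: replace(s, escrow_money=True)),
    ("seller_deposits", lambda s: not s.escrow_goods,
     lambda s: replace(s, escrow_goods=True)),
    ("escrow_commits", lambda s: s.escrow_money and s.escrow_goods,
     lambda s: replace(s, escrow_money=False, escrow_goods=False,
                       seller_has_money=True, buyer_has_goods=True, done=True)),
    ("party_aborts", lambda s: True,  # escrow refunds whatever was deposited
     lambda s: replace(s, escrow_money=False, escrow_goods=False, done=True)),
]

if __name__ == "__main__":
    print("naive :", check_atomicity(NAIVE))    # a counterexample trace
    print("escrow:", check_atomicity(ESCROW))   # None: atomic in every run
```

The naive protocol fails with the trace `buyer_pays, seller_aborts`: the seller holds the money and the buyer holds nothing. The escrow protocol passes because its only way to leave the "deposited" state is a commit that releases both items or a refund that releases neither. The `can_commit` check matters in practice: a protocol that never terminates successfully would trivially satisfy the atomicity invariant, so a model-checking argument should establish liveness of the happy path as well as safety.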