Ever feel your eyes glazing over when you see yet another security warning pop up on your monitor? In a first, scientists have used magnetic resonance imaging to measure a human brain's dramatic drop in attention that results when a computer user is subjected to just two security warnings in a short time.

In a paper scheduled to be presented next month at the Association for Computing Machinery's CHI 2015 conference, researchers will present data that maps regions of the brain responsible for visual processing. The MRI images show a "precipitous drop" in visual processing after even one repeated exposure to a standard security warning and a "large overall drop" after 13 of them. Previously, such warning fatigue has been observed only indirectly, such as one study finding that only 14 percent of participants recognized content changes to confirmation dialog boxes or another that recorded users clicking through one-half of all SSL warnings in less than two seconds.

Building a better mousetrap

The inattention is the result of a phenomenon known as habituation, or the tendency for organisms' neural systems to show partial or complete cessations of responses to stimuli over repeated exposures. Such repetition suppression, or RS, has long been documented in everything from sea slugs to humans. By directly measuring RS in the brains of people exposed to computer security warnings, the scientists were then able to test more effective ways that software makers can alert people to potential risks. The paper—titled "How Polymorphic Warnings Reduce Habituation in the Brain—Insights from an fMRI Study"—is one of two to be presented at CHI 2015 that studies people's responses to security warnings. A second paper is titled "Improving SSL Warnings: Comprehension and Adherence."

Besides leading to potential improvements in user interfaces, the research may pave the way for better security education, training, and awareness (SETA) programs, password use, and information security policy compliance. The scientists wrote:

Users’ habituation to security warnings is pervasive, and is often attributed to users’ carelessness and inattention. However, we demonstrate that habituation is largely obligatory as a result of how the brain processes familiar visual stimuli. A chief implication of our results is that because habituation occurs unconsciously at the neurobiological level, interventions designed to encourage greater attention and vigilance on the part of users—such as SETA programs—are incomplete on their own. Our findings suggest that a complimentary solution is to develop UI designs that are less susceptible to habituation. We show that the polymorphic warning artifact developed in this study is one such effective design. Our results point to future research opportunities for security interventions that take into account the biology of the user.

The experiment was conducted on 25 participants recruited from a university who were native English speakers. The subjects laid down on their backs on an MRI table and had a volume coil placed over their heads to allow imaging of the entire brain. The participants then viewed experimental images on a large monitor at the opening of the scanner. In all, each participant viewed a unique set of 560 images. A second experiment tracked participants' responses to security warnings in a more natural setting while using a laptop computer. To measure attention paid to a particular warning, the researchers analyzed users' mouse cursor movements along the x and y , and z axes using a timestamp of each movement at a millisecond rate.

The habituation response caused by humans' frequent exposure to warnings has been documented as long ago as 2006. Since then, numerous studies have supported what many people know intuitively: the more times a website, computer, or smartphone displays a warning, the harder it is to heed its urgent message. The fatigue sets off a vicious cycle in which many end users increasingly make poorly informed security choices and designers add more warnings to counteract the increased threats.

The researcher team—made up of six scientists from Brigham Young University, the University of Pittsburgh, and Google—went on to test so-called polymorphic warnings. As their name suggests, polymorphic warnings change their colors, text, shapes, and other characteristics rather than presenting the same static content each time. The MRI data showed reduced habituation to repeated warnings that changed. A second measurement using mouse tracking also showed reduced habituation from repeated warnings, and it also showed slower habituation. The findings could be seminal for makers of software and hardware alike as they search for new ways to steer users clear of everything from weak password choices to websites pushing malware.

"Polymorphic warnings garner more attention over time due to the novelty of their changing appearance," the researchers wrote. "Changing appearance of the warning reinvigorates attention, especially in brain regions that have been shown to demonstrate RS to exact repetitions of visual stimuli. For this reason, polymorphic warnings that continually change their appearance will slow the rate of habituation."