Your memory is working against you: How eye tracking and memory explain habituation to security warnings

Security warnings are critical to the security of end users and their organizations, often representing the final defense against an attack. Because warnings require users to make a contextual judgment, it is critical that they pay close attention to warnings. However, research shows that users routinely disregard them. A major factor contributing to the ineffectiveness of warnings is habituation, the decreased response to a repeated warning. Although previous research has identified the problem of habituation, the phenomenon has only been observed indirectly through behavioral measures. Therefore, it is unclear how habituation develops in the brain in response to security warnings, and how this in turn influences users’ perceptions of these warnings. This paper contributes by using eye tracking to measure the eye movement-based memory (EMM) effect, a neurophysiological manifestation of habituation in which people unconsciously scrutinize previously seen stimuli less than novel stimuli. We show that habituation sets in after only a few exposures to a warning and progresses rapidly with further repetitions. Using guidelines from the warning science literature, we design a polymorphic warning artifact which repeatedly changes its appearance. We demonstrate that our polymorphic warning artifact is substantially more resistant to habituation than conventional security warnings, offering an effective solution for practice. Finally, our results highlight the value of applying neuroscience to the domain of information security behavior.