Users Aren't (Necessarily) Lazy: Using NeuroIS to Explain Habituation to Security Warnings

Warning messages are one of the last lines of defense in information security, and are fundamental to users’ security interactions with technology. Unfortunately, research shows that users routinely ignore security warnings. A key contributor to this disregard is habituation, the diminishing of attention through frequent exposure. However, previous research has examined habituation indirectly by observing its influence on security behavior, rather than measuring habituation itself. We contribute by using functional magnetic resonance imaging (fMRI) to directly observe habituation as it occurs in the brain. Our results show that with repeated exposure to warnings, neural activity in the visual processing centers sharply decreases. We also show that this process occurs for images of both security warnings and general software applications, although habituation is more severe for security warnings. Our findings suggest that habituation is not due to users’ laziness or carelessness, but is a natural consequence of how the brain works.