Tuning Out Security Warnings: A Longitudinal Examination of Habituation Through fMRI, Eye Tracking, and Field Experiments

When information security depends on font size: how the saliency of warnings affects protection behavior

Prior research on how to improve the effectiveness of information security warnings has predominantly focused on either the informational content of warnings or their visual saliency. In an online experiment (N = 1'486), we disentangle the effect of both manipulations and demonstrate that both factors simultaneously influence decision making. Our data indicate that the proportion of people who engage in protection behavior can be increased by roughly 65% by making a particular warning message more visually salient (i.e. a more conspicuous visual design is used). We also show that varying the message's saliency can make people behave very differently when confronted with the same threat or behave very similarly when confronted with threats that differ widely in terms of severity of outcomes. Our results suggest that the visual design of a warning may warrant at least as much attention as the informational content that the warning message conveys.

Investigation the role of contrast on habituation and sensitisation effects in peripheral areas of graphical user interfaces

Graphical user interfaces are designed so that the most important elements are usually located in the central part of the screen, where they catch the user’s attention. However, there are situations where it is necessary to attract the user’s attention to make him/her notice, e.g., a critical alert, which is customarily displayed in the peripheral area so as not to interact with the main content. Therefore, our focus is to deliver an increased visibility of content in the peripheral area of the display in a non-intrusive way. Thus, the main purpose of this work is to analyze the visibility of the stimulus (in the form of colored discs), displayed in the peripheral area of a screen, which distracts users from the central part of the interface. The habituation and sensitization effects were considered to study which parameters catch and hold the user’s attention, despite the length of their interaction with the system. The experiments performed indicated how the parameters should be set to reduce the habituation effect without the need to use content with the highest visual intensity. The results showed that a high visual intensity is not necessarily needed for the best impact. A medium contrast level, a horizontal or vertical display localization, and a flashing frequency of 2 Hz are sufficient to obtain the best visibility in the peripheral area. In the case of critical alerts and the need for short-term intensive stimuli, it is worth highlighting these with high contrast. This configuration should be the most effective if it is not a continuous operation. However, they can cause unnecessary irritation or even cognitive load for more extended usage.

Roles and Research Trends of Neuroscience on Major Information Systems Journal: A Bibliometric and Content Analysis

Over the past decade, neuroscience has been integrated into information systems as a new methodology and perspective to study and solve related problems. Therefore, NeuroIS has emerged as a new cutting-edge research field. This review aimed to identify, summarize, and classify existing NeuroIS publications through knowledge mapping and bibliometric analysis. To effectively understand the development trend of NeuroIS, this study referred to the journal selection index of the Association of Business Schools in 2021 and journals above three stars in the field of information management as the main selection basis. A total of 99 neuroscience papers and their citation data were included from 19 major information systems journals of SCI/SSCI. This study analyzed bibliometric data from 2010 to 2021 to identify the most productive countries, universities, authors, journals, and prolific publications in NeuroIS. To this end, VOSviewer was used to visualize mapping based on co-citation, bibliographic coupling, and co-occurrence. Keywords with strong citation bursts were also identified in this study. This signifies the evolution of this research field and may reveal potential research directions in the near future. In selecting research methods and analysis tools for NeuroIS, content analysis was used to further conclude and summarize the relevant trends. Moreover, a co-citation network analysis was conducted to help understand how the papers, journals, and authors in the field were connected and related, and to identify the seminal or pioneering major literature. For researchers, network maps visualized mainstream research and provided a structural understanding of NeuroIS. The review concludes by discussing potential research topics in this field.

Do emotions influence safe browsing? Toward an electroencephalography marker of affective responses to cybersecurity notifications

Cybersecurity notifications play an important role in encouraging users to use computers safely. Emotional reactions to such notifications are known to positively influence users’ adherence to these notifications, though it is challenging for researchers to identify and quantify users’ emotional reactions. In this study, we explored electroencephalography (EEG) signals that were elicited by the presentation of various emotionally charged image stimuli provided by the International Affective Picture System (IAPS) and compared signals to those elicited by images of cybersecurity notifications and other computer-related stimuli. Participants provided behavioral assessments of valence and arousal elicited by the images which were used to cross-reference the results. We found that EEG amplitudes corresponding to the late positive potential (LPP) were elevated in reaction to images of cybersecurity notifications as well as IAPS images known to elicit strong positive and negative valence, when compared to neutral valence or other computer-related stimuli. These findings suggest that the LPP may account for emotional deliberation about cybersecurity notifications, which could be a useful measure when conducting future studies into the role such emotional reactions play in encouraging safe computer behavior.

The infamous “Like” feature - A neuro perspective

With the recent rise of excessive use of social media and its damaging effects, there is an urgent need to systematically recognize how users behave towards the “Like” button, which has been considered the most toxic feature on social media. To date, scholars know little about the neurophysiological responses of users towards the ‘Like’ feature despite its pervasiveness. Thus, through the lens of cybernetic theory, this research measured user behavior towards the “Like” feature by experimenting with two neuro tools (i.e., electrocardiogram (EKG/ECG) and electroencephalography (EEG)). Sixteen participants, allocated within three separate groups, completed a simple experimental task of ‘’liking’’ content. Unexpectedly, the findings revealed that participants who frequently and infrequently received “Likes” shared similar biometrics (i.e., high neurophysiological activities). Furthermore, this research raised concerns over the underlying AI algorithms related to recommendation engines/systems.

The Phishing Funnel Model: A Design Artifact to Predict User Susceptibility to Phishing Websites

Phishing is a significant security concern for organizations, threatening employees and members of the public. Phishing threats against employees can lead to severe security incidents, whereas those against the public can undermine trust, satisfaction, and brand equity. At the root of the problem is the inability of Internet users to identify phishing attacks even when using anti-phishing tools. We propose the phishing funnel model (PFM), a framework for predicting user susceptibility to phishing websites. PFM incorporates user, threat, and tool-related factors to predict actions during four key stages of the phishing process: visit, browse, consider legitimate, and intention to transact. We evaluated the efficacy of PFM in a 12-month longitudinal field experiment in two organizations involving 1,278 employees and 49,373 phishing interactions. PFM significantly outperformed competing models in terms of its ability to predict user susceptibility to phishing attacks. A follow-up three-month field study revealed that employees using PFM were significantly less likely to interact with phishing threats relative to comparison models and baseline warnings. Results of a cost-benefit analysis suggest that interventions guided by PFM could reduce annual phishing-related costs by nearly $1,900 per employee relative to comparison prediction methods.

Understanding employees' information security identities: an interpretive narrative approach

Purpose

The authors seek to understand the formation of control- and security-related identities among organizational employees through and interpretive narrative analysis. The authors also seek to identify how the identities form over time and across contexts. Several identities are identified as well as the changes that may occur in the identities.

Design/methodology/approach

Few interpretive or critical studies exist in behavioral information security research to represent employee perspectives of power and control. Using qualitative interviews and narrative analysis of the interview transcripts, this paper analyzes the security- and control-related identities and values that employees adopt in organizational settings.

Findings

Two major categories of behavioral security compliance identities were identified: compliant and noncompliant. Specific identities within the compliant category included: faithful follower vs the reasoned follower, and other-preserving versus the self-preserving identities. The noncompliant category included: anti-authority identity, utilitarian identity, trusting identity and unaware identity. Furthermore, three patterns of identity changes were observed.

Research limitations/implications

The authors’ narrative stories suggest that employee identities are complex and multi-faceted, and that they may be fluid and adaptive to situational factors. Future research should avoid assumptions that all employees are the same or that employee beliefs remain constant over time or in different contexts. Identities are also strongly rooted in individuals' rearing and other life experiences. Thus, security control is far broader than is studied in behavioral studies. The authors find that history matters and should be examined carefully.

Practical implications

The authors’ study provides insights that managers can use to enhance security initiatives. It is clear that different employees build different control-related identities. Managers must understand that their employees are unique and will not all respond to policies, punishments, and other forms of control in the same way. The narratives also suggest that many organizations lack appropriate programs to enhance employees' awareness of security issues.

Originality/value

The authors’ narrative analysis suggests that employee security identities are complex and multi-faceted, and that they are fluid and adaptive to situational factors. Research should avoid assumptions that all employees are the same or that their beliefs remain constant over time or in different contexts. Identities are also strongly rooted in individuals' rearing and other life experiences. Their history matters and should be examined carefully.

Organizational science and cybersecurity: abundant opportunities for research at the interface

Cybersecurity is an ever-present problem for organizations, but organizational science has barely begun to enter the arena of cybersecurity research. As a result, the "human factor" in cybersecurity research is much less studied than its technological counterpart. The current manuscript serves as an introduction and invitation to cybersecurity research by organizational scientists. We define cybersecurity, provide definitions of key cybersecurity constructs relevant to employee behavior, illuminate the unique opportunities available to organizational scientists in the cybersecurity arena (e.g., publication venues that reach new audiences, novel sources of external funding), and provide overall conceptual frameworks of the antecedents of employees' cybersecurity behavior. In so doing, we emphasize both end-users of cybersecurity in organizations and employees focused specifically on cybersecurity work. We provide an expansive agenda for future organizational science research on cybersecurity-and we describe the benefits such research can provide not only to cybersecurity but also to basic research in organizational science itself. We end by providing a list of potential objections to the proposed research along with our responses to these objections. It is our hope that the current manuscript will catalyze research at the interface of organizational science and cybersecurity.

Repetition of Computer Security Warnings Results in Differential Repetition Suppression Effects as Revealed With Functional MRI

Computer users are often the last line of defense in computer security. However, with repeated exposures to system messages and computer security warnings, neural and behavioral responses show evidence of habituation. Habituation has been demonstrated at a neural level as repetition suppression where responses are attenuated with subsequent repetitions. In the brain, repetition suppression to visual stimuli has been demonstrated in multiple cortical areas, including the occipital lobe and medial temporal lobe. Prior research into the repetition suppression effect has generally focused on a single repetition and has not examined the pattern of signal suppression with repeated exposures. We used complex, everyday stimuli, in the form of images of computer programs or security warning messages, to examine the repetition suppression effect across repeated exposures. The use of computer warnings as stimuli also allowed us to examine the activation of learned fearful stimuli. We observed widespread linear decreases in activation with repeated exposures, suggesting that repetition suppression continues after the first repetition. Further, we found greater activation for warning messages compared to neutral images in the anterior insula, pre-supplemental motor area, and inferior frontal gyrus, suggesting differential processing of security warning messages. However, the repetition suppression effect was similar in these regions for both warning messages and neutral images. Additionally, we observed an increase of activation in the default mode network with repeated exposures, suggestive of increased mind wandering with continuing habituation.

The Influence of Professional Subculture on Information Security Policy Violations: A Field Study in a Healthcare Context

The Influence of Professional Subculture on Information Security Policy Violations: A Field Study in a Healthcare Context

IS Reappraisal and Technology Adaptation Behaviors

Employees have to adapt to newly implemented information systems (IS) because they are often perceived as radical changes or disruptions. To understand such adaptation behavior, IS research suggests that employees first appraise the new IS and second perform technology adaptive behaviors. However, while the psychology literature indicates that adaptation is a continuous process unfolding over time, previous IS literature treats adaptation towards IS implementation as a rather singular, noniterative process. As firms continue to implement IS, an understanding of reappraisal and the influence of technology adaptation behavior is vital to ensure successful implementations. Therefore, the present paper investigates reappraisal and the influences of four different technology adaptation behaviors. We conducted a longitudinal study and used hierarchical linear modeling (HLM) to validate our research model. The findings reveal that employees reappraise the newly implemented IS over time regarding perceived opportunity, threat, and controllability and demonstrate that technology adaption behaviors influence such reappraisal. One specific finding is that employees might get into positive or negative reappraisal loops. We thereby contribute to research by extending the adaptation behavior literature and add a new piece of the puzzle to understand how employees adapt towards newly implemented IS over time.

Future Directions for Optimizing Clinical Science & Safety: Ecological Momentary Assessments in Suicide/Self-Harm Research

OBJECTIVE

Mobile technology has facilitated rapid growth in the use of intensive longitudinal methods (ILM), such as ecological momentary assessments (EMA), that help identify proximal indicators of risk in real-time and real-world settings. To realize the potential of ILM for advancing knowledge regarding suicidal and self-injurious thoughts and behaviors (SITB), this article aims to provide a systematic review of safety protocols in published ILM studies of youth SITB, highlight considerations for maximizing safety, and offer an agenda for future research.

METHOD

We conducted a systematic review of risk management strategies in published studies applying ILM to assess SITB in youth.

RESULTS

The review indicated diverse safety strategies, with near-universal use of preventive strategies before beginning ILM surveys. Strategies for participant protection during the survey period included automated protective messages to seek support when elevated risk was detected; and staff-led strategies, some of which included active outreach to parents/caregivers when youth responses suggested elevated risk. Studies assessing suicidality all provided staff-led follow-up. There was minimal information on youth reactivity to intensive longitudinal assessments of SITB. Available evidence did not suggest increased suicidal ideation, suicide attempts, self-injurious behavior, or deaths with ILM.

CONCLUSIONS

Based on the review, we propose a research agenda to inform safety procedures in ILM research and a model for managing risk in future ILM studies of youth SITB. This model begins with a needs assessment and proposes a "goodness of fit" approach for matching safety procedures to the specific needs of each ILM study.

Appealing to Sense and Sensibility: System 1 and System 2 Interventions for Fake News on Social Media

Disinformation on social media—commonly called “fake news”—has become a major concern around the world, and many fact-checking initiatives have been launched in response. However, if the presentation format of fact-checked results is not persuasive, fact-checking may not be effective. For instance, Facebook tested the idea of flagging dubious articles in 2017 but concluded that it was ineffective and removed the feature. We conducted three experiments with social media users to investigate two different approaches to implementing a fake news flag—one designed to be most effective when processed by automatic cognition (System 1) and the other designed to be most effective when processed by deliberate cognition (System 2). Both interventions were effective, and an intervention that combined both approaches was about twice as effective. The awareness training on the meaning of the flags increased the effectiveness of the System 2 intervention but not the System 1 intervention. Believability influenced the extent to which users would engage with the article (e.g., read, like, comment, and share). Our results suggest that both theoretical routes can be used—separately or together—in the presentation of fact-checking results in order to reduce the influence of fake news on social media users.

A Decade of NeuroIS Research

NeuroIS is a field in Information Systems (IS) that makes use of neuroscience and neurophysiological tools and knowledge to better understand the development, adoption, and impact of information and communication technologies. The fact that NeuroIS now exists for more than a decade motivated us to comprehensively review the academic literature. Investigation of the field's development provides insights into the status of NeuroIS, thereby contributing to identity development in the NeuroIS field. Based on a review of N=200 papers published in 55 journals and 13 conference proceedings in the period 2008-2017, we addressed the following four research questions: Which NeuroIS topics were investigated? What kind of NeuroIS research was published? How was the empirical NeuroIS research conducted? Who published NeuroIS research? Based on a discussion of the findings and their implications for future research, which considers results of a recent NeuroIS survey (N=60 NeuroIS scholars), we conclude that today NeuroIS can be considered an established research field in the IS discipline. However, our review also indicates that further efforts are necessary to advance the field, both from a theoretical and methodological perspective.

Risk communication in cyberspace: a brief review of the information-processing and mental models approaches

Effective risk communication in cyberspace is critical for users to understand the potential security risks and make secure decisions. Two approaches to risk communication originating from psychology, the human information-processing approach and the mental-models approach, have been widely applied in other research fields of risk communication. The human information-processing approach characterizes the human as a communication system, with risk-communication information from a source delivered to the receiver, who processes the information via various stages. The mental-models approach emphasizes the importance of understanding experts' and non-experts' mental models, comparing these models, and drafting and evaluating risk-communication messages. With an overview of these two approaches and their applications, the goal of this paper is to provide insights for future use of these approaches in cybersecurity.

Protecting a whale in a sea of phish

Whaling is one of the most financially damaging, well-known, effective cyberattacks employed by sophisticated cybercriminals. Although whaling largely consists of sending a simplistic email message to a whale (i.e. a high-value target in an organization), it can result in large payoffs for cybercriminals, in terms of money or data stolen from organizations. While a legitimate cybersecurity threat, little information security research has directed attention toward whaling. In this study, we begin to provide an initial understanding of what makes whaling such a pernicious problem for organizations, executives, or celebrities (e.g. whales), and those charged with protecting them. We do this by defining whaling, delineating it from general phishing and spear phishing, presenting real-world cases of whaling, and provide guidance on future information security research on whaling. We find that whaling is far more complex than general phishing and spear phishing, spans multiple domains (e.g. work and personal), and potentially results in spillover effects that ripple across the organization. We conclude with a discussion of promising future directions for whaling and information security research.

The Dilemma of User Engagement in Privacy Notices

Privacy notices and consent forms are the means of conveying privacy policy information to users. In Europe, a valid consent needs to be confirmed by a clear affirmative action. Despite previous research, it is not yet clear whether user engagement with consent forms via different types of interactions for confirming consent may play a significant role in effectively drawing user attention to the content, even after repeated exposure. We investigate, in a laboratory study, how different types of interactions that engage users with consent forms differ in terms of their effectiveness, efficiency, and user satisfaction. In addition, we examine if and how habituation affects user attention and satisfaction, and the time they spend on giving their consent. We conducted a controlled experiment with 80 participants in four different groups where people either were engaged actively with the policy content via Drag and Drop (DAD), Swipe, or Checkboxes, or were not actively engaged with the content (as the control condition) in a first-exposure phase and in a habituation phase. We measured user attention to consent forms along multiple dimensions, including direct, objective measurements and indirect, self-reported measures. Our results show that the different types of interactions may affect user attention to certain parts of policy information. In particular, the DAD action results in significantly more user attention to the data items compared to other groups. However, with repeated exposure to consent forms, the difference disappears. We conclude that user engagement with policy content needs to be designed with care, so that attention to substantial policy information is increased and not negatively affected.

Neural correlates of decision making related to information security: Self-control and moral potency

Security breaches of digital information represent a significant threat to the wellbeing of individuals, corporations, and governments in the digital era. Roughly 50% of breaches of information security result from the actions of individuals inside organizations (i.e., insider threat), and some evidence indicates that common deterrence programs may not lessen the insiders’ intention to violate information security. This had led researchers to investigate contextual and individual difference variables that influence the intention to violate information security policies. The current research builds upon previous studies and explores the relationship between individual differences in self-control and moral potency and the neural correlates of decision making in the context of information security. The behavioral data revealed that individuals were sensitive to the severity of a violation of information security, and that the measures of self-control and moral potency were reliable indicators of the underlying constructs. The ERP data provided a partial replication of previous research, revealing differences in neural activity for scenarios describing security violations relative to control stimuli over the occipital, medial and lateral frontal, and central regions of the scalp. Brain-behavior analyses showed that higher moral potency was associated with a decrease in neural activity, while higher self-control was associated with an increase in neural activity; and that moral potency and self-control tended to have independent influences on neural recruitment related to considering violations of information security. These findings lead to the suggestion that enhancing moral potency and self-control could represent independent pathways to guarding against insider threat.

It's the deceiver and the receiver: Individual differences in phishing susceptibility and false positives with item profiling

Phishing email is one of the biggest risks to online information security due to its ability to exploit human trust and naivety. Prior research has examined whether some people are more susceptible to phishing than others and what characteristics may predict this susceptibility. Given that there are no standardised measures or methodologies to detect phishing susceptibility, results have conflicted. To address this issue, the current study created a 40-item phishing detection task to measure both cognitive and behavioural indicators of phishing susceptibility and false positives (misjudged genuine email). The task is based on current real-life email stimuli (i.e., phishing and genuine) relevant to the student and general population. Extending previous literature we also designed a methodology for assessing phishing susceptibility by allowing participants to indicate perception of maliciousness of each email type and the actions they would take (keep it, trash it or seek further information). This enabled us to: (1) examine the relationships that psychological variables share with phishing susceptibility and false positives-both captured as consistent tendencies; (2) determine the relationships between perceptions of maliciousness with behavioural outcomes and psychological variables; and (3) determine the relationships between these tendencies and email characteristics. In our study, 150 undergraduate psychology students participated in exchange for partial course credit (98 Females; Mean age = 19.70, SD = 2.27). Participants also completed a comprehensive battery of psychometric tests assessing intelligence, pre- and on-task confidence, Big 6 personality, and familiarity/competence in computing and phishing. Results revealed that people showed distinct and robust tendencies for phishing susceptibility and false positives. A series of regression analyses looking at the accuracy of both phishing and false positives detection revealed that human-centred variables accounted for a good degree of variance in phishing susceptibility (about 54%), with perceptions of maliciousness, intelligence, knowledge of phishing, and on-task confidence contributing significantly, directly and/or indirectly via perception of maliciousness. A regression model looking at discriminating false positives has also shown that human-centred variables accounted for a reasonable degree of variance (41%), with perceptions of maliciousness, intelligence and on-task confidence contributing significantly, directly and/or indirectly via perception of maliciousness. Furthermore, the characteristics of the most effective phishing and misjudged genuine email items were profiled. Based on our findings, we suggest that future research should investigate these significant variables in more detail. We also recommend that future research should capture consistent response tendencies to determine vulnerability to phishing and false positives (rather than a one off response to a single email), and use the collection of the most current phishing email obtained from relevant sources to the population. It is important to capture perceptions of maliciousness of email because it is a key predictor of the action taken on the email. It directly predicts accuracy detection of phishing and genuine email, as well as mediating the relationships between some other predictors whose role would have been overlooked if the perceptions were not captured. The study provides the framework of human-centred variables which predict phishing and false positive susceptibility as well as the characteristics of email which most deceive people.