Bonnie Brinton Anderson

Model checking for design and assurance of e-business processes

Use of the Internet for electronic business has the potential to revolutionize the way many businesses are conducted. Yet, several businesses have fallen victim to problems in information systems that facilitate e-Business. These problems are characterized by uncertainties due to system complexity, rapid development, interconnectivity, and a lack of familiarity with the new technologically based economy. This paper demonstrates how model checking can aid in the design and assurance of e-Business processes in environments characterized by distributed processing, parallelism, concurrency, communication uncertainties, and continuous operations.

Model checking for E-business control and assurance

Model checking is a promising technique for the verification of complex software systems. As the use of the Internet for conducting e-business extends the reach of many organizations, well-designed software becomes the foundation of reliable implementation of e-business processes. These distributed, electronic methods of conducting transactions place reliance on the control structures embedded in the transaction processes. Deficiencies in control structures of processes that support e-business can lead to loss of physical assets, digital assets, money, and consumer confidence. Yet, assessing the reliability of e-business processes is complex and time-consuming. This paper explicates how model-checking technology can aid in the design and assurance of e-business processes in complex digital environments. Specifically, we demonstrate how model checking can be used to verify e-business requirements concerning money atomicity, goods atomicity, valid receipt, and communication-link failure. These requirements are fundamental to many e-business applications. Model checking can be used to test a broad range of systems requirements-not only for system designers, but also for auditors and security specialists. Systems that are examined by auditors need to have adequate controls built in prior to implementation and will need adequate auditing after implementation to ensure that none of the processes have been corrupted. Model checkers may also provide value in examining the processes of highly integrated applications as found in enterprise resource planning systems.

Standards and verification for fair-exchange and atomicity in e-commerce transactions

Electronic commerce can be defined as the conduct of commerce in goods and services, with the assistance of telecommunications and telecommunications-based tools. The economic growth potential of e-commerce is extraordinary-but so are the challenges that lie on the path toward success. One of the more pressing challenges is how to ensure the integrity and reliability of the transaction process: key aspects being fair-exchange and atomicity assurance. This paper delineates an extended fair-exchange standard, which includes atomicity assurance, intended for a wide audience including e-commerce designers, managers, users, and auditors. We demonstrate how such a standard prevents or mitigates important e-commerce concerns. To bridge theory with practice, we illustrate how the application of model checking can be used to verify the correctness of the implementation of e-commerce protocols to prevent the failure of such protocols when unforeseen circumstances occur.

The application of model checking for securing e-commerce transactions

Model checking is an effective component for performing online transactions that build customer trust and confidence.

From Warning to Wallpaper: Why the Brain Habituates to Security Warnings and What Can Be Done About It

Abstract Warning messages are fundamental to users’ security interactions. Unfortunately, they are largely ineffective, as shown by prior research. A key contributor to this failure is habituation: decreased response to a repeated warning. Previous research has only inferred the occurrence of habituation to warnings, or measured it indirectly, such as through the proxy of a related behavior. Therefore, there is a gap in our understanding of how habituation to security warnings develops in the brain. Without direct measures of habituation, we are limited in designing warnings that can mitigate its effects. In this study, we use neurophysiological measures to directly observe habituation as it occurs in the brain and behaviorally. We also design a polymorphic warning artifact that repeatedly changes its appearance in order to resist the effects of habituation. In an experiment using functional magnetic resonance imaging (fMRI; n = 25), we found that our polymorphic warning was significantly more resistant to habituation than were conventional warnings in regions of the brain related to attention. In a second experiment (n = 80), we implemented the four most resistant polymorphic warnings in a realistic setting. Using mouse cursor tracking as a surrogate for attention to unobtrusively measure habituation on participants’ personal computers, we found that polymorphic warnings reduced habituation compared to conventional warnings. Together, our findings reveal the substantial influence of neurobiology on users’ habituation to security warnings and security behavior in general, and we offer our polymorphic warning design as an effective solution to practice

More Harm than Good? How Messages that Interrupt Can Make Us Vulnerable

System-generated alerts are ubiquitous in personal computing and, with the proliferation of mobile devices, daily activity. While these interruptions provide timely information, research shows they come at a high cost in terms of increased stress and decreased productivity. This is due to dual-task interference (DTI), a cognitive limitation in which even simple tasks cannot be simultaneously performed without significant performance loss. Although previous research has examined how DTI impacts the performance of a primary task (the task that was interrupted), no research has examined the effect of DTI on the interrupting task. This is an important gap because in many contexts, failing to heed an alert—the interruption itself—can introduce critical vulnerabilities.Using security messages as our context, we address this gap by using functional magnetic resonance imaging (fMRI) to explore how (1) DTI occurs in the brain in response to interruptive alerts, (2) DTI influences message security disregard, and (3) the effects of DTI can be mitigated by finessing the timing of the interruption. We show that neural activation is substantially reduced under a condition of high DTI, and the degree of reduction in turn significantly predicts security message disregard. Interestingly, we show that when a message immediately follows a primary task, neural activity in the medial temporal lobe is comparable to when attending to the message is the only task.Further, we apply these findings in an online behavioral experiment in the context of a web-browser warning. We demonstrate a practical way to mitigate the DTI effect by presenting the warning at low-DTI times, and show how mouse cursor tracking and psychometric measures can be used to validate low-DTI times in other contexts.Our findings suggest that although alerts are pervasive in personal computing, they should be bounded in their presentation. The timing of interruptions strongly influences the occurrence of DTI in the brain, which in turn substantially impacts alert disregard. This paper provides a theoretically grounded, cost-effective approach to reduce the effects of DTI for a wide variety of interruptive messages that are important but do not require immediate attention.

How users perceive and respond to security messages: a NeuroIS research agenda and empirical study

Users are vital to the information security of organizations. In spite of technical safeguards, users make many critical security decisions. An example is users’ responses to security messages – discrete communication designed to persuade users to either impair or improve their security status. Research shows that although users are highly susceptible to malicious messages (e.g., phishing attacks), they are highly resistant to protective messages such as security warnings. Research is therefore needed to better understand how users perceive and respond to security messages. In this article, we argue for the potential of NeuroIS – cognitive neuroscience applied to Information Systems – to shed new light on users’ reception of security messages in the areas of (1) habituation, (2) stress, (3) fear, and (4) dual-task interference. We present an illustrative study that shows the value of using NeuroIS to investigate one of our research questions. This example uses eye tracking to gain unique insight into how habituation occurs when people repeatedly view security messages, allowing us to design more effective security messages. Our results indicate that the eye movement-based memory (EMM) effect is a cause of habituation to security messages – a phenomenon in which people unconsciously scrutinize stimuli that they have previously seen less than other stimuli. We show that after only a few exposures to a warning, this neural aspect of habituation sets in rapidly, and continues with further repetitions. We also created a polymorphic warning that continually updates its appearance and found that it is effective in substantially reducing the rate of habituation as measured by the EMM effect. Our research agenda and empirical example demonstrate the promise of using NeuroIS to gain novel insight into users’ responses to security messages that will encourage more secure user behaviors and facilitate more effective security message designs.

What Do We Really Know about How Habituation to Warnings Occurs Over Time?: A Longitudinal fMRI Study of Habituation and Polymorphic Warnings

A major inhibitor of the effectiveness of security warnings is habituation: decreased response to a repeated warning. Although habituation develops over time, previous studies have examined habituation and possible solutions to its effects only within a single experimental session, providing an incomplete view of the problem. To address this gap, we conducted a longitudinal experiment that examines how habituation develops over the course of a five-day workweek and how polymorphic warnings decrease habituation. We measured habituation using two complementary methods simultaneously: functional magnetic resonance imaging (fMRI) and eye tracking. Our results show a dramatic drop in attention throughout the workweek despite partial recovery between workdays. We also found that the polymorphic warning design was substantially more resistant to habituation compared to conventional warnings, and it sustained this advantage throughout the five-day experiment. Our findings add credibility to prior studies by showing that the pattern of habituation holds across a workweek, and indicate that cross-sectional habituation studies are valid proxies for longitudinal studies. Our findings also show that eye tracking is a valid measure of the mental process of habituation to warnings.

Creating automated plans for Semantic Web applications through planning as model checking

The uncertainties of planning engendered by nondeterminism and partial observability have led to a melding of model checking and artificial intelligence. The result is planning as model checking. Because planning as model checking tests sets of states and sets of transitions at once, rather than single states, the method remains robust and viable in domains of large state spaces and varying levels of uncertainty. We develop a test bench for Semantic Web agents and use model-based planning to derive strong plans, strong cyclic plans, and weak plans. Our results suggest potential robustness and efficacy in devising plans for agent actions in the Semantic Web environment.

It All Blurs Together: How the Effects of Habituation Generalize Across System Notifications and Security Warnings

Habituation to security warnings—the diminished response to a warning with repeated exposures—is a well-recognized problem in information security. However, the scope of this problem may actually be much greater than previously thought because of the neurobiological phenomenon of generalization. Whereas habituation describes a diminished response with repetitions of the same stimulus, generalization occurs when habituation to one stimulus carries over to other novel stimuli that are similar in appearance. Because software user interface guidelines call for visual consistency, many notifications and warnings share a similar appearance. Unfortunately, generalization suggests that users may already be deeply habituated to a warning they have never seen before because of exposure to other notifications. In this work-in-progress study, we propose an eye tracking and fMRI experiment to examine how habituation to frequent software notifications generalizes to infrequent security warnings, and how security warnings can be designed to resist the effects of generalization.