David Eargle

Enhancing Password Security through Interactive Fear Appeals: A Web-Based Field Experiment

Passwords remain the dominant authentication mechanism for information security. Unfortunately, research has shown that most passwords are highly insecure. Given the risks of using weak passwords, there is a need to effectively motivate users to select strong passwords. In this study we examine the influence of interactivity, as well as static and interactive fear appeals, on motivating users to increase the strength of their passwords. We developed a field experiment involving the account registration process of a website in use in which we observed the strength of passwords chosen by users. Data were collected from 354 users in 65 countries. We found that while the interactive password strength meter and static fear appeal treatments were not effective, the interactive fear appeal treatment resulted in significantly stronger passwords. Our findings suggest that interactive fear appeals are a promising means of encouraging a range of secure behaviors in end users.

From Warning to Wallpaper: Why the Brain Habituates to Security Warnings and What Can Be Done About It

Abstract Warning messages are fundamental to users’ security interactions. Unfortunately, they are largely ineffective, as shown by prior research. A key contributor to this failure is habituation: decreased response to a repeated warning. Previous research has only inferred the occurrence of habituation to warnings, or measured it indirectly, such as through the proxy of a related behavior. Therefore, there is a gap in our understanding of how habituation to security warnings develops in the brain. Without direct measures of habituation, we are limited in designing warnings that can mitigate its effects. In this study, we use neurophysiological measures to directly observe habituation as it occurs in the brain and behaviorally. We also design a polymorphic warning artifact that repeatedly changes its appearance in order to resist the effects of habituation. In an experiment using functional magnetic resonance imaging (fMRI; n = 25), we found that our polymorphic warning was significantly more resistant to habituation than were conventional warnings in regions of the brain related to attention. In a second experiment (n = 80), we implemented the four most resistant polymorphic warnings in a realistic setting. Using mouse cursor tracking as a surrogate for attention to unobtrusively measure habituation on participants’ personal computers, we found that polymorphic warnings reduced habituation compared to conventional warnings. Together, our findings reveal the substantial influence of neurobiology on users’ habituation to security warnings and security behavior in general, and we offer our polymorphic warning design as an effective solution to practice

More Harm than Good? How Messages that Interrupt Can Make Us Vulnerable

System-generated alerts are ubiquitous in personal computing and, with the proliferation of mobile devices, daily activity. While these interruptions provide timely information, research shows they come at a high cost in terms of increased stress and decreased productivity. This is due to dual-task interference (DTI), a cognitive limitation in which even simple tasks cannot be simultaneously performed without significant performance loss. Although previous research has examined how DTI impacts the performance of a primary task (the task that was interrupted), no research has examined the effect of DTI on the interrupting task. This is an important gap because in many contexts, failing to heed an alert—the interruption itself—can introduce critical vulnerabilities.Using security messages as our context, we address this gap by using functional magnetic resonance imaging (fMRI) to explore how (1) DTI occurs in the brain in response to interruptive alerts, (2) DTI influences message security disregard, and (3) the effects of DTI can be mitigated by finessing the timing of the interruption. We show that neural activation is substantially reduced under a condition of high DTI, and the degree of reduction in turn significantly predicts security message disregard. Interestingly, we show that when a message immediately follows a primary task, neural activity in the medial temporal lobe is comparable to when attending to the message is the only task.Further, we apply these findings in an online behavioral experiment in the context of a web-browser warning. We demonstrate a practical way to mitigate the DTI effect by presenting the warning at low-DTI times, and show how mouse cursor tracking and psychometric measures can be used to validate low-DTI times in other contexts.Our findings suggest that although alerts are pervasive in personal computing, they should be bounded in their presentation. The timing of interruptions strongly influences the occurrence of DTI in the brain, which in turn substantially impacts alert disregard. This paper provides a theoretically grounded, cost-effective approach to reduce the effects of DTI for a wide variety of interruptive messages that are important but do not require immediate attention.

How users perceive and respond to security messages: a NeuroIS research agenda and empirical study

Users are vital to the information security of organizations. In spite of technical safeguards, users make many critical security decisions. An example is users’ responses to security messages – discrete communication designed to persuade users to either impair or improve their security status. Research shows that although users are highly susceptible to malicious messages (e.g., phishing attacks), they are highly resistant to protective messages such as security warnings. Research is therefore needed to better understand how users perceive and respond to security messages. In this article, we argue for the potential of NeuroIS – cognitive neuroscience applied to Information Systems – to shed new light on users’ reception of security messages in the areas of (1) habituation, (2) stress, (3) fear, and (4) dual-task interference. We present an illustrative study that shows the value of using NeuroIS to investigate one of our research questions. This example uses eye tracking to gain unique insight into how habituation occurs when people repeatedly view security messages, allowing us to design more effective security messages. Our results indicate that the eye movement-based memory (EMM) effect is a cause of habituation to security messages – a phenomenon in which people unconsciously scrutinize stimuli that they have previously seen less than other stimuli. We show that after only a few exposures to a warning, this neural aspect of habituation sets in rapidly, and continues with further repetitions. We also created a polymorphic warning that continually updates its appearance and found that it is effective in substantially reducing the rate of habituation as measured by the EMM effect. Our research agenda and empirical example demonstrate the promise of using NeuroIS to gain novel insight into users’ responses to security messages that will encourage more secure user behaviors and facilitate more effective security message designs.

Using fMRI to Explain the Effect of Dual-Task Interference on Security Behavior

We examine how security behavior is affected by dual-task interference (DTI), a cognitive limitation in which even simple tasks cannot be simultaneously performed without significant performance loss. We find that security messages that interrupt users actually make users more vulnerable by increasing security message disregard—behaving against the recommended course of action of a security message. We study the previously unexamined effect of DTI on a secondary, interrupting task—a security message. In a security context, it is critical that his interruption be carefully heeded. We use functional magnetic resonance imaging (fMRI) to explore (1) how DTI occurs in the brain in response to interruptive security messages and (2) how DTI influences security message disregard. We show that neural activation in the medial temporal lobe (MTL)—a brain region associated with declarative memory—is substantially reduced under a condition of high DTI, which in turn significantly predicts security message disregard.

Neural correlates of gender differences and color in distinguishing security warnings and legitimate websites: a neurosecurity study

Users have long been recognized as the weakest link in security. Accordingly, researchers have applied knowledge from the fields of psychology and human–computer interaction to understand the security behaviors of users. However, many cognitive processes and responses are unconscious or obligatory and yet still have a profound effect on users’ security behaviors. With this in mind, researchers have begun to apply methods and theories of neuroscience to yield greater insights into the “black box” of user cognition. The goal of this approach—termed neurosecurity—is to better understand and improve users’ behaviors. This study illustrates the potential for neurosecurity by investigating how two fundamental biological factors—gender and color perception—affect users’ reception of security warnings. This is important to determine because research has shown that users frequently fail to appropriately respond to security warnings. We conducted a laboratory experiment using electroencephalography, a proven method of measuring neurological activity in temporally sensitive tasks. We found that the amplitude of the P300—an event-related potential component indicative of decision-making ability—was higher for all participants when viewing malware warning screenshots relative to legitimate website shots. Additionally, we found that the P300 was greater for women than for men, indicating that women exhibit higher brain activity than men when viewing malware warnings. However, we found that there was no change in the P300 when viewing red warnings compared to grayscale warnings. Together, our results demonstrate the value of applying neurosecurity methods to the domain of cybersecurity and point to several promising avenues for future research.

Acquiring IS Skill through Habitual Use

Understanding skill acquisition in the context of information systems (IS) use is increasingly important as digital technologies continue to pervade all aspects of personal and business life. To address this important construct, in this study we explore potential antecedents of skill acquisition, including: playfulness, ease of use, comprehensiveness of use, and atypical use. We also explore the mediating role of habitual use (conceptualized as “multipurposing” technology) in IS skill acquisition. We develop and validate measurement scales for multipurposing, comprehensiveness of use, and atypical use. Data was collected using 377 self-reported survey responses from users of Microsoft Excel. Our findings indicate that multipurposing mediates some effects on skill acquisition.