Abstract
Users are vital to the information security of organizations. In spite of technical safeguards, users make many critical security decisions. An example is users’ responses to security messages – discrete communication designed to persuade users to either impair or improve their security status. Research shows that although users are highly susceptible to malicious messages (e.g., phishing attacks), they are highly resistant to protective messages such as security warnings. Research is therefore needed to better understand how users perceive and respond to security messages. In this article, we argue for the potential of NeuroIS – cognitive neuroscience applied to Information Systems – to shed new light on users’ reception of security messages in the areas of (1) habituation, (2) stress, (3) fear, and (4) dual-task interference. We present an illustrative study that shows the value of using NeuroIS to investigate one of our research questions. This example uses eye tracking to gain unique insight into how habituation occurs when people repeatedly view security messages, allowing us to design more effective security messages. Our results indicate that the eye movement-based memory (EMM) effect – a phenomenon in which people unconsciously scrutinize stimuli that they have previously seen less than other stimuli – is a cause of habituation to security messages. We show that after only a few exposures to a warning, this neural aspect of habituation sets in rapidly, and continues with further repetitions. We also created a polymorphic warning that continually updates its appearance and found that it is effective in substantially reducing the rate of habituation as measured by the EMM effect. Our research agenda and empirical example demonstrate the promise of using NeuroIS to gain novel insight into users’ responses to security messages that will encourage more secure user behaviors and facilitate more effective security message designs.
Similar content being viewed by others
References
Abbasi A, Zhang Z, Zimbra D, Chen H and Nunamaker JJF (2010) Detecting fake websites: the contribution of statistical learning theory. MIS Quarterly 34 (3), 435–461.
Adams A and Sasse MA (1999) Users are not the enemy. Communications of the ACM 42 (12), 40–46.
Akhawe D and Felt AP (2013) Alice in warningland: a large-scale field study of browser security warning effectiveness. In Proceedings of the 22nd USENIX conference on Security (Sam K, Ed), pp 257–272, USENIX Association, Washington DC.
Anderson CL and Agarwal R (2010) Practicing safe computing: a multimedia empirical examination of home computer user security behavioral intentions. MIS Quarterly 34 (3), 613–643.
Anderson B, Kirwan B, Jenkins J, Eargle D, Howard S and Vance A (2015) How polymorphic warnings reduce habituation in the brain –insights from an fMRI study. In ACM Conference on Human Factors in Computing Systems (CHI) (Kim J and Begole B Eds) ACM, Seoul, Korea.
Ayyagari R, Grover V and Purvis R (2011) Technostress: technological antecedents and implications. MIS Quarterly 35 (4), 831–858.
Bakker A, Kirwan CB, Miller M and Stark CEL (2008) Pattern separation in the human hippocampal CA3 and dentate gyrus. Science 319 (5870), 1640–1642.
Beck MR, Peterson MS and Angelone BL (2007) The roles of encoding, retrieval, and awareness. Memory & Cognition 35 (4), 610–620.
Benbasat I, Dimoka A, Pavlou PA and Qiu L (2010) Incorporating social presence in the design of the anthropomorphic interface of recommendation agents: insights from an fMRI study. In ICIS 2010 Proceedings (Lacity M, March S and Niederman F, Eds), AIS, St. Louis, MO.
Bench CJ, Frith CD, Grasby PM, Friston KJ, Paulesu E and Frackowiak RSJ et al (1993) Investigations of the functional anatomy of attention using the stroop test. Neuropsychologia 31 (9), 907–922.
Blanchard RJ and Blanchard DC (1994) Opponent environmental targets and sensorimotor systems in aggression and defence. In Ethology and Psychopharmacology (Cooper SJ and Hendrie CA, Eds), pp 133–157, Wiley, Chichester, UK.
Boss SR, Galletta DF, Lowry PB, Moody GD and Polak P (2015) What do users have to fear? Using fear appeals to engender threats and fear that motivate protective behaviors in users. MIS Quarterly 39 (4), 837–864.
Braun CC, Greeno B and Silver NC (1994) Differences in behavioral compliance as a function of warning color. In Proceedings of the Human Factors and Ergonomics Society Annual Meeting, pp 379–383, SAGE Publications, Nashville, Tennessee.
Braun CC and Silver NC (1995) Interaction of signal word and colour on warning labels: differences in perceived hazard and behavioural compliance. Ergonomics 38 (11), 2207–2220.
Bravo-Lillo C, Cranor LF, Downs J, Komanduri S and Sleeper M (2011) Improving computer security dialogs. In Proceedings of the 13th IFIP TC 13 International Conference on Human-Computer Interaction – Volume 6949 Part IV (CAMPOS P, GRAHAM N, JORGE J, NUNES N, PALANQUE P and WINCKLER M, Eds), pp 18–35, Springer-Verlag, Lisbon, Portugal.
Bravo-Lillo C et al (2013) Your attention please: designing security-decision UIs to make genuine risks harder to ignore. In Proceedings of the Ninth Symposium on Usable Privacy and Security (Cranor L, Ed), pp 1–12, ACM, Newcastle, UK.
Brod C (1984) Technostress: The Human Cost of the Computer Revolution. Addison-Wesley, Reading, MA.
Brustoloni JC and Villamarín-Salomón R (2007) Improving security decisions with polymorphic and audited dialogs. In Proceedings of the Third symposium on Usable Privacy and Security (SOUPS 2007) (Cranor L, Ed), pp 76–85, ACM, New York, NY.
Cacioppo JT, Martzke JS, Petty RE and Tassinary LG (1988) Specific forms of facial EMG response index emotions during an interview: from Darwin to the continuous flow hypothesis of affect-laden information processing. Journal of Personality and Social Psychology 54 (4), 592–604.
Castellina E, Corno F and Pellegrino P (2008) Integrated speech and gaze control for realistic desktop environments. In Proceedings of the 2008 Symposium on Eye Tracking Research & Applications (Räihä K-J and Duchowski AT, Eds), pp 79–82, ACM, Savannah, GA.
Chen MC, Anderson JR and Sohn MH (2001) What can a mouse cursor tell us more?: correlation of eye/mouse movements on web browsing. In CHI ‘01 Extended Abstracts on Human Factors in Computing Systems (Jacko J and Sears A, Eds), pp 281–282, ACM, Seattle, Washington DC.
Conti G, Ahamad M and Stasko J (2005) Attacking information visualization system usability overloading and deceiving the human. In Proceedings of the 2005 Symposium on Usable Privacy and Security (Cranor L and Zurko ME, Eds), pp 89–100, ACM, Menlo Park, CA.
Cooper CL, Dewe PJ and O’driscoll MP (2001) Organizational Stress: A Review and Critique of Theory, Research, and Applications. Sage, Thousand Oaks, CA.
Crossler RE, Johnston AC, Lowry PB, Hu Q, Warkentin M and Baskerville R (2013) Future directions for behavioral information security research. Computers & Security 32 (1), 90–101.
Cui X, Bray S, Bryant DM, Glover GH and Reiss AL (2011) A quantitative comparison of nirs and fMRI across multiple cognitive tasks. NeuroImage 54 (4), 2808–2821.
Dawson ME, Schell AM and Courtney CG (2011) The skin conductance response, anticipation, and decision-making. Journal of Neuroscience, Psychology, and Economics 4 (2), 111–116.
De Keukelaere F, Yoshihama S, Trent S, Zhang Y, Luo L and Zurko ME (2009) Adaptive security dialogs for improved security behavior of users. In Proceedings of the 12th IFIP TC 13 International Conference on Human-Computer Interaction: Part I (Gross T et al, Eds), pp 510–523, Springer-Verlag, Uppsala, Sweden.
Dhamija R and Tygar JD (2005) The battle against phishing: dynamic security skins. In Proceedings of the 2005 Symposium on Usable Privacy and Security, (Cranor L and Zurko ME, Eds), pp 77–88, ACM, Menlo Park, CA.
Dhamija R, Tygar JD and Hearst M (2006) Why phishing works. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (Olson G, Rodden T and Grinter R, Eds), pp 581–590, ACM, Montréal, Canada.
Dickerson SS and Kemeny ME (2004) Acute stressors and cortisol responses: a theoretical integration and synthesis of laboratory research. Psychological Bulletin 130 (3), 355–391.
Dimoka A (2010) What does the brain tell us about trust and distrust? Evidence from a functional neuroimaging study. MIS Quarterly 34 (2), 373–396.
Dimoka A (2012) How to conduct a functional magnetic resonance (fMRI) study in social science research. MIS Quarterly 36 (3), 811–840.
Dimoka A et al (2012) On the use of neurophysiological tools in IS research: developing a research agenda for NeuroIS. MIS Quarterly 36 (3), 679–702.
Dimoka A, Pavlou PA and Davis FD (2011) Research commentary-NeuroIS: the potential of cognitive neuroscience for information systems research. Information Systems Research 22 (4), 687–702.
Downs JS, Holbrook MB and Cranor LF (2006) Decision Strategies and Susceptibility to Phishing Proceedings of the Second Symposium on Usable Privacy and Security (Cranor L, Karat C-M and Smetters D, Eds), ACM, Pittsburgh, Pennsylvania, pp 79–90.
Drake CE, Oliver JJ and Koontz EJ (2004) Anatomy of a Phishing Email, In Conference on Email and Anti-Spam, CEAS, Mountain View, CA.
Duncan J and Coltheart M (1987) Attention and Reading: Wholes and Parts in Shape Recognition – A Tutorial Review. England: Lawrence Erlbaum Associates, Hillsdale, NJ.
Dux PE, Ivanoff J, Asplund CL and Marois R (2006) Isolation of a central bottleneck of information processing with time-resolved fMRI. Neuron 52 (6), 1109–1120.
D’arcy J, Herath T and Shoss M (2014) Understanding employee responses to stressful information security requirements: a coping perspective. Journal of Management Information Systems 31 (2), 285–318.
Egelman S, Cranor LF and Hong J (2008) You’ve been warned: an empirical study of the effectiveness of web browser phishing warnings. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (Czerwinski M and Lund A, Eds), pp 1065–1074, ACM, Florence, Italy.
Egelman S, Sotirakopoulos A, Muslukhov I, Beznosov K and Herley C (2013) Does My Password Go Up to Eleven? The Impact of Password Meters on Password Selection, In ACM Conference on Human Factors in Computing Systems (CHI) (Mackay WE, Ed), ACM, Paris, France, pp 2379–2388.
Ekman P, Rolls ET, Perrett DI and Ellis HD (1992) Facial expressions of emotion: an old controversy and new findings [and discussion]. Philosophical Transactions of the Royal Society of London. Series B: Biological Sciences 335 (1273), 63–69.
Eysenck MW, Derakshan N, Santos R and Calvo MG (2007) Anxiety and cognitive performance: attentional control theory. Emotion 7 (2), 336–353.
Felt AP, Ha E, Egelman S, Haney A, Chin E and Wagner D (2012) Android permissions: user attention, comprehension, and behavior. In Proceedings of the Eighth Symposium on Usable Privacy and Security (Cranor L, Lipford H and Beznosov K, Eds), pp 3:1–3:14, ACM.
Felt AP, Reeder RW, Almuhimedi H and Consolvo S (2014) Experimenting at Scale with Google Chrome’s SSL Warning, In ACM Conference on Human Factors in Computing Systems (CHI) (Jones M and Palanque P, Eds), ACM, Toronto, Canada, pp 2667–2670.
Fichman RG, Gopal R, Gupta A and Ransbotham S (2014) Call for papers: special issue on ubiquitous IT and digital vulnerabilities. Information Systems Research. [WWW document] http://pubsonline.informs.org/page/isre/calls-for-papers (accessed 13 November 2014).
Floyd DL, Prentice-Dunn S and Rogers RW (2000) A meta-analysis of research on protection motivation theory. Journal of Applied Social Psychology 30 (2), 407–429.
Foltz CB, Schwager PH and Anderson JE (2008) Why users (fail to) read computer usage policies. Industrial Management & Data Systems 108 (6), 701–712.
Freeman JB and Ambady N (2010) Mousetracker: software for studying real-time mental processing using a computer mouse-tracking method. Behavior Research Methods 42 (1), 226–241.
Frijda NH (1986) The Emotions. Cambridge University Press, Cambridge, New York.
Furnell S and Clarke N (2012) Power to the people? The evolving recognition of human aspects of security. Computers & Security 31 (8), 983–988.
Gartner (2013) Gartner says worldwide security market to grow 8.7 percent in 2013. [WWW document] http://www.gartner.com/newsroom/id/2512215 (accessed 29 January 2014).
Gefen D, Ayaz H and Onaral B (2014) Applying functional near infrared (fnir) spectroscopy to enhance mis research. AIS Transactions on Human-Computer Interaction 6 (3), 55–73.
Good N et al (2005) Stopping Spyware at the Gate: A User Study of Privacy, Notice and Spyware, In Proceedings of the Symposium on Usable Privacy and Security (Cranor L and Zurko ME, Eds), ACM, Pittsburgh, Pennsylvania,pp 43–52.
Grill-Spector K, Henson R and Martin A (2006) Repetition and the brain: neural models of stimulus-specific effects. Trends in Cognitive Sciences 10 (1), 14–23.
Grimes M, Jenkins JL and Valacich J (2013) Exploring the effect of arousal and valence on mouse interaction. In International Conference on Information Systems (Baskerville R and Chau M, Eds), AIS, Milan, Italy.
Guo Q and Agichtein E (2010) Towards predicting web searcher gaze position from mouse movements. In CHI’10 Extended Abstracts on Human Factors in Computing Systems (Mynatt E and Rodden T, Eds),pp 3601–3606, ACM, Austin, TX.
Haier RJ et al (1988) Cortical glucose metabolic rate correlates of abstract reasoning and attention studied with positron emission tomography. Intelligence 12 (2), 199–217.
Hannula DE, Althoff RR, Warren DE, Riggs L, Cohen NJ and Ryan JD (2010) Worth a glance: using eye movements to investigate the cognitive neuroscience of memory. Frontiers in Human Neuroscience (4), 1–16.
Hannula DE and Ranganath C (2009) The eyes have it: hippocampal activity predicts expression of memory in eye movements. Neuron 63 (5), 592–599.
Hehman E, Stolier RM and Freeman JB (2014) Advanced mouse-tracking analytic techniques for enhancing psychological science. Psychological Science 20 (10), 1183–1188.
Herath P, Klingberg T, Young J, Amunts K and Roland P (2001) Neural correlates of dual task interference can be dissociated from those of divided attention: an fMRI study. Cerebral Cortex 11 (9), 796–805.
Herley C (2009) So long, and no thanks for the externalities: the rational rejection of security advice by users. In Proceedings of the 2009 Workshop on New Security Paradigms (Somayaji A and Ford R, Eds), pp 133–144, ACM, Oxford, UK.
Herley C (2012) Why do Nigerian scammers say they are from Nigeria? In Workshop on the Economics of Information Security (WEIS) (Böhme R, Ed) WEIS, Berlin, Germany.
Hibbeln M, Jenkins J, Schneider C, Valacich J and Weinmann M (2014) Investigating the effect of insurance Fraud on mouse usage in human-computer interactions. In Proceedings of the 2014 International Conference on Information Systems (ICIS 2014), (Karahanna E, Srinivasan A and Tan B, Eds), AIS, Auckland, New Zealand.
Hiraga CY, Garry MI, Carson RG and Summers JJ (2009) Dual-task interference: attentional and neurophysiological influences. Behavioural Brain Research 205 (1), 10–18.
Hong J (2012) The state of phishing attacks. Communications of the ACM 55 (1), 74–81.
Hsu M, Bhatt M, Adolphs R, Tranel D and Camerer CF (2005) Neural systems responding to degrees of uncertainty in human decision-making. Science 310 (5754), 1680–1683.
Hu Q, West R, Smarandescu L and Yaple Z (2014) Why individuals commit information security violations: neural correlates of decision processes and self-control. In Hawaii International Conference on Systems Sciences (Sprague R, Ed), IEEE, Waikoloa, HI.
Jenkins JL and Durcikova A (2013) What, I shouldn’t have done that? The influence of training and just-in-time reminders on secure behavior. In International Conference for Information Systems (ICIS) (Baskerville R and Chau M, Eds), AIS, Milan, Italy.
Jenkins JL, Grimes M, Proudfoot J and Lowry PB (2013) Improving password cybersecurity through inexpensive and minimally invasive means: detecting and deterring password reuse through keystroke-dynamics monitoring and just-in-time warnings. Information Technology for Development 20 (2), 196–213.
Jiang Y (2004) Resolving dual-task interference: an fMRI study. NeuroImage 22 (2), 748–754.
Johnston A, Warkentin M and Siponen M (2015) An enhanced fear appeal rhetorical framework: leveraging threats to the human asset through sanctioning rhetoric. MIS Quarterly 39 (1), 113–134.
Johnston AC and Warkentin M (2010) Fear appeals and information security behaviors: an empirical study. MIS Quarterly 34 (3), 549–566.
Kalsher M and Williams K (2006) Behavioral compliance: theory, methodology, and result. In Handbook of Warnings (Wogalter MS, Ed), pp 313–331, Lawrence Erlbaum Associates, Mahwah, NJ.
Kalsher MJ, Brewster BM, Wogalter MS and Spunar ME (1995) Hazard level perceptions of current and proposed warning sign and label panels. Proceedings of the Human Factors and Ergonomics Society Annual Meeting 39(5), pp 351–355.
Kalsher MJ, Wogalter MS and Racicot BM (1996) Pharmaceutical container labels: enhancing preference perceptions with alternative designs and pictorials. International Journal of Industrial Ergonomics 18 (1), 83–90.
Kandel ER (2001) The molecular biology of memory storage: a dialogue between genes and synapses. Science 294 (5544), 1030–1038.
Karjalainen M and Siponen M (2011) Toward a new meta-theory for designing information systems (IS) security training approaches. Journal of the Association for Information Systems 12 (8), 518–555.
Kemper D, Davis L, Fidopiastis C and Nicholson D (2007) Foundations for creating a distributed adaptive user interface. In Foundations of Augmented Cognition (Schmorrow D and Reeves L, Eds), Vol. 4565, pp 251–257, Springer, Berlin Heidelberg, Germany.
Kessem L (2012) Phishing in season: a look at online fraud in 2012. [WWW document] http://blogs.rsa.com/phishing-in-season-a-look-at-online-fraud-in-2012/ (accessed 13 November 2014).
Kleiss JA and Lane DM (1986) Locus and persistence of capacity limitations in visual information processing. Journal of Experimental Psychology: Human Perception and Performance 12 (2), 200–210.
Koch I (2009) The role of crosstalk in dual-task performance: evidence from manipulating response-code overlap. Psychological Research 73 (3), 417–424.
Krain AL, Wilson AM, Arbuckle R, Castellanos FX and Milham MP (2006) Distinct neural mechanisms of risk and ambiguity: a meta-analysis of decision-making. NeuroImage 32 (1), 477–484.
Kumaraguru P et al (2009) School of Phish: A Real-World Evaluation of Anti-Phishing Training. Proceedings of Symposium on Usable Privacy and Security, (Cranor L, Garfinkel S and Patrick A, Eds), ACM, Mountain View, CA.
Kumaraguru P, Rhee Y, Acquisti A, Cranor LF, Hong J and Nunge E (2007) Protecting People From Phishing: The Design and Evaluation of an Embedded Training. Email System In ACM Conference on Human Factors in Computing Systems (CHI) (Rosson MB, Ed), ACM, San Jose, CA, pp 905–914.
Laughery KR, Young SL, Vaubel KP and JW Jr. Brelsford (1993) The noticeability of warnings on alcoholic beverage containers. Journal of Public Policy & Marketing 12 (1), 38–56.
Lerner JS and Keltner D (2001) Fear, anger, and risk. Journal of Personality and Social Psychology 81 (1), 146–159.
Lesch M (2006) Consumer product warnings: research and recommendations. In Handbook of Warnings: Human Factors and Ergonomics (Wogalter MS, Ed), pp 137–146, Lawrence Erlbaum Associates, Mahwah, NJ.
Lin E, Greenberg S, Trotter E, Ma D and Aycock J (2011) Does Domain Highlighting Help People Identify Phishing Sites? In ACM Conference on Human Factors in Computing Systems (CHI) (Mynatt E and Rodden T, Eds), ACM, Vancouver, British Columbia, Canada, pp 2075–2084.
Logan GD (1978) Attention in character-classification tasks: evidence for the automaticity of component stages. Journal of Experimental Psychology 107 (1), 32–63.
Loos P et al (2010) NeuroIS: neuroscientific approaches in the investigation and development of information systems. Business & Information Systems Engineering 2 (6), 395–401.
Lopatovska I and Arapakis I (2011) Theories, methods and current research on emotions in library and information science, information retrieval and human – computer interaction. Information Processing & Management 47 (4), 575–592.
Lowry PB et al (2013) Evaluating journal quality and the association for information systems senior scholars’ journal basket via bibliometric measures: do expert journal assessments add value? MIS Quarterly 37 (4), 993–1012.
Luo XR, Zhang W, Burd S and Seazzu A (2013) Investigating phishing victimization with the heuristic – Systematic model: a theoretical framework and an exploration. Computers & Security 38, 28–38.
Mach QH, Hunter MD and Grewal RS (2010) Neurophysiological correlates in interface design: an HCI perspective. Computers in Human Behavior 26 (3), 371–376.
Mahmood MA, Siponen M, Straub D and Rao HR (2008) Special issue call for papers: information systems security in a digital economy. MIS Quarterly 32 (1), 203–204.
Mahmood MA, Siponen M, Straub D, Rao HR and Raghu TS (2010) Moving toward black hat research in information systems security: an editorial introduction to the special issue. MIS Quarterly 34 (3), 431–433.
Mandiant (2013) Apt1: Exposing One of China’s Cyber Espionage Units. Mandiant, http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf, accessed 4 December, 2015.
Maurer M-E, de Luca A and Kempe S (2011) Using Data Type Based Security Alert Dialogs to Raise Online Security Awareness In Proceedings of the Symposium on Usable Privacy and Security (Cranor L, Lipford H and Schechter S, Eds), ACM, Pittsburgh, Pennsylvania.
McArdle JJ and Nesselroade JR (2003) Growth curve analysis in contemporary psychological research. In Handbook of Psychology (Weiner IB, Schinka JA and Velicer WF, Eds) John Wiley & Sons, Hoboken, New Jersey.
McKendrick R, Ayaz H, Olmstead R and Parasuraman R (2014) Enhancing dual-task performance with verbal and spatial working memory training: continuous monitoring of cerebral hemodynamics with nirs. NeuroImage 85 (3), 1014–1026.
Meyer J (2006) Responses to dynamic warnings. In Handbook of Warnings. Human Factors and Ergonomics (Wogalter MS, Ed), pp 221–229, Lawrence Erlbaum Associates, Mahwah, NJ.
Minas R, Potter R, Dennis A, Bartelt V and Bae S (2014) Putting on the thinking cap: using NeuroIS to understand information processing biases in virtual teams. Journal of Management Information Systems 30 (4), 49–82.
Minnery BS and Fine MS (2009) Neuroscience and the future of human-computer interaction. Interactions 16 (2), 70–75.
Mitnick KD and Simon WL (2001) The Art of Deception: Controlling the Human Element of Security. John Wiley & Sons, Indianapolis, IN.
Moody G, Galletta D, Walker J and Dunn B (2011) Which phish get caught? An exploratory study of individual susceptibility to phishing. In Proceedings of the 2011 International Conference on Information Systems (ICIS 2014) (Galletta D and Liang T-P, Eds), AIS, Shanghai, China.
Moody GD and Galletta DF (2015) Lost in cyberspace: the impact of information scent and time constraints on stress, performance, and attitudes. Journal of Management Information Systems 32 (1), 192–224.
Moses SN et al (2007) Dynamic neural activity recorded from human amygdala during fear conditioning using magnetoencephalography. Brain Research Bulletin 71 (5), 452–460.
Motiee S, Hawkey K and Beznosov K (2010) Do windows Users Follow the Principle of Least Privilege? Investigating User Account Control Practices, In Proceedings of the Symposium on Usable Privacy and Security (Cranor L, Patrick A and Schechter S, Eds), ACM, Redmond, Washington DC.
Neupane A, Saxena N, Kuruvilla K, Georgescu M and Kana R (2014) Neural Signatures of User-centered Security: An fMRI Study of Phishing, and Malware Warnings. Procedings of the Network and Distributed System Security (NDSS) Symposium (Bauer L, Ed), pp. 1–16.
Neupane A, Rahman ML, Saxena N and Hirshfield L (2015) A Multi-Modal Neuro-Physiological Study of Phishing Detection and Malware Warnings, Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS) (Kruegel C and Li N, Eds), Denver, CO, pp. 479–491.
Nunamaker Jr. JF and Briggs RO (2012) Toward a broader vision for information systems. ACM Transactionson Management Information Systems 2 (4), 1–12.
Ortiz de Guinea A and Markus ML (2009) Why break the habit of a lifetime? Rethinking the roles of intention, habit, and emotion in continuing information technology use. MIS Quarterly 33 (3), 433–444.
Ortiz de Guinea A, Titah R and Léger P-M (2013) Measure for measure: a two study multi-trait multi-method investigation of construct validity in IS research. Computers in Human Behavior 29 (3), 833–844.
Pantev C et al (2004) Lateral inhibition and habituation of the human auditory cortex. European Journal of Neuroscience 19 (8), 2337–2344.
Pashler H (1994) Dual-task interference in simple tasks: data and theory. Psychological Bulletin 116 (2), 220–244.
Platt ML and Huettel SA (2008) Risky business: the neuroeconomics of decision making under uncertainty. Nature Neuroscience 11 (4), 398–403.
Plessow F, Schade S, Kirschbaum C and Fischer R (2012) Better not to deal with two tasks at the same time when stressed? Acute psychosocial stress reduces task shielding in dual-task performance. Cognitive, Affective, & Behavioral Neuroscience 12 (3), 557–570.
Polich J (2007) Updating p300: an integrative theory of p3a and p3b. Clinical Neurophysiology 118 (10), 2128–2148.
Proctor RW and Vu K-PL (2006) The cognitive revolution at age 50: has the promise of the human information-processing approach been fulfilled? International Journal of Human-Computer Interaction 21 (3), 253–284.
Raja F, Hawkey K, Hsu S, Wang K-LC and Beznosov K (2011) A Brick Wall, A Locked Door, And A Bandit: A Physical Security Metaphor for Firewall warnings, In Proceedings of the Symposium on Usable Privacy and Security (Cranor L, Lipford H and Schechter S, Eds), ACM, Pittsburgh, Pennsylvania.
Ramaswami M (2014) Network plasticity in adaptive filtering and behavioral habituation. Neuron 82 (6), 1216–1229.
Randolph A, Mccampbell L, Moore M and Mason S (2005) Controllability of galvanic skin response. In 11th International Conference on Human – Computer Interaction (HCII), Las Vegas, NV.
Rankin CH et al (2009) Habituation revisited: an updated and revised description of the behavioral characteristics of habituation. Neurobiology of Learning and Memory 92 (2), 135–138.
Raskin DC (1973) Attention and arousal. In Electrodermal Activity in Psychological Research (Prokasy W, Ed), pp 125–155, Academic Press, New York.
Rayner K (1998) Eye movements in reading and information processing: 20 years of research. Psychological Bulletin 124 (3), 372–422.
Rémy F, Wenderoth N, Lipkens K and Swinnen SP (2010) Dual-task interference during initial learning of a new motor task results from competition for the same brain areas. Neuropsychologia 48 (9), 2517–2527.
Riedl R (2012) On the biology of technostress: literature review and research agenda. ACM SIGMIS Database 44 (1), 18–55.
Riedl R et al (2010) On the foundations of NeuroIS: reflections on the gmunden retreat 2009. Communications of the Association for Information Systems 27 (1), 243–264.
Riedl R, Davis FD and Hevner AR (2014) Towards a NeuroIS research methodology: intensifying the discussion on methods, tools, and measurement. Journal of the Association for Information Systems 15 (10), i–xxxv.
Riedl R, Kindermann H, Auinger A and Javor A (2012) Technostress from a neurobiological perspective: system breakdown increases the stress hormone cortisol in computer users. Business & Information Systems Engineering 4 (2), 61–69.
Rogers RW and Prentice-Dunn S (1997) Protection motivation theory. In Handbook of health Behavior Research 1: Personal and Social Determinants (David S Gochman, Ed), pp 113–132, Springer, New York.
Rudin-Brown CM, Greenley MP, Barone A, Armstrong J, Salway AF and Norris BJ (2004) The design of child restraint system (CRS) labels and warnings affects overall CRS usability. Traffic Injury Prevention 5 (1), 8–17.
Sanders MS and McCormick EJ (1987) Human Factors in Engineering and Design, 7th edn, McGraw-Hill, New York.
Sankarpandian K, Little T and Edwards WK (2008) Talc: Using Desktop Graffiti to Fight Software Vulnerability,, In ACM Conference on Human Factors in Computing Systems (CHI) (Czerwinski M and Lund A, Eds), ACM, Florence, Italy, pp 1055–1064.
Sarinopoulos I et al (2010) Uncertainty during anticipation modulates neural responses to aversion in human insula and amygdala. Cerebral Cortex 20 (4), 929–940.
Schechter SE, Dhamija R, Ozment A and Fischer I (2007) The emperor’s new security indicators. In IEEE Symposium on Security and Privacy, 2007 (Shands D, Pfitzmann B and McDaniel P, Eds), SP’07. pp 51–65, IEEE, Berkeley, CA.
Schellhammer S, Haines R and Klein S (2013) Investigating technostress in situ: understanding the day and the life of a knowledge worker using heart rate variability. In System Sciences (HICSS), 2013 46th Hawaii International Conference on (Sprague R, Ed), pp 430–439, IEEE, Maui, Hawaii.
Schutter DJLG and van Honk J (2009) The cerebellum in emotion regulation: a repetitive transcranial magnetic stimulation study. The Cerebellum 8 (1), 28–34.
Searle BJ, Bright JEH and Bochner S (1999) Testing the 3-factor model of occupational stress: the impact of demands, control and social support on a mail sorting task. Work & Stress 13 (3), 268–279.
Sharek D, Swofford C and Wogalter M (2008) Failure to recognize fake internet popup warning messages. In Proceedings of the Human Factors and Ergonomics Society Annual Meeting (Marras WS, Eds), pp 557–560, Sage Publications, New York.
Sheeran P (2002) Intention–Behavior relations: a conceptual and empirical review. European Review of Social Psychology 12 (1), 1–36.
Sheng S et al (2007) Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish, In Proceedings of the Symposium on Usable Privacy and Security (Cranor L, Hong J and Smetters D, Eds), ACM, Pittsburgh, Pennsylvania, pp 88–99.
Shimojo S, Simion C, Shimojo E and Scheier C (2003) Gaze bias both reflects and influences preference. Nature Neuroscience 6 (12), 1317–1322.
Sigman M and Dehaene S (2006) Dynamics of the central bottleneck: dual-task and task uncertainty. PLoS Biology 4 (7), e220.
Silver NC and Wogalter MS (1989) Broadening the range of signal words. In Proceedings of the Human Factors and Ergonomics Society Annual Meeting, pp 555–559, SAGE Publications, Denver, CO.
Siponen M and Smith J (2014) Call for papers: IS security and privacy. ICIS 2014: Building a better world through information systems. [WWW document] http://icis2014.aisnet.org/index.php/submissions/tracks/14-is-security-and-privacy, accessed 30 June 2014.
Smith CN, Hopkins RO and Squire LR (2006) Experience-dependent eye movements, awareness, and hippocampus-dependent memory. The Journal of Neuroscience 26 (44), 11304–11312.
Sojourner RJ and Wogalter MS (1997) The influence of pictorials on evaluations of prescription medication instructions. Drug Information Journal 31 (3), 963–972.
Sonnentag S and Frese M (2003) Stress in organizations. In Handbook of Psychology: Industrial and Organizational Psychology, Vol. 12 Borman WC, Ilgen DR and Klimoski RJ, Eds), pp 453–491, John Wiley & Sons, Hoboken, NJ.
Sotirakopoulos A, Hawkey K and Beznosov K (2011) On the challenges in usable security lab studies: lessons learned from replicating a study on SSL warnings. In Proceedings of the Seventh Symposium on Usable Privacy and Security (SOUPS) (Cranor L, Lipford H and Schechter S, Eds), pp 3:1–3:18, ACM, Menlo Park, CA.
Straub D, Boudreau M-C and Gefen D (2004) Validation guidelines for IS positivist research. Communications of the Association for Information Systems 13 (24), 380–427.
Strawbridge JA (1986) The influence of position, highlighting, and imbedding on warning effectiveness. In Proceedings of the Human Factors and Ergonomics Society Annual Meeting, pp 716–720, SAGE Publications, Dayton, OH.
Sunshine J, Egelman S, Almuhimedi H, Atri N and Cranor LF (2009) Crying wolf: an empirical study of SSL warning effectiveness. In SSYM’09 Proceedings of the 18th Conference on USENIX Security Symposium (Monrose F, Ed), pp 399–416, Montreal, Canada.
Szameitat AJ, Schubert T, Müller K and von Cramon DY (2002) Localization of executive functions in dual-task performance with fMRI. Journal of Cognitive Neuroscience 14 (8), 1184–1199.
Tams S, Hill K, Ortiz de Guinea A, Thatcher J and Grover V (2014) NeuroIS – Alternative or complement to existing methods? Illustrating the holistic effects of neuroscience and self-reported data in the context of technostress research. Journal of the Association for Information Systems 15 (10), 1.
Tarafdar M, Gupta A and Turel O (2013) Special issue call for papers: dark side of IT use. Information Systems Journal. [WWW document] http://www.ncl.ac.uk/kite/news/item/information-systems-journal-special-issue-on-the-dark-side-of-it-use, accessed 13 November 2014.
Tombu M and Jolicœur P (2003) A central capacity sharing model of dual-task performance. Journal of Experimental Psychology: Human Perception and Performance 29 (1), 3–18.
Twyman NW, Lowry PB, Burgoon JK and Nunamaker JF (2015) Autonomous scientifically controlled screening systems for detecting information purposely concealed by individuals. Journal of Management Information Systems 31 (3), 106–137.
Ur B et al (2012) How Does Your Password Measure Up? The Effect of Strength Meters on Password Creation, In USENIX Security Symposium (Kohno T, Ed), USENIX, Bellevue, Washington DC, pp 65–80.
van Turennout M, Ellmore T and Martin A (2000) Long-lasting cortical plasticity in the object naming system. Nature Neuroscience 3 (12), 1329–1334.
Vance A, Anderson BB, Kirwan CB and Eargle D (2014) Using measures of risk perception to predict information security behavior: insights from electroencephalography (EEG). Journal of the Association for Information Systems 15 (10), 679–722.
Vance A, Siponen M and Pahnila S (2012) Motivating IS security compliance: insights from habit and protection motivation theory. Information & Management 49 (3–4), 190–198.
Vaniea KE, Rader E and Wash R (2014) Betrayed By Updates: How Negative Experiences Affect Future Security, In ACM Conference on Human Factors in Computing Systems (CHI) (Jones M and Palanque P, Eds), ACM, Toronto, Canada, pp 2671–2674.
Verplanken B and Aarts H (1999) Habit, attitude, and planned behaviour: is habit an empty construct or an interesting case of goal-directed automaticity? European Review of Social Psychology 10 (1), 101–134.
Vigilante Jr. WJ and Wogalter M (2003) Effects of label format on knowledge acquisition and perceived readability by younger and older adults. Ergonomics 46 (4), 327–344.
Villamarín-Salomón RM and Brustoloni JC (2010) Using Reinforcement to Strengthen Users’ Secure Behaviors, In ACM Conference on Human Factors in Computing Systems (CHI), ACM, Atlanta, Georgia, pp 363–372.
vom Brocke J and Liang T-P (2014) Guidelines for neuroscience studies in information systems research. Journal of Management Information Systems 30 (4), 211–234.
Vredenburgh A and Zackowitz I (2006) Expectations. In Handbook of Warnings (Wogalter MS, Ed), pp 345–353, Lawrence Erlbaum Associates, Mahwah, NJ.
Warkentin M, Johnston AC and Vance A (2014) Call for papers: internet and the digital economy: innovative behavioral IS security and privacy research. Hawaii International Conference on System Sciences [WWW document] http://www.hicss.hawaii.edu/hicss_47/track/in/IN-Security.pdf, accessed 30 June 2014.
Warkentin M, Walden EA and Johnston AC (2012) Identifying the neural correlates of protection motivation for secure IT behaviors. In Gmunden Retreat on NeuroIS 2012 (Davis F, Riedl R, vom Brocke J, Léger P-M and Randolph A, Eds), Gmunden, Austria.
Warkentin M and Willison R (2008) Special issue call for papers: behavioural and policy issues in information systems security. European Journal of Information Systems [WWW document] http://www.palgrave-journals.com/ejis/Promo-EJIS_InfoSec.pdf, accessed 30 June 2014.
Warkentin M and Willison R (2009) Behavioral and policy issues in information systems security: the insider threat. European Journal of Information Systems 18 (2), 101–105.
Warkentin M, Walden EA, Johnston AC and Straub DW (forthcoming) Neural Correlates of Protection Motivation for Secure IT Behaviors: An fMRI Examination. Journal of the Association for Information Systems.
Wastell D and Newman M (1993) The behavioral dynamics of information system development: a stress perspective. Accounting, Management and Information Technologies 3 (2), 121–148.
Weber R (2004) The grim reaper: the curse of e-mail. MIS Quarterly 28 (3), 3–14.
Welsh TN and Elliott D (2004) Movement trajectories in the presence of a distracting stimulus: evidence for a response activation model of selective reaching. The Quarterly Journal of Experimental Psychology Section A 57 (6), 1031–1057.
West R (2008) The psychology of security. Communications of the ACM 51 (4), 34–40.
Whalen PJ (1998) Fear, vigilance, and ambiguity: initial neuroimaging studies of the human amygdala. Current Directions in Psychological Science 7 (6), 177–188.
Witte K (1992) Putting the fear back into fear appeals: the extended parallel process model. Communications Monographs 59 (4), 329–349.
Wogalter M and Vigilante Jr. WJ (2006) Attention switch and maintenance. In Handbook of Warnings (Wogalter MS, Ed), pp 245–266, Lawrence Erlbaum Associates, Mahwah, NJ.
Wright RT and Marett K (2010) The influence of experiential and dispositional factors in phishing: an empirical investigation of the deceived. Journal of Management Information Systems 27 (1), 273–303.
Wu M, Miller RC and Garfinkel SL (2006) Do security toolbars actually prevent phishing attacks? In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (Olson G, Rodden T and Grinter R, Eds), pp 601–610, ACM, Montreal, Canada.
Yee K-P (2004) Aligning security and usability. Security & Privacy, IEEE 2 (5), 48–55.
Young SL (1991) Increasing the noticeability of warnings: effects of pictorial, color, signal icon and border. In Proceedings of the Human Factors and Ergonomics Society Annual Meeting, pp 580–584, SAGE Publications, San Francisco, VA.
Young SL and Wogalter M (1990) Effects of conspicuous print and pictorial icons on comprehension and memory of instruction manual warnings. Human Factors 32 (6), 637–649.
Appendices
Appendix A
Security messages taxonomy
Figure A1 depicts a taxonomy of security messages along with specific examples, which, consistent with our definition, may be offensive or defensive in nature. Our scheme classifies security messages according to three primary dimensions: (1) immediacy, (2) relevancy, and (3) complexity. Immediacy refers to the extent to which a message can be deferred. At one extreme, modal software dialogs by design interrupt the user’s workflow until the message has been processed (Egelman et al, 2008). On the other end of the spectrum, security advisories are often in e-mail form, which can be easily set aside for later processing (Weber, 2004). Immediacy has important implications for how security messages are processed because users are less likely to act on messages that can be deferred (Egelman et al, 2008). This is why Web browsers have recently emphasized modal warnings that interrupt the user rather than passive indicators that reside in the chrome of the browser and are easily overlooked (Akhawe & Felt, 2013).
Relevancy concerns the applicability of a security message to the workflow or task that the user is engaged in. Users are more likely to process security messages that are anticipated or clearly applicable to the present task (Vredenburgh & Zackowitz, 2006). In contrast, security messages that have little connection to a user’s current activity are less easily processed because they require users to switch attention from the task at hand (Meyer, 2006). This is one reason why information security policies are less likely to be followed if they are separate from a user’s routine work activities (Vance et al, 2012). This is also why spear-phishing attacks that are targeted to a user’s work are much more effective (Luo et al, 2013).
Complexity describes the informational density of a security message, the mental effort required to process the message, or both. Security messages can be very sparse, such as software dialogs that contain only a few words. Conversely, other security messages contain multiple sub-arguments, such as fear appeals, which convey (1) the severity of a threat, (2) the user’s susceptibility to a threat, (3) the efficacy of a suggested response, and (4) the user’s self-efficacy to enact the protective action (Johnston & Warkentin, 2010; Johnston et al, 2015). More complex still are legalistic, acceptable-use policies that users find intractable (Foltz et al, 2008).
For simplicity of presentation, the taxonomy depicts a binary, high/low classification for each dimension, but each message falls along a gradient for each dimension. Some types of security messages (e.g., phishing e-mails) are flexible enough to fall into several categories. For example, phishing e-mails may offer a single link as bait or be long and abstruse like a Nigerian 419 scam (Herley, 2012). The hierarchical ordering of the taxonomy suggests a precedence among the dimensions, with immediacy being the most important factor in whether a user processes a message because messages high in immediacy can interrupt the user and demand attention (Lesch, 2006; Egelman et al, 2008). We consider relevancy to be the next most important factor, given that if a message is determined to be highly relevant, a user will invest time and effort to process the message, regardless of complexity (Vredenburgh & Zackowitz, 2006).
Appendix B
Listing of articles identified in the literature review
Cite this article
Brinton Anderson, B., Vance, A., Kirwan, C. et al. How users perceive and respond to security messages: a NeuroIS research agenda and empirical study. Eur J Inf Syst 25, 364–390 (2016). https://doi.org/10.1057/ejis.2015.21
DOI: https://doi.org/10.1057/ejis.2015.21