Been mystified why end-users do not seem to get it? Their eyes glazing over when a security alert pops up on their screen? Brand-new neuroscience research using MRI shows a dramatic drop in attention when a computer user is subjected to just two security warnings in a short time.
A group of researchers from Brigham Young University, the University of Pittsburgh, and Google used functional magnetic resonance imaging (fMRI) to see if varying (polymorphic) warning messages could prevent users from becoming accustomed to security alerts and simply clicking through them.
In a paper scheduled to be presented next month at the Association for Computing Machinery's CHI 2015 conference, they will present data that maps regions of the brain responsible for visual processing. The MRI images show a "precipitous drop" in visual processing after even one repeated exposure to a standard security alert and a "large overall drop" after 13 of them. The problem has been given a fancy label, "habituation," but it is of course a well-known phenomenon.
The results seem to be positive: polymorphic warnings help reduce "habituation," making users more likely to pay attention to the warnings rather than dismiss them outright. The ones that work best are animated, jiggled, or zoomed in. Another positive is that the researchers have illustrated the potential usefulness of applying neuroscience to the domain of IT security.
The researchers said: "Because automatic or unconscious mental processes underlie much of human cognition and decision making, they likely play an important role in a number of other security behaviors, such as security education, training, and awareness (SETA) programs, password use, and information security policy compliance." Here is a link to the PDF with the original research.
Sure, animated security alerts that jump in your face may help for a while, but you will get the same problem over time. There is only one real solution to "habituation": filter out all the noise and only show the user the security alerts that are really important. Too bad neuroscience can't help with that.
In the meantime, stepping users through effective security awareness training and sending them frequent simulated phishing attacks using different templates all the time is a very good way to keep them on their toes and ward off habituation. Find out how affordable this is for your organization today.