The Fog of Warnings: How Non-Security-Related Notifications Diminish the Efficacy of Security Warnings

dc.contributor.author | Vance, Anthony | en
dc.contributor.author | Eargle, Dave | en
dc.contributor.author | Kirwan, C. Brock | en
dc.contributor.author | Anderson, Bonnie Brinton | en
dc.contributor.author | Jenkins, Jeffrey L. | en
dc.date.accessioned | 2026-01-16T19:33:50Z | en
dc.date.available | 2026-01-16T19:33:50Z | en
dc.date.issued | 2025-12-01 | en
dc.description.abstract | Users’ disregard of security warnings is a critical problem in cybersecurity. This problem worsens when people confuse security warnings with common, non-security-related notifications, which they learn to routinely disregard. We investigate this problem through the neurobiological phenomenon of generalization of habituation, where habituation to one stimulus transfers to another stimulus that shares similar characteristics. Generalization of habituation suggests that because of habituation to frequent notifications, people may also be deeply habituated to security warnings they have never seen before, leading to warning disregard. Furthermore, because generalization of habituation occurs unconsciously at the neurobiological level, this may occur even though a person can consciously distinguish security warnings from notifications. We address this problem through three experiments—two in the field and one using functional magnetic resonance imaging. These experiments demonstrate how generalization of habituation occurs and can be mitigated by differentiating warnings from notifications in terms of their visual appearance or mode of interaction. These findings provide guidance to software developers for designing warnings that resist generalization of habituation and promote greater warning adherence. | en
dc.description.version | Published version | en
dc.format.extent | Pages 1357-1384 | en
dc.format.mimetype | application/pdf | en
dc.identifier.doi | https://doi.org/10.25300/MISQ/2025/18531 | en
dc.identifier.eissn | 2162-9730 | en
dc.identifier.issn | 0276-7783 | en
dc.identifier.issue | 4 | en
dc.identifier.orcid | Vance, Anthony [0000-0002-4554-6176] | en
dc.identifier.uri | https://hdl.handle.net/10919/140860 | en
dc.identifier.volume | 49 | en
dc.language.iso | en | en
dc.publisher | Association for Information Systems | en
dc.rights | Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International | en
dc.rights.uri | http://creativecommons.org/licenses/by-nc-nd/4.0/ | en
dc.subject | Security warning | en
dc.subject | habituation | en
dc.subject | generalization | en
dc.subject | fMRI | en
dc.subject | field experiment | en
dc.subject | NeuroIS | en
dc.title | The Fog of Warnings: How Non-Security-Related Notifications Diminish the Efficacy of Security Warnings | en
dc.title.serial | MIS Quarterly | en
dc.type | Article - Refereed | en
dc.type.dcmitype | Text | en
dc.type.other | Journal Article | en
pubs.organisational-group | Virginia Tech | en
pubs.organisational-group | Virginia Tech/Pamplin College of Business | en
pubs.organisational-group | Virginia Tech/Pamplin College of Business/Business Information Technology | en
pubs.organisational-group | Virginia Tech/All T&R Faculty | en
pubs.organisational-group | Virginia Tech/Pamplin College of Business/PCOB T&R Faculty | en

Files

Original bundle
Name: Vance et al. 2025.pdf
Size: 1.7 MB
Format: Adobe Portable Document Format
Description: Published version

License bundle
Name: license.txt
Size: 1.5 KB
Format: Plain Text
Description: