The Fog Of Warnings: How Non-Essential Notifications Blur With Security Warnings

PROCEEDINGS OF THE FIFTEENTH SYMPOSIUM ON USABLE PRIVACY AND SECURITY (SOUPS 2019) (2019)

Abstract
Adherence to security warnings continues to be an important problem in information security. Although users may fail to heed a security warning for a variety of reasons, a major contributor is habituation, which is decreased response to repeated stimulation. However, the scope of this problem may actually be much broader than previously thought because of the neurobiological phenomenon of generalization. Whereas habituation describes a diminished response with repetitions of the same stimulus, generalization occurs when habituation to one stimulus carries over to other novel stimuli that are similar in appearance.

Generalization has important implications for the domains of usable security and human-computer interaction. Because a basic principle of user interface design is visual consistency, generalization suggests that through exposure to frequent non-security-related notifications (e.g., dialogs, alerts, confirmations, etc.) that share a similar look and feel, users may become deeply habituated to critical security warnings that they have never seen before. Further, with the increasing number of notifications in our lives across a range of mobile, Internet of Things, and computing devices, the accumulated effect of generalization may be substantial. However, this problem has not been empirically examined before.

This paper contributes by measuring the impacts of generalization in terms of (1) diminished attention via mouse cursor tracking and (2) users' ability to behaviorally adhere to security warnings. Through an online experiment, we find that:

- Habituation to a frequent non-security-related notification does carry over to a one-time security warning.
- Generalization of habituation is manifest both in (1) decreased attention to warnings and (2) lower warning adherence behavior.
- The carry-over effect, most importantly, is due to generalization, and not fatigue.
- The degree that generalization occurs depends on the similarity in look and feel between a notification and warning.

These findings open new avenues of research and provide guidance to software developers for creating warnings that are more resistant to the effects of generalization of habituation, thereby improving users' security warning adherence.