More Harm Than Good? How Messages That Interrupt Can Make Us Vulnerable

Jenkins, Jeffrey L.; Anderson, Bonnie Brinton; Vance, Anthony; Kirwan, C. Brock; Eargle, David

doi:10.1287/isre.2016.0644

Cited by 99 publications

(40 citation statements)

References 44 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…We evaluate the effectiveness of polymorphic warnings over time using NeuroIS. NeuroIS can be an effective approach for the evaluation of IT artifacts (vom Brocke and Liang 2014), and it has previously been shown to be effective in examining security warnings specifically (Jenkins et al 2016;Vance et al 2014). Riedl, Davis, and Hevner (2014, p. ii) explain that NeuroIS measures are beneficial "to the design of ICT artifacts."…”

Section: Polymorphic Warning Designmentioning

confidence: 99%

Tuning Out Security Warnings: A Longitudinal Examination of Habituation Through fMRI, Eye Tracking, and Field Experiments

Vance¹,

Jenkins²,

Anderson³

et al. 2018

MISQ

Self Cite

View full text Add to dashboard Cite

Research in the fields of information systems and human-computer interaction has shown that habituationdecreased response to repeated stimulation-is a serious threat to the effectiveness of security warnings. Although habituation is a neurobiological phenomenon that develops over time, past studies have only examined this problem cross-sectionally. Further, past studies have not examined how habituation influences actual security warning adherence in the field. For these reasons, the full extent of the problem of habituation is unknown. We address these gaps by conducting two complementary longitudinal experiments. First, we performed an experiment collecting fMRI and eye-tracking data simultaneously to directly measure habituation to security warnings as it develops in the brain over a five-day workweek. Our results show not only a general decline of participants' attention to warnings over time but also that attention recovers at least partially between workdays without exposure to the warnings. Further, we found that updating the appearance of a warningthat is, a polymorphic design-substantially reduced habituation of attention. Second, we performed a three-week field experiment in which users were naturally exposed to privacy permission warnings as they installed apps on their mobile devices. Consistent with our fMRI results, users' warning adherence substantially decreased over the three weeks. However, for users who received polymorphic permission warnings, adherence dropped at a substantially lower rate and remained high after three weeks, compared to users who received standard warnings. Together, these findings provide the most complete view yet of the problem of habituation to security warnings and demonstrate that polymorphic warnings can substantially improve adherence.

show abstract

Section: Polymorphic Warning Designmentioning

confidence: 99%

Tuning Out Security Warnings: A Longitudinal Examination of Habituation Through fMRI, Eye Tracking, and Field Experiments

Vance¹,

Jenkins²,

Anderson³

et al. 2018

MISQ

Self Cite

View full text Add to dashboard Cite

show abstract

“…Since the release of the NSTC report, the National Science Foundation, Department of Homeland Security, DARPA, and other agencies have sponsored numerous funding opportunities that target extant gaps in cybersecurity literature, many of which can be addressed by IS scholars. In fact, there are many within the IS community that already have expressed interest in security-related topics, such as safe computing practices and privacy (Anderson and Agarwal 2010;Jenkins et al 2016;Sutanto et al 2014). However, one major research gap that IS scholars have currently left unexplored is the investigation of cybercriminals to enrich our understanding of how to effectively combat cybercrime Mahmood et al 2010).…”

Section: Introductionmentioning

confidence: 99%

DICE-E: A Framework for Conducting Darknet Identification, Collection, Evaluation with Ethics

Benjamin¹,

Valacich²,

Chen³

2019

MISQ

View full text Add to dashboard Cite

Society's growing dependence on computers and information technologies has been matched by an escalation of the frequency and sophistication of cyber attacks committed by criminals operating from the Darknet. As a result, security researchers have taken an interest in scrutinizing the Darknet and other underground web communities to develop a better understanding of cybercriminals and emerging threats. However, many scholars lack the capability or expertise to operationalize Darknet research and are thus unable to contribute to this increasingly impactful body of literature. This article introduces a framework for guiding such research, called Darknet Identification, Collection, Evaluation, with Ethics (DICE-E). The DICE-E framework provides a focused reference point and detailed guidelines for scholars wishing to become active in the Darknet research stream. Four steps to conducting Darknet forum research are outlined: (1) identification of Darknet data sources, (2) data collection strategies, (3) evaluation of Darknet data, and (4) ethical concerns related to Darknet research. To illustrate how DICE-E can be utilized, an example empirical study is reported. This exemplar illustrates how DICE-E can guide scholars through key decision points when attempting to incorporate the Darknet within their research.

show abstract

“…We recruited participants from Amazon Mechanical Turk (MTurk). MTurk represents a large diversity of participants and the data is considered as reliable as those collected from other methods [4,19]. Following Steelman et al [38], we required all participants to be within the United States.…”

Section: Samplementioning

confidence: 99%

“Information Security Is Not Really My Job”: Exploring Information Security Role Identity in End-Users

Ogbanufe¹

2020

Proceedings of the Annual Hawaii International Conference on System Sciences

View full text Add to dashboard Cite

Given the significant role individuals play on the welfare of organizations' security, end users are encouraged to see themselves as part of the information security solution and are expected to perform certain end-user security roles. However, there is often a divide between the organization's expectations of the enduser's information security role and the end-user's functional role. We explore the concept of role identity in order to understand the factors that increase the importance ascribed to the information security end user role, which in turn affects performance and actions towards security behaviors. We develop a model that focuses on two issues: (1) factors that increase information security role identity (ISRI) and (2) consequents of ISRI, specific to security behaviors. A survey was used to explore the relationships in the model. Theoretical and practical implications of this research are presented.Even though researchers and practitioners agree that the role of the end-user is important to information security, to date, there are few studies examining the link between the individual's role, specifically, their role

show abstract

More Harm Than Good? How Messages That Interrupt Can Make Us Vulnerable

Cited by 99 publications

References 44 publications

Tuning Out Security Warnings: A Longitudinal Examination of Habituation Through fMRI, Eye Tracking, and Field Experiments

Tuning Out Security Warnings: A Longitudinal Examination of Habituation Through fMRI, Eye Tracking, and Field Experiments

DICE-E: A Framework for Conducting Darknet Identification, Collection, Evaluation with Ethics

“Information Security Is Not Really My Job”: Exploring Information Security Role Identity in End-Users

Contact Info

Product

Resources

About