Eye tracking and fMRI confirm that we don't even perceive security warnings before clicking past them

A team of computer scientists, psychologists and neuroscientists used eye-tracking and fMRI to measure how users perceived security warnings, such as warnings about app permissions and browser warnings about insecure pages and plugin installations.

They found that users very quickly became "habituated" to warnings and literally stopped perceiving them, though their attention could still be commanded by varying the presentation of each warning.

Habituation is a very significant factor in security. Something that's alarming at first quickly becomes normal, and the distant possibility that the same sign will someday mean really bad news fades just as fast. This is why people staffing TSA checkpoints get really good at spotting water bottles (which they see all the time, so their brains are constantly being trained to spot them) and consistently miss fake bombs and guns smuggled in by auditors (attempts to hijack a plane are statistically nonexistent, and virtually 100% of the incredibly rare weapons discovered at checkpoints belong either to auditors or to people who simply forgot to take them out of their bags and don't intend any harm to a plane or its passengers).

We found that people habituated rapidly to repeated warnings within a single laboratory session, both in terms of decreased neural activity (such as in the ventral visual pathways, Figure 2) and fewer eye fixations. However, we observed a recovery effect of attention from one day to the next when warnings were withheld. Unfortunately, this recovery effect wasn’t enough to offset the overall pattern of habituation across the workweek. This is depicted by the dotted blue line in Figures 3 and 4.

More positively, we found that a polymorphic warning, a warning that changes its appearance with each presentation, was able to significantly sustain attention over time. This is depicted by the solid red line in Figures 3 and 4. We found this result with only four variations to the warning.

Tuning Out Security Warnings: A Longitudinal Examination of Habituation Through fMRI, Eye Tracking, and Field Experiments [Anthony Vance, Jeffrey L. Jenkins, Bonnie Brinton Anderson, Daniel K. Bjornn and C. Brock Kirwan/CHI 2017]

(via Cryptogram)