security warnings, habituation, behavioral information systems security, functional magnetic resonance imaging (fMRI), mouse cursor tracking, NeuroIS


Warning messages are fundamental to users' security interactions. Unfortunately, research has shown that they are largely ineffective. A key contributor to this failure is habituation: decreased response to a repeated warning. Previous research has inferred the occurrence of habituation to warnings or measured it indirectly, such as through the proxy of a related behavior. Therefore, there is a gap in our understanding of how habituation to security warnings develops in the brain. Without direct measures of habituation, we are limited in designing warnings that can mitigate its effects. In this study, we use neurophysiological measures to directly observe habituation as it occurs in the brain and behaviorally. We also design a polymorphic warning artifact that repeatedly changes its appearance in order to resist the effects of habituation. In an experiment using functional magnetic resonance imaging (fMRI; n=25), we found that our polymorphic warning was significantly more resistant to habituation than were conventional warnings in regions of the brain related to attention. In a second experiment (n=80), we implemented the top four most resistant polymorphic warnings in a realistic setting. Using mouse cursor tracking as a surrogate for attention to unobtrusively measure habituation on participants' personal computers, we found that polymorphic warnings reduced habituation compared to conventional warnings. Together, our findings reveal the substantial influence of neurobiology on users' habituation to security warnings and security behavior in general, and we offer our polymorphic warning design as an effective solution to practice.

Original Publication Citation

Anderson, B., Vance, A., Kirwan, B., Jenkins, J., Eargle, D. 2016. “From Warning to Wallpaper: Why the Brain Habituates to Security Warnings and What Can Be Done about It,” Journal of Management Information Systems, 33 (3), pp. 713–743,

Document Type

Peer-Reviewed Article

Publication Date


Permanent URL


Taylor and Francis




Marriott School of Management


Information Systems