This article is based on the research of Kelley Assistant Professor of Operations and Decision Technologies, Nick Brown. This work was co-authored by Dezhi Wu (U. of South Carolina), Jun Zhang (Wuhan University), Greg Moody (U. of Nevada Las Vegas), and Paul Lowry (Virginia Tech).
Introduction
When a device user is at risk of a security breach, they likely receive a push notification designed to interrupt what they’re doing and direct immediate attention to mitigating the threat. These notifications use fear-based appeals to prompt a response—most often, to heed the security recommendation and follow the protective actions.
Existing research shows that users frequently ignore or dismiss these security notifications, particularly when they are perceived as intrusive or require cognitive effort to process. Alarmingly, up to 87% of crucial security notifications go unheeded, and the disruptive nature of how they are delivered may undermine their effectiveness.
Cyber adversaries exploit this system by mimicking legitimate security alerts to deceive users into downloading malware or surrendering login credentials, making users even more skeptical of these messages.
Previous research in the domain of information security has highlighted the effectiveness of using fear appeals to craft more persuasive messages and improve user compliance. But these studies have looked at what makes a person accept a message—not what motivates them to reject it. They also have not considered the complex interplay of cognitive and emotional factors that contribute to the effectiveness of security notifications.
Statement of Problem
The content of a security notification is often constructed to evoke fear, but the method and timing of its delivery may cause irritation. Because the interplay between the emotions of fear and irritation is complex—and may impact users’ acceptance or rejection of security notifications—the authors designed a study to understand whether security notifications are more likely to be disregarded by users who find them annoying.
Specifically, they wanted to evaluate whether the timing of delivery influences the likelihood of rejection, and whether the type of task being interrupted affects the likelihood of rejection.
Data Sources
To develop their research model, the authors conducted a literature review to identify studies that employed fear-based theories in an empirical research context. They also explored the available literature on mental workload to explain the underlying dynamics that culminate in user irritation, finding that when individuals engaged in primary tasks (such as reading articles or gaming on a mobile device) are interrupted by security notifications demanding immediate attention, they perceive these notifications as intrusive.
The authors then built a research model to examine the effect of fear aroused by the message content of a fear appeal and the effect of irritation aroused by its message delivery.
To validate their conceptual model, they developed a mobile app and conducted an experiment designed to evoke the target emotions through various tasks.
Analytic Techniques
The authors developed a mobile app called MSNTASK, which was equipped with a security notification function to deliver security notifications to participants during their use of the app.
After recruiting 811 study participants from Amazon Mechanical Turk (MTurk) via the Cloud Connect platform—all US residents over 18 years old and current organizational employees—the authors asked the participants to complete a pre-experiment survey and spend at least five minutes using the app on their personal smartphone, which dramatically increased realism and ecological validity.
The MSNTASK app encouraged users to complete certain utilitarian or hedonic primary tasks. For the hedonic primary task, the participants played a competitive paddle control game. The utilitarian task required the participants to read a generative artificial intelligence article and to perform a post-quiz to achieve a high reading performance score.
The in-app mobile device management system monitored the data-collection activities of the experimental task system and then pushed a mobile security notification to users when private information collection activities were detected.
The notification warned the participants that the experimental system was trying to access confidential information on their phone without their permission, and recommended that users deny the private information access through the recommended actions. After the delivery of the warning, which interrupted their primary task, users were required to respond to the security notification by clicking the “Yes” button to accept the recommendation or the “No” button to reject it before they could resume the primary task. Participants’ app use behaviors and responses to the security notification were tracked and stored on the app's backend server.
Results
The authors’ findings reveal a dichotomy in emotional responses. Users predominantly influenced by fear were more compliant with the security notification recommendations, whereas those primarily irritated displayed maladaptive behaviors such as reactance and avoidance. These emotional states were moderated by users’ perceived efficacy and the nature of their primary tasks.
The results empirically demonstrated that both fear and irritation coexist and influence user behavior in mobile security contexts. Users whose fear dominated their irritation were more likely to accept the notification's security recommendation. In contrast, users whose irritation exceeded their fear were more likely to reject the security recommendation. These emotional effects were moderated by users’ perceived efficacy and the nature of their primary task.
The authors’ data revealed that a fear-appeal strategy worked effectively in both utilitarian and hedonic tasks, and that mobile security notifications with high levels of intrusiveness were particularly effective at provoking user irritation. This elevated irritation negatively correlated with users’ intention to comply with the security measures, while simultaneously encouraging reactance and avoidance behaviors.
Business Implications
The authors’ research empirically validates that irritation can compromise the efficacy of fear appeals in mobile security notifications. Considering these findings, the authors emphasize the importance of a nuanced approach to the design of mobile security notifications, advocating for a balance between fear-inducing content and minimally intrusive delivery mechanisms.
Ultimately, the authors find that the design of security notifications can encourage or undermine protective security actions.