
Neuroscience Explains Why We Get Hacked So Easily

A study of how the brain reacts to security alerts led Google to test a new way to warn people that their computers may have been infected with malware.
February 2, 2017
MRI brain scans reveal the way we perceive, or simply ignore, security warnings.

Companies spend nearly $100 billion on securing computers each year, yet incidents such as ransomware crippling hospitals and personal data leaking online remain common. Anthony Vance thinks that defensive measures could be more effective if we paid more attention to the hardware between our ears.

“Security professionals need to worry not only about attackers but the neurobiology of their users,” said Vance, an associate professor at Brigham Young University, this week at the Enigma security conference in Oakland, California. His lab uses functional MRI scans of people’s brains to reveal the unconscious mechanisms behind the way they perceive—or ignore—security warnings.

One of Vance’s studies led him to collaborate with Google on tests of a new approach to displaying security warnings in the Chrome Web browser that people were less likely to dismiss offhand. Vance says Google's engineers told him they plan to add the feature to an upcoming version of Chrome. Google did not respond to a request for confirmation of when it would be added.

Daniela Oliveira, an associate professor at the University of Florida, says such research can help suggest ways to refine the usability of security tools and features—an area many researchers say the industry has tended to overlook. Incidents ranging from common malware infections to high-profile breaches like the DNC one that exposed John Podesta’s e-mails often involve a person making a hasty decision about a warning message or strange e-mail.

Multitasking is partly to blame. Vance’s collaboration with Google grew out of experiments that showed when people reacted to security warnings while also performing another task, brain activity in areas associated with fully engaging with a warning was significantly reduced. Under those conditions, people were three times less likely to correctly interpret a message.

Vance’s lab teamed up with Google to test a version of Chrome modified to deliver warnings about a person’s computer possibly being infected by malware or adware only when they weren’t deeply engaged in something. For example, it would wait until someone finished watching a video, or was waiting for a file to download or upload, to pop up the message.

Brain scans reveal that we’re far more likely to ignore security warnings when we’re engaged in another task.

Testing showed that people using the interruption-sensitive version of Chrome ignored the message only about a third of the time, compared to about 80 percent of the time without it.

Other studies in Vance’s lab have shown that people very rapidly become habituated to security warnings—he’s shown how the brain’s response to a message drops significantly even on just the second time someone sees it.

The researchers also did follow-up experiments in which people were asked to download mobile apps that asked for alarming permissions (for example, “Can delete your photos”). By breaking the usual rules of software design and having the security-related messages change in appearance slightly each time—for example, with different colors—it was possible to reduce the habituation effect.
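The two ideas above, deferring a warning to a natural break in the user's task and varying its appearance so it never looks identical twice, as a small added model in JavaScript. This is illustration code, not code from the article, Google or Vance's lab; the activity names, the colour palette and the scenario are constructed for the demo and the engagement signals would come from real page state in a browser.

```javascript
const PALETTE = ["#b00020", "#e65100", "#1a237e", "#004d40"]; // constructed colours

class WarningScheduler {
  constructor() {
    this.queue = [];            // warnings held for a better moment
    this.shown = [];            // warnings actually presented, in order
    this.engaging = new Set();  // attention-demanding tasks, e.g. "video"
    this.waiting = new Set();   // tasks the user is idle during, e.g. "download"
    this.seq = 0;               // drives the appearance variation
  }
  // A natural break: nothing demands attention, or the user is waiting anyway.
  atNaturalBreak() { return this.engaging.size === 0 || this.waiting.size > 0; }
  startEngaging(name) { this.engaging.add(name); }
  endEngaging(name)   { this.engaging.delete(name); this.flush(); }
  startWaiting(name)  { this.waiting.add(name); this.flush(); }
  endWaiting(name)    { this.waiting.delete(name); }
  // Deliver now if the moment is right, otherwise hold the warning.
  warn(text) { this.queue.push(text); this.flush(); }
  flush() {
    while (this.queue.length > 0 && this.atNaturalBreak()) {
      this.shown.push(this.render(this.queue.shift()));
    }
  }
  // Vary colour and border each time so repeated warnings never look identical.
  render(text) {
    const i = this.seq++;
    return { text, color: PALETTE[i % PALETTE.length], border: i % 2 ? "dashed" : "solid", seq: i };
  }
}

// The scenario from the article: a warning raised mid-video is held until the
// video ends; a second one is released early because a download is pending.
function simulate() {
  const s = new WarningScheduler();
  s.startEngaging("video");
  s.warn("This computer may be infected with malware");
  const heldDuringVideo = s.shown.length;   // 0
  s.endEngaging("video");
  const shownAfterVideo = s.shown.length;   // 1
  s.startEngaging("video");
  s.warn("An extension may be injecting adware");
  s.startWaiting("download");
  const shownWhileWaiting = s.shown.length; // 2
  return { heldDuringVideo, shownAfterVideo, shownWhileWaiting, shown: s.shown };
}

console.log(JSON.stringify(simulate(), null, 2));
```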

“This shows the potential to use neuroscience to understand people’s behavior and validate new user interface designs,” said Vance. “Our security UI should be designed to be compatible with the way our brains work.”

Illustration by Rose Wong
