Neuro-physiological Underpinnings of User-centered Security

This study investigated user-centered security by focusing on the human neuro-physiology governing the processing of security tasks. This research introduces a new methodology for studying neuro-physiological patterns governing users’ performance and behavior with respect to user-centered security tasks. Study results demonstrate that users do not spend enough time analyzing key phishing indicators and often fail at detecting these attacks. In the malware warning tasks, in contrast, the research shows that users are frequently reading, possibly comprehending, and eventually heeding the message embedded in the warning. By incorporating state-of-the-art neuroimaging techniques and eye-tracking technology to study gaze patterns and gaze dynamics, this research provides unique, root-level insights into user-centered security. The researcher identifies neural markers and eye movement patterns that might be controlling and defining users’ performance in security tasks and establishes relationships between neural activity, gaze patterns, and task performance. The researcher shows that users exhibit significant brain activity in key regions associated with decision-making, attention, and problem-solving (phishing attacks, and malware warnings) as well as language comprehension and reading (malware warnings). The researcher conducts an fNIRS study to test whether the neural activities are different when users are listening to the voices of original and fake speakers. The study demonstrates that certain individual traits, such as impulsivity measured via an established questionnaire, can have a significant negative effect on brain activation in the security tasks. This research also shows that users’ behavior in one task may potentially be predicted by their behavior in the other task. Finally, the researcher discusses the broader impacts and implications of the work on the field of user-centered security.