Neural Markers of Cybersecurity: An fMRI Study of Phishing and Malware Warnings

Cited by: 19
Authors
Neupane, Ajaya [1]
Saxena, Nitesh [1]
Maximo, Jose Omar [2]
Kana, Rajesh [2]
Affiliations
[1] Univ Alabama Birmingham, Dept Comp & Informat Sci, Birmingham, AL 35294 USA
[2] Univ Alabama Birmingham, Dept Psychol, Birmingham, AL 35294 USA
Keywords
Human factors; human computer interaction security; computer security; computer crime user interfaces; human computer interaction; ANTERIOR PREFRONTAL CORTEX; DECISION-MAKING; FUNCTIONAL MRI; DISTINCT; BRAIN; COMMUNICATION; CEREBELLUM; LANGUAGE; ANATOMY; FUTURE;
DOI
10.1109/TIFS.2016.2566265
Chinese Library Classification number
TP301 [Theory, Methods];
Discipline classification code
081202;
Abstract
The security of computer systems often relies upon decisions and actions of end users. In this paper, we set out to investigate users' susceptibility to cybercriminal attacks by concentrating on the most fundamental component governing user behavior: the human brain. We introduce a novel neuroscience-based study methodology to inform the design of user-centered security systems as it relates to cybercrime. In particular, we report on a functional magnetic resonance imaging study measuring users' security performance and underlying neural activity with respect to two critical security tasks: 1) distinguishing between a legitimate and a phishing website and 2) heeding security (malware) warnings. We identify the neural markers that might be controlling users' performance in these tasks, and establish relationships between brain activity and behavioral performance as well as between users' personality traits and security behavior. Our results provide a largely positive perspective on users' capability and performance vis-a-vis these crucial security tasks. First, we show that users exhibit significant brain activity in key regions associated with decision-making, attention, and problem-solving (phishing and malware warnings) as well as language comprehension and reading (malware warnings), which means that users are actively engaged in these security tasks. Second, we demonstrate that certain individual traits, such as impulsivity measured via an established questionnaire, are associated with a significant negative effect on brain activation in these tasks. Third, we discover a high degree of correlation in brain activity (in decision-making regions) across phishing detection and malware warnings tasks, which implies that users' behavior in one task may potentially be predicted by their behavior in the other. Fourth, we discover high functional connectivity among the core regions of the brain, while users performed the phishing detection task.
Finally, we discuss the broader impacts and implications of our work on the field of user-centered security, including the domain of security education, targeted security training, and security screening.
Pages: 1970-1983
Number of pages: 14