Cybersecurity Warnings as Safety-Relevant Learning Mechanisms: A Scoping Review of Behavioral Adaptation, Trust Calibration, and Risk Regulation
Eleonora Chiantera, Lorenzo Arciulo, Francesco Di Nocera

Cybersecurity relies heavily on warning systems to regulate user behavior under uncertainty. These warnings (ranging from browser security dialogs to phishing alerts and enterprise security notifications) do more than convey information: they may alter the conditions under which users select, avoid, verify, report, or override security-related actions. When combined with feedback, they may also contribute to calibrated reliance and safer behavior over time. However, existing research remains fragmented across usable security, human–computer interaction, and safety-related decision-making, and is largely focused on short-term outcomes. As a result, limited attention has been given to how cybersecurity warnings function as risk-control and learning mechanisms within safety-relevant socio-technical systems. This scoping review maps how empirical studies have examined cybersecurity warning systems in relation to behavioral adaptation, trust calibration, and risk regulation, and whether they assess persistence, transfer, or learning over time, identifying recurring design patterns, critical trade-offs, and structural gaps. Following PRISMA-ScR 2018 guidelines, we searched major multidisciplinary and domain-specific databases, with no time frame limits, for empirical studies that examined cybersecurity warnings in relation to learning-relevant behavioral, cognitive, or performance outcomes. Seventeen studies met the inclusion criteria; this number reflects the review’s focused conceptual scope rather than the size of the cybersecurity-warning literature as a whole. Eligible studies included experimental, quasi-experimental, field, and mixed-method designs, but no included study assessed persistence or transfer over time. Data extraction focused on warning characteristics, learning and trust mechanisms, user behavior, and security outcomes.
Across the included studies, research primarily evaluates immediate responses, such as clicks, choices, response time, and classification accuracy, whereas comprehension and corrective feedback are infrequently assessed, trust calibration is never formally measured, and persistence or transfer over time is assessed in none of the included studies. On this basis, the review proposes a learning-oriented framework for evaluating cybersecurity warnings beyond short-term compliance, emphasizing feedback, calibrated reliance, risk-regulation responses, and direct tests of maintenance and transfer over time.