K Shane Reeves and Jeffrey Jenkins, Information Systems
Finding ways to help people behave securely is of great value and importance to companies worldwide. Policies are often created to help enforce secure behavior; however, policies are not always followed, even if they seem simple and clear.
To further promote secure behavior, our research focuses on the phenomenon known as dual-task interference. Dual-task interference explains why individuals may struggle to perform two or more tasks at the same time (Pashler 1994). A common form of dual-tasking is texting while driving. For instance, many people may say that their driving performance remains the same while texting, but in reality, performance in one activity, the other, or both is negatively affected.
In order to objectively measure people’s true performance while dual-tasking, we also gathered measurements from users’ computer mouse movements. People will often say they performed one way when in reality they performed differently. Using software that Jeffrey Jenkins and his associates created, we can track users’ performance compared to the ideal path. The mousing data collected in the study is still under further analysis.
We hypothesize that performing security-related activities simultaneously with other activities will result in lower secure behavior than performing security-related activities alone. The following sections describe our methods, results, discussion and conclusion.
To explore how dual-task interference influences security behaviors that are performed simultaneously with other activities, a controlled experiment was designed in a phishing setting. A phishing context was chosen because checking for phishing messages is an activity that is frequently done while performing other tasks (e.g., reading and responding to legitimate emails). Over one hundred people volunteered for this study. Prior to the experiment, all participants were given the following scenario and were asked to adhere to its instructions:
“Role play that you are an assistant for Cameron Scott. Cameron Scott is a manager at Front Solutions, Inc. Among Cameron’s numerous duties, he is responsible for requesting / receiving financial information from the various departments at FrontSolutions Inc., compiling financial reports, sending those reports to the CFO, and attending various meetings. All of his responsibilities are accomplished via email. He uses a company email address for receiving financial information, sending reports, and scheduling meetings. There are also times when he uses his company email for personal use. Currently, Cameron is expecting emails containing financial information (either attached to an email or embedded in an email) from 6 product division managers at FrontSolutions.”
Participants were then randomly assigned to one of two conditions: a) a low dual-task interference condition or b) a high dual-task interference condition.
Low dual-task interference condition: In the low dual-task interference condition, participants were told that their only task as Cameron’s assistant was to log into his email account to identify and delete any phishing emails. They were also warned not to delete any legitimate emails so that Cameron could review them later.
High dual-task interference condition: In the high dual-task interference condition, participants were told that they had two tasks. First, they were told to log in to Cameron’s email account and fill out a financial summary sheet using information contained in the emails from the six product divisions (described in the general description). A template for a financial summary sheet was provided to the participants, which asked them to record the number of sales, total revenue, total costs, and then calculate the net revenue (revenue – costs) for each division. Second, they were asked to identify and delete any phishing emails in Cameron’s email account. They were also warned not to delete any legitimate emails so that Cameron could review them later.
Emails: After receiving their instructions, all participants were guided to a live online email account that was created specifically for this experiment. The inbox contained 40 emails. Six of the emails were from the product division managers, 14 were phishing emails, and 20 were random (non-phishing) emails.
The analysis explored whether the group with low dual-task interference had higher phishing detection accuracy than the group with high dual-task interference. Of the 125 people who started our survey, only 98 completed it (our results are limited to the 98 who completed the full survey). The results show that there was no significant difference between the low dual-task interference group and the high dual-task interference group. In fact, those in the high dual-task group scored higher on average than those in the low dual-task group, though not by much. Although we captured the mouse movement data, we were unable to analyze the influence of dual-tasking on secure behavior because of time constraints.
Our research answers the following question: How does dual-task interference influence a person’s secure behavior? We hypothesize that performing security-related activities simultaneously with other activities will result in lower secure behavior than performing security-related activities alone. Results were unsupportive of our hypothesis.
Although our results were not statistically significant in this study, our research provides grounds for future experiments dealing with secure user behavior and dual-task interference. We suggest further investigation into why users with high dual-task interference would tend to score higher than those with low dual-task interference, and into whether this holds true with a more representative sample of participants. Our participants were all BYU undergraduate students, which does not represent a true firm out in the business world. Performing a similar experiment with a real business firm would prove to be beneficial.