Security training programs are an important intervention to protect users and organizations against security threats. Unfortunately, users often ignore their training and engage in poor security behaviors. We explain how dual-task interference (DTI) is a primary cause of security training disregard. DTI is a cognitive limitation wherein humans cannot perform more than one task simultaneously without experiencing a deterioration of performance. In our context, we hypothesize how prompting users to perform security behaviors during high-DTI times may derail one’s previous security training, resulting in less secure behaviors. We test our hypotheses in an experiment that compares users’ adherence to security training during low-DTI and high-DTI times in a realistic context. We found that performing security behaviors during low-DTI times increased adherence to prior security training by 31% compared to performing behaviors during high-DTI times. The results have implications for using DTI as a theoretical framework for understanding security behaviors, prompting users to perform security behaviors during times that will maximize adherence to past security training, and considering humans’ neurological limitations when designing security training and intervention programs.
Jenkins, Jeffrey L.; Anderson, Bonnie; Vance, Anthony Osborn; and Jensen, Scott, "WHEN TRAINING GETS TRUMPED: HOW DUAL-TASK INTERFERENCE INHIBITS SECURITY TRAINING" (2016). Research Papers. 163.