User errors while performing security-critical tasks can lead to undesirable
or even disastrous consequences. One major factor influencing mistakes and
failures is complexity of such tasks, which has been studied extensively in
prior research. Another important issue which hardly received any attention is
the impact of both accidental and intended distractions on users performing
security-critical tasks. In particular, it is unclear whether, and to what
extent, unexpected sensory cues (e.g., auditory or visual) can influence user
behavior and/or trigger mistakes. Better understanding of the effects of
intended distractions will help clarify their role in adversarial models. As
part of the research effort described in this paper, we administered a range of
naturally occurring -- yet unexpected -- sounds while study participants
attempted to perform a security-critical task. We found that, although these
auditory cues lowered participants' failure rates, they had no discernible
effect on their task completion times. To this end, we overview some relevant
literature that explains these somewhat counter-intuitive findings.
Conducting a thorough and meaningful study on user errors requires a large
number of participants, since errors are typically infrequent and should not be
instigated more than once per subject. To reduce the effort of running numerous
subjects, we developed a novel experimental setup that was fully automated and
unattended. We discuss our experience with this setup and highlight the pros
and cons of generalizing its usage.