Quantifying The Effect Of Cognitive Bias On Security Decision-Making For Authentication Methods

ADVANCES IN BRAIN INSPIRED COGNITIVE SYSTEMS (2020)

Abstract
The main challenge that can impact the effectiveness of authentication mechanisms is human error (unintentional threats). Irrational judgment associated with human error is often linked to a unique attribute called cognitive bias (CB). CB is a tendency to think irrationally in certain situations and make irrational judgments. The appearance of CB in human decisions is considered one of the implications of system usability. In the security field, usability is recognized as one of the main issues that affect an individual's security decisions. Clearly, security decision-making is a result of three overlapping factors: security, usability and CB. In this paper, we quantify security decision-making by providing a holistic view of how these factors affect the security decision. For this purpose, an experiment was conducted involving 54 participants who performed multiple security tasks related to authentication. An eye-tracking machine was used to record cognitive measurements that were used for decision analysis. A Multi-Criteria Decision Analysis (MCDA) approach was then used to evaluate the participants' decisions. The results showed that participants' security decisions vary depending on the authentication method. For instance, the picture type was the authentication method least influenced by CB. Low system usability is one of the major causes of CB in decisions. This was not the case for the picture password method. The different levels of usability associated with the picture method resulted in a low impact of CB on participants' security decisions. This finding points to investigating how picture-based authentication methods are capable of handling the issue of CB.
Keywords
Security, Usability, Human error, Decision, Authentication, MCDM, Cognitive bias