Short Paper: Quantifying the Disruption to User Goals from Authentication Events Graeme Jenkinson 1 and Maria Blakemore 2 1 University of Cambridge Computer Laboratory, Cambridge, UK graeme.jenkinson@cl.cam.ac.uk 2 maria.p.blakemore@gmail.com Abstract. The degree to which security actions disrupt the user’s end goal is not currently well understood. Without a clear framework for reasoning about the full impact of security controls, system designers regularly impose security that reduces productivity to such an extent that users simply abandon their goals. Building on established results from experimental psychology, our exploratory results show that inter- rupting a user’s task with an authentication event introduces a large, but relatively short lived, impact. Characterising the disruption of secu- rity controls is the first step in providing system designers with a new generation of tools that allow them to reason about the impact of their decisions on end users. 1 Introduction The impact of a given security measure, such as entering a password, is not absolute: it is instead a function of when it occurs in the user’s workflow, on what functions of the brain it loads and on what else the user was meant to be doing before and after [3]. When a person switches from one task to another task, the brain must re- organize and reallocate cognitive resources to ensure an efficient transition [5]. Transitioning from a task that primarily uses resource A to a task that primarily uses resource B (instead of continuing to use resource A) results in performance deficits, or switch costs. Experimental psychology has uncovered certain princi- ples that govern these transitions. These so-called switch cost asymmetries have been shown to occur, or not, depending on other characteristics of the tasks involved. In this paper we make steps towards quantifying the switching costs when authenticating: – We provide exploratory results that quantify the effect size of task interrup- tion from user authentication. 2 Study Our study was conducted to quantify the effect size of task interruption by authentication events. The study was approved by the Ethics Committee of the Computer Laboratory, University of Cambridge. In submission Passwords 2016