Security Amnesia: Why Episodic Memory and the Doorway Effect Make Zero Trust Hard

Jun 10, 2025

This is a personal blog and all content herein is my personal opinion and not that of my employer.



Introduction

We spend millions securing systems and training people – and yet we still fall for the same attacks. Phishing, reusing passwords, skipping MFA. Why?

This post isn’t about flaws in policy or tooling (though they matter). It’s about the human operating system – specifically, how episodic memory and something called the doorway effect might help explain why even security-aware users keep making bad decisions.

Spoiler: it’s not that users are lazy. It’s that their brains are working exactly as designed.


What Is the Doorway Effect?

The doorway effect refers to a well-known psychological phenomenon: you walk into a room and forget why you went there.

Research suggests that crossing a spatial or contextual boundary causes your brain to segment memory – an “event boundary” – offloading the previous context to prioritize what’s next. Even in virtual environments, people recall less after transitioning between “rooms.”

The effect isn’t universally strong – replication is mixed – but it’s part of a broader truth: context shifts disrupt memory.


Episodic Memory and Context Switching

Episodic memory is how we remember events: tied to time, place, and situation. It’s flexible and efficient, but not persistent. When context changes – app switch, device change, time passing – our brain de-prioritizes the old mental state.

This is usually helpful. In cybersecurity, it’s dangerous.


How This Relates to Cybersecurity

The Illusion of a “Fresh Start”

You switch from your laptop to your phone. From Outlook to Teams. From office Wi-Fi to a VPN.

Your brain treats each shift as a new “scene” – and sheds old assumptions. But security risks don’t care about scenes.

Attackers love this gap:

  • People trust “new” devices or tabs as if risks reset.
  • They reuse credentials across contexts.
  • They skip checks they’d do in a security training lab.

Fragile Security Intentions

Ever taken a great security course… and then clicked a sketchy link an hour later?

You didn’t forget what you learned – your brain just parked it. The intention to “be cautious” was tied to the context of the training, not your inbox during a hectic day.

Why Zero Trust Feels Wrong

Zero Trust says: verify constantly.
Your brain says: we’ve already trusted this.

Zero Trust feels unnatural to users because it conflicts with how human memory works. We assume continuity of safety unless reminded otherwise.

This doesn’t mean Zero Trust is flawed – it just means it has to fight our defaults.


Clarifying the Limits of the Analogy

A quick reality check:

  • This post isn’t claiming episodic memory causes security breaches.
  • It’s not saying the doorway effect is a deterministic model.
  • And it’s definitely not suggesting psychology replaces technical controls.

What it does say is that our brains create friction with security expectations. That friction explains why enforcement, automation, and user-aware design matter so much.


Design Lessons and Practical Takeaways

So what can we learn from this?

  • Re-auth on context shifts
    Revalidate identity when the user changes device, location, or behaviour pattern.

  • Make trust state visible
    Surface when/where trust was last established: “Session verified at 14:05”.

  • Don’t depend on memory
    Automate where possible. Users won’t remember what they were supposed to do.

  • Persistent visual cues
    Use banners, colors, or headers to remind users of session context and sensitivity.

  • Vary training environments
    Simulate phishing and risk in diverse, real-world contexts. Not just static LMS modules.
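One way to put the first two takeaways into code, as an added example that is not from the post: a small session policy that treats a device or network change (or a stale verification) as an event boundary requiring re-authentication, and renders the "Session verified at 14:05" style banner. The class and function names, the 30-minute window and the sample events are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_VERIFICATION_AGE = timedelta(minutes=30)  # assumed policy knob, not from the post

@dataclass(frozen=True)
class Context:
    device: str   # e.g. "laptop-01", "phone-01"
    network: str  # e.g. "office-wifi", "vpn"

@dataclass(frozen=True)
class Session:
    user: str
    context: Context
    verified_at: datetime  # when identity was last positively verified

def reauth_reasons(session: Session, ctx: Context, now: datetime) -> list[str]:
    """Event boundaries that invalidate the trust state; empty means still covered."""
    reasons = []
    if ctx.device != session.context.device:
        reasons.append(f"device changed {session.context.device} -> {ctx.device}")
    if ctx.network != session.context.network:
        reasons.append(f"network changed {session.context.network} -> {ctx.network}")
    if now - session.verified_at > MAX_VERIFICATION_AGE:
        reasons.append("verification older than 30 minutes")
    return reasons

def trust_banner(session: Session) -> str:
    """Persistent cue: when and where trust was last established."""
    return (f"Session verified at {session.verified_at:%H:%M} on "
            f"{session.context.device} via {session.context.network}")

def handle_request(session: Session, ctx: Context, now: datetime) -> tuple[str, Session]:
    """One request -> (decision, session afterwards). A real system would run MFA on a
    boundary; here re-verification is assumed to succeed and re-anchors trust to now."""
    reasons = reauth_reasons(session, ctx, now)
    if not reasons:
        return "allow", session
    return "reauth: " + "; ".join(reasons), Session(session.user, ctx, now)

def run_scenario() -> list[tuple[str, str]]:
    """Constructed sample: sign in on the laptop, hop to the phone, later join the VPN."""
    t0 = datetime(2025, 6, 10, 14, 5)
    s, out = Session("alice", Context("laptop-01", "office-wifi"), t0), []
    for minutes, ctx in [(2, Context("laptop-01", "office-wifi")),
                         (5, Context("phone-01", "office-wifi")),
                         (50, Context("phone-01", "vpn"))]:
        decision, s = handle_request(s, ctx, t0 + timedelta(minutes=minutes))
        out.append((decision, trust_banner(s)))
    return out
```

Calling `run_scenario()` allows the request at t+2m, demands re-auth for the laptop-to-phone hop at t+5m, and at t+50m flags both the network change and the stale verification, with the banner re-anchored to each new context.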


Conclusion

Our memory is good at living, not at securing.
It forgets intentions. It assumes safety. It resets when the context changes – even if the risks haven’t.

That’s not failure. That’s how it’s designed.

And that’s why effective cybersecurity requires more than just awareness. It requires systems that remember when we forget, and practices that don’t rely on perfect memory.

Design accordingly.


Thanks for reading. If this helped you think differently about cybersecurity, consider buying me a coffee over on Ko‑fi.

Comments welcome below.

