Persuasive password security

Users of password-protected systems have to be persuaded to follow certain rules if those systems are to stay secure. This paper reports the results of a first study of the mental models, metaphors, attitudes and skills users hold with respect to password mechanisms. It shows that users are currently not motivated to adopt sound password practices: they do not believe that they can ultimately stop somebody from getting into the system, nor that somebody getting in could cause them any serious personal harm. We recommend a novel approach to the design of training and online support, based on an appropriate use of fear appeals.
