What 4,500+ People Can Tell You - Employees' Attitudes Toward Organizational Password Policy Do Matter

Organizations establish policies on how employees should generate, maintain, and use passwords to authenticate and gain access to the organization's information systems. This paper focuses on employees' attitudes toward organizational password policies and examines their impact on work-related password activities that have security implications. We conducted a large-scale survey of 4,573 respondents to investigate the relationships between organizational password policies and employees' password behaviors. The key finding of this study is that employees' attitudes toward the rationale behind cybersecurity policies have a statistically significant relationship with their password behaviors and experiences. Positive attitudes are related to more secure behaviors, such as choosing stronger passwords and writing down passwords less often, to less frustration with authentication procedures, and to a better understanding of and respect for the importance of protecting passwords and system security. We propose future research on promoting positive employee attitudes toward organizational security policy, which could facilitate the balance between security and usability.
