Examining the Continuance of Secure Behavior: A Longitudinal Field Study of Mobile Device Authentication

It is not enough to get information technology (IT) users to adopt a secure behavior. They must also continue to behave securely. Positive outcomes of secure behavior may encourage the continuance of that behavior, whereas negative outcomes may lead users to adopt less-secure behaviors. For example, in the context of authentication, login success rates may determine whether users continue to use a strong credential or switch to less secure behaviors (e.g., storing a credential or changing to a weaker, albeit easier to successfully enter, credential). Authentication is a particularly interesting security behavior for information systems researchers to study because it is affected by an IT artifact (the design of the user interface). Laptops and desktop computers use full-size physical keyboards. However, users are increasingly adopting mobile devices, which provide either miniature physical keypads or touchscreens for entering authentication credentials. The difference in interface design affects the ease of correctly entering authentication credentials. Thus, the move to use of mobile devices to access systems provides an opportunity to study the effects of the user interface on authentication behaviors. We extend existing process models of secure behaviors to explain what influences their (dis)continuance. We conduct a longitudinal field experiment to test our predictions and find that the user interface does affect login success rates. In turn, poor performance (login failures) leads to discontinuance of a secure behavior and the adoption of less-secure behaviors. In summary, we find that a process model reveals important insights about how the IT artifact leads people to (dis)continue secure behaviors.

[1]  F. Bookstein,et al.  Two Structural Equation Models: LISREL and PLS Applied to Consumer Exit-Voice Theory , 1982 .

[2]  Anol Bhattacherjee,et al.  Understanding Information Systems Continuance: An Expectation-Confirmation Model , 2001, MIS Q..

[3]  Sebastian Möller,et al.  On the need for different security methods on mobile phones , 2011, Mobile HCI.

[4]  Younghwa Lee,et al.  Threat or coping appraisal: determinants of SMB executives’ decision to adopt anti-malware software , 2009, Eur. J. Inf. Syst..

[5]  Helmut Schneider,et al.  The domino effect of password reuse , 2004, CACM.

[6]  S. P. Singh Gamification: A Strategic Tool for Organizational Effectiveness , 2012 .

[7]  M. Rand,et al.  National Crime Victimization Survey: Stalking Victimization in the United States , 2009 .

[8]  S. Chaiken,et al.  Personality and Social Psychology Bulle- Tin Chen, Bargh / Consequences of Automatic Evaluation Immediate Behavioral Predispositions to Approach or Avoid the Stimulus , 2022 .

[9]  Qing Hu,et al.  The Centrality of Awareness in the Formation of User Behavioral Intention toward Protective Information Technologies , 2007, J. Assoc. Inf. Syst..

[10]  Nasir D. Memon,et al.  PassPoints: Design and longitudinal evaluation of a graphical password system , 2005, Int. J. Hum. Comput. Stud..

[11]  C. Lévi-Strauss,et al.  Experimental investigation , 2013 .

[12]  Moez Limayem,et al.  How Habit Limits the Predictive Power of Intention: The Case of Information Systems Continuance , 2007, MIS Q..

[13]  Benjamin B. M. Shao,et al.  A Behavioral Analysis of Passphrase Design and Effectiveness , 2009, J. Assoc. Inf. Syst..

[14]  Sebastian Deterding,et al.  Gamification: designing for motivation , 2012, INTR.

[15]  Peter A. Todd,et al.  Understanding Information Technology Usage: A Test of Competing Models , 1995, Inf. Syst. Res..

[16]  Balbir S. Barn,et al.  Young People and Smart Phones: An Empirical Study on Information Security , 2014, 2014 47th Hawaii International Conference on System Sciences.

[17]  Jaehyun Park,et al.  Touch key design for target selection on a mobile phone , 2008, Mobile HCI.

[18]  James B. Hunt,et al.  The Protection Motivation Model: A Normative Model of Fear Appeals: , 1991 .

[19]  Anol Bhattacherjee,et al.  Understanding Changes in Belief and Attitude Toward Information Technology Usage: A Theoretical Model and Longitudinal Test , 2004, MIS Q..

[20]  Kar Yan Tam,et al.  Understanding Continued Information Technology Usage Behavior: A Comparison of Three Models in the Context of Mobile Internet , 2006, Decis. Support Syst..

[21]  R. W. Rogers,et al.  A Protection Motivation Theory of Fear Appeals and Attitude Change1. , 1975, The Journal of psychology.

[22]  M. Angela Sasse,et al.  Users are not the enemy , 1999, CACM.

[23]  Steven Furnell,et al.  Authentication of users on mobile telephones - A survey of attitudes and practices , 2005, Comput. Secur..

[24]  Edwin M Robertson,et al.  Off-Line Processing: Reciprocal Interactions between Declarative and Procedural Memories , 2007, The Journal of Neuroscience.

[25]  E. Robinson Cybernetics, or Control and Communication in the Animal and the Machine , 1963 .

[26]  Heeseok Lee,et al.  Antecedents of Use-Continuance in Information Systems: Toward an Inegrative View , 2008, J. Comput. Inf. Syst..

[27]  Wynne W. Chin,et al.  A Partial Least Squares Latent Variable Modeling Approach for Measuring Interaction Effects: Results from a Monte Carlo Simulation Study and an Electronic - Mail Emotion/Adoption Study , 2003, Inf. Syst. Res..

[28]  Hee-Woong Kim,et al.  A balanced thinking-feelings model of information systems continuance , 2007, Int. J. Hum. Comput. Stud..

[29]  Ana Ortiz de Guinea,et al.  Why break the habit of a lifetime? rethinking the roles of intention, habit, and emotion in continuing information technology use , 2009 .

[30]  R. Shadmehr,et al.  A Shared Resource between Declarative Memory and Motor Memory , 2010, The Journal of Neuroscience.

[31]  Celeste Lyn Paul,et al.  A Field Study of User Behavior and Perceptions in Smartcard Authentication , 2011, INTERACT.

[32]  Katelyn Y. A. McKenna,et al.  Beyond Behaviorism : On the Automaticity of Higher Mental Processes , 2001 .

[33]  Andrew Sears,et al.  Data Entry for Mobile Devices Using Soft Keyboards: Understanding the Effects of Keyboard Size and User Tasks , 2003, Int. J. Hum. Comput. Interact..

[34]  Fritz Drasgow,et al.  A Meta-Analytic Study of Social Desirability Distortion in Computer- Administered Questionnaires, Traditional Questionnaires, and Interviews , 1999 .

[35]  Viswanath Venkatesh,et al.  Expectation Confirmation in Technology Use , 2012, Inf. Syst. Res..

[36]  Viswanath Venkatesh,et al.  Consumer Acceptance and Use of Information Technology: Extending the Unified Theory of Acceptance and Use of Technology , 2012, MIS Q..

[37]  Viswanath Venkatesh,et al.  Predicting Different Conceptualizations of System Use: The Competing Roles of Behavioral Intention, Facilitating Conditions, and Behavioral Expectation , 2008, MIS Q..

[38]  Elena Karahanna,et al.  Time Flies When You're Having Fun: Cognitive Absorption and Beliefs About Information Technology Usage , 2000, MIS Q..

[39]  M. Ullman Contributions of memory circuits to language: the declarative/procedural model , 2004, Cognition.

[40]  Kevin Lane Keller Memory Factors in Advertising: The Effect of Advertising Retrieval Cues on Brand Evaluations , 1987 .

[41]  H. Raghav Rao,et al.  Protection motivation and deterrence: a framework for security policy compliance in organisations , 2009, Eur. J. Inf. Syst..

[42]  Robert E. Crossler,et al.  Privacy in the Digital Age: A Review of Information Privacy Research in Information Systems , 2011, MIS Q..

[43]  Moshe Zviran,et al.  Password Security: An Empirical Study , 1999, J. Manag. Inf. Syst..

[44]  M. Jakobsson Rethinking Passwords to Adapt to Constrained Keyboards , 2011 .

[45]  Yajiong Xue,et al.  Avoidance of Information Technology Threats: A Theoretical Perspective , 2009, MIS Q..

[46]  Benjamin B. M. Shao,et al.  The usability of passphrases for authentication: An empirical field study , 2007, Int. J. Hum. Comput. Stud..

[47]  Gavriel Salvendy,et al.  Factors affecting perception of information security and their impacts on IT adoption and security practices , 2011, Int. J. Hum. Comput. Stud..

[48]  Yajiong Xue,et al.  Understanding Security Behaviors in Personal Computer Usage: A Threat Avoidance Perspective , 2010, J. Assoc. Inf. Syst..

[49]  M. Ullman The Declarative/Procedural Model , 2020, Theories in Second Language Acquisition.

[50]  Jane Webster,et al.  An Investigation of Information Systems Use Patterns: Technological Events as Triggers, the Effect of Time, and Consequences for Performance , 2013, MIS Q..

[51]  Shari Trewin,et al.  Biometric authentication on a mobile device: a study of user effort, error and task disruption , 2012, ACSAC '12.

[52]  I. Bialynicki-Birula,et al.  Uncertainty relations for information entropy in wave mechanics , 1975 .

[53]  Ronald T. Cenfetelli Inhibitors and Enablers as Dual Factor Concepts in Technology Usage , 2004, J. Assoc. Inf. Syst..

[54]  John W Payne Contingent Decision Behavior: A Review and Discussion of Issues. , 1982 .

[55]  Shumin Zhai,et al.  Smart phone use by non-mobile business users , 2011, Mobile HCI.

[56]  Eliot R. Smith,et al.  Arousal, Processing, and Risk Taking: Consequences of Intergroup Anger , 2008, Personality & social psychology bulletin.

[57]  Stuart E. Schechter,et al.  Can i borrow your phone?: understanding concerns when sharing mobile phones , 2009, CHI.

[58]  A. Baddeley Working memory: theories, models, and controversies. , 2012, Annual review of psychology.

[59]  L. Squire Memory systems of the brain: A brief history and current perspective , 2004, Neurobiology of Learning and Memory.

[60]  Izak Benbasat,et al.  The Use of Information in Decision Making: An Experimental Investigation of the Impact of Computer-Based Decision Aids , 1992, MIS Q..

[61]  Ingrid E. Schneider,et al.  Geocachers: Benefits sought and environmental attitudes , 2011 .

[62]  Alan S. Brown,et al.  Generating and remembering passwords , 2004 .

[63]  Izak Benbasat,et al.  Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness , 2010, MIS Q..

[64]  Merrill Warkentin,et al.  Fear Appeals and Information Security Behaviors: An Empirical Study , 2010, MIS Q..

[65]  Detmar W. Straub,et al.  Enhancing Password Security through Interactive Fear Appeals: A Web-Based Field Experiment , 2013, 2013 46th Hawaii International Conference on System Sciences.

[66]  Detmar W. Straub,et al.  Information Technology Adoption Across Time: A Cross-Sectional Comparison of Pre-Adoption and Post-Adoption Beliefs , 1999, MIS Q..

[67]  Viswanath Venkatesh,et al.  Technology Acceptance Model 3 and a Research Agenda on Interventions , 2008, Decis. Sci..

[68]  Jack Duffy,et al.  Web Page Transformation When Switching Devices , 2004, Mobile HCI.

[69]  Dennis L. Hoffman,et al.  Marketing in Hypermedia Computer-Mediated Environments : Conceptual Foundations 1 ) , 1998 .

[70]  A. Baddeley The magical number seven: still magic after all these years? , 1994, Psychological review.

[71]  Izak Benbasat,et al.  An Experimental Investigation of the Impact of Computer Based Decision Aids on Decision Making Strategies , 1991, Inf. Syst. Res..

[72]  Shumin Zhai,et al.  The performance of touch screen soft buttons , 2009, CHI.

[73]  John W. Payne,et al.  The adaptive decision maker: Name index , 1993 .

[74]  Heng Xu,et al.  Information Privacy Research: An Interdisciplinary Review , 2011, MIS Q..

[75]  J. Yan,et al.  Password memorability and security: empirical results , 2004, IEEE Security & Privacy Magazine.

[76]  M. Angela Sasse,et al.  Making Passwords Secure and Usable , 1997, BCS HCI.

[77]  Beth H. Jones,et al.  Do Business Students Practice Smartphone Security? , 2012, J. Comput. Inf. Syst..

[78]  Ritu Agarwal,et al.  Practicing Safe Computing: A Multimedia Empirical Examination of Home Computer User Security Behavioral Intentions , 2010, MIS Q..

[79]  E. Tulving,et al.  Availability versus accessibility of information in memory for words , 1966 .

[80]  Clara E. Bussenius,et al.  Memory : A Contribution to Experimental Psychology , 2017 .

[81]  C. Carver,et al.  Control theory: a useful conceptual framework for personality-social, clinical, and health psychology. , 1982, Psychological bulletin.

[82]  Izak Benbasat,et al.  Evaluating the Impact of DSS, Cognitive Effort, and Incentives on Strategy Selection , 1999, Inf. Syst. Res..

[83]  Irene Woon,et al.  A Protection Motivation Theory Approach to Home Wireless Security , 2005, ICIS.

[84]  J. Bargh,et al.  The automated will: nonconscious activation and pursuit of behavioral goals. , 2001, Journal of personality and social psychology.

[85]  L. Squire Mechanisms of memory. , 1986, Lancet.

[86]  Tom L. Roberts,et al.  Proposing the online community self-disclosure model: the case of working professionals in France and the U.K. who use online communities , 2010, Eur. J. Inf. Syst..

[87]  K. A. Ericsson,et al.  Long-term working memory. , 1995, Psychological review.