It is not as simple as that: Playing out password security trainings in order to nudge password changes

The COVID-19 pandemic forced many companies to move their staff to working from home. For security awareness measures, this means that content or training can only be played out remotely. In this work, we report on a security awareness campaign focusing on password security that was carried out at a German mid-size company (2000 employees). We compare the effect of remotely played out training content on user behavior, i.e., on getting employees to change their password. The first content was embedded directly into an e-mail, the second was compiled on an intranet web page, and the third was embedded into a video. Password changes were observed solely in the IT backend, based on the events and timestamps generated by the company's Active Directory service. For the campaign, four representative samples (140 employees per sample) were selected from the staff; three were assigned to the different training contents and the fourth served as a control group. Over a period of 6 weeks, the content was played out twice. Unexpectedly, the measured password change rate was very low. Furthermore, compared to the control group's behavior, none of the content formats led to significantly more password changes. Clearly, the campaign failed to achieve its aim. Based on our observations, we offer several possible explanations for which there is some evidence in the literature.
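How a backend-only measurement of this kind can be scripted, as an added example that is not part of the paper: the event IDs (Windows Security log 4723/4724), the cohort assignment, the 6-week window and the event records are all constructed assumptions; the paper does not state which events or statistics it used.

```python
from datetime import datetime
import math

# Windows Security log IDs for a password change (4723) and an administrative
# reset (4724). Assumed here; the paper does not name the event IDs it relied on.
PASSWORD_EVENT_IDS = {4723, 4724}

# Constructed sample of (timestamp, event_id, account) records as exported from AD.
EVENTS = [
    ("2020-11-02T09:15:00", 4723, "u01"),
    ("2020-11-03T11:40:00", 4724, "u02"),  # admin reset still counts as a change
    ("2020-11-10T08:05:00", 4723, "u01"),  # second change by the same account
    ("2020-10-20T10:00:00", 4723, "u03"),  # before the campaign window: ignored
    ("2020-11-05T14:30:00", 4723, "u05"),
    ("2020-11-06T16:00:00", 4625, "u04"),  # failed logon, not a password change
    ("2020-12-20T16:00:00", 4723, "u06"),  # after the campaign window: ignored
]
# Constructed cohort assignment (the paper used 140 accounts per group).
GROUPS = {
    "email":    {"u01", "u02", "u03"},
    "intranet": {"u04", "u05"},
    "video":    {"u06", "u07"},
    "control":  {"u08", "u09", "u10"},
}
# Constructed 6-week campaign window, end exclusive.
CAMPAIGN = (datetime(2020, 11, 1), datetime(2020, 12, 13))

def changers_per_group(events, groups, window):
    """Distinct accounts per group with at least one password change in the window."""
    start, end = window
    changed = set()
    for ts, eid, acct in events:
        if eid in PASSWORD_EVENT_IDS and start <= datetime.fromisoformat(ts) < end:
            changed.add(acct)
    return {g: changed & members for g, members in groups.items()}

def change_rate(groups, changers):
    """Fraction of each cohort that changed its password during the window."""
    return {g: len(changers[g]) / len(members) for g, members in groups.items()}

def chi_square_vs_control(groups, changers, treatment, control="control"):
    """2x2 chi-square test (1 d.f.), changed vs. not changed, treatment vs. control.
    Returns (statistic, p_value); p via the 1-d.f. survival function erfc(sqrt(x/2))."""
    a = len(changers[treatment]); b = len(groups[treatment]) - a
    c = len(changers[control]);   d = len(groups[control]) - c
    n = a + b + c + d
    denom = (a + b) * (c + d) * (a + c) * (b + d)
    if denom == 0:  # an empty row or column: no evidence either way
        return 0.0, 1.0
    stat = n * (a * d - b * c) ** 2 / denom
    return stat, math.erfc(math.sqrt(stat / 2))
```

With 140 accounts per group and a low overall change rate, the same test shows how many extra changes a format would need before its difference from the control group stops looking like noise.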