Rational security: Modelling everyday password use

To inform the design of security policy, task models of password behaviour were constructed for three different user groups: Computer Scientists, Administrative Staff and Students. These models identified the internal and external constraints on user behaviour and the goals for password use within each group. Data were drawn from interviews and diaries of password use. Analyses indicated that password security was positively correlated with the sensitivity of the task, that differences in the frequency of password use were related to password security, and that patterns of password reuse were related to knowledge of security. Modelling revealed that Computer Scientists viewed information security as part of their tasks, and that passwords provided a way of completing their work. By contrast, the Admin and Student groups viewed passwords as a cost incurred when accessing the primary task. Differences between the models were related to differences in password security and were used to derive six recommendations for security officers to consider when setting password policy.
