A protection motivation theory approach to improving compliance with password guidelines

Usernames and passwords form the most widely used method of user authentication on the Internet. Yet, users still find compliance with password guidelines difficult. The primary objective of this research was to investigate how compliance with password guidelines and password quality can be improved. This study investigated how user perceptions of passwords and security threats affect compliance with password guidelines and explored if altering these perceptions would improve compliance. This research also examined if compliance with password guidelines can be sustained over time. This study focuses on personal security, particularly factors that influence compliance when using personal online accounts. The proposed research model is based on the Protection Motivation Theory (PMT) (Rogers, 1975, 1983), a model widely used in information systems security research. As studies have failed to consistently confirm the association between perceived vulnerability and information security practices, the model was extended to include exposure to hacking as a predictor of perceived vulnerability. Experimental research was used to test the model from two groups of Internet users, one of which received PMT based fear appeals in the form of a password security information and training exercise. To examine if password strength was improved by the fear appeals, passwords were collected. A password strength analysis tool was developed using Shannon’s (2001) formula for calculating entropy and coded in Visual Basic. Structural equation modeling was used to test the model. The proposed model explains compliance intentions moderately well, with 54% of the variance explained by the treatment model and 43% explained by the control group model. Overall, the results indicate that efficacy perceptions are a stronger predictor of compliance intentions than threat perceptions. This study identifies three variables that predict user intentions to comply with password guidelines as particularly important. These are perceived threat, perceived password effectiveness and password self-efficacy. The results show no association between perceived vulnerability to a security attack and a user’s decision to comply. The results also showed that those who are provided with password information and training are significantly more likely to comply, and create significantly stronger passwords. However, the fear appeals used in this study had no long-term effects on compliance intentions. The results on the long-term effects of password training on the participants’ ability to remember passwords were however promising. The group that received password training with a mnemonic training component was twice as likely to remember their passwords over time. The results of this research have practical implications for organizations. They highlight the need to raise the levels of concern for information systems security threats through training in order to improve compliance with security guidelines. Communicating to users what security responses are available is important; however, whether they implement them is dependent on how effective they feel the security responses are in preventing an attack. Regarding passwords, the single most important consideration by a user is whether they have the ability to create strong, memorable passwords. At the very least, users should be trained on how to create strong passwords, with emphasis on memorization strategies. This research found mnemonic password training to have some long-term effects on users’ ability to remember passwords, which is arguably one of the most vexing challenges associated with passwords. Future research should explore the extent to which the effects of PMT based information systems security communication can be maintained over time.

[1]  C. Fornell,et al.  Evaluating structural equation models with unobservable variables and measurement error. , 1981 .

[2]  K. Witte Fear control and danger control: A test of the extended parallel process model (EPPM) , 1994 .

[3]  P. Bentler,et al.  Cutoff criteria for fit indexes in covariance structure analysis : Conventional criteria versus new alternatives , 1999 .

[4]  Yajiong Xue,et al.  Avoidance of Information Technology Threats: A Theoretical Perspective , 2009, MIS Q..

[5]  I. Ajzen The theory of planned behavior , 1991 .

[6]  Anat Hovav,et al.  Applying an extended model of deterrence across cultures: An investigation of information systems misuse in the U.S. and South Korea , 2012, Inf. Manag..

[7]  Mikko T. Siponen,et al.  Motivating IS security compliance: Insights from Habit and Protection Motivation Theory , 2012, Inf. Manag..

[8]  A. Bandura Self-efficacy mechanism in human agency. , 1982 .

[9]  M. Fishbein A Reasoned Action Approach to Health Promotion , 2008, Medical decision making : an international journal of the Society for Medical Decision Making.

[10]  Jay Chen,et al.  Exploring Internet Security Perceptions and Practices in Urban Ghana , 2014, SOUPS.

[11]  S. K. Wurtele,et al.  Relative contributions of protection motivation theory components in predicting exercise intentions and behavior. , 1987, Health psychology : official journal of the Division of Health Psychology, American Psychological Association.

[12]  E. Seydel,et al.  Protection Motivation Theory , 2022 .

[13]  Younghwa Lee,et al.  Threat or coping appraisal: determinants of SMB executives’ decision to adopt anti-malware software , 2009, Eur. J. Inf. Syst..

[14]  Cism Thomas R. Peltier Cissp Implementing an Information Security Awareness Program , 2005 .

[15]  Princely Ifinedo,et al.  Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory , 2012, Comput. Secur..

[16]  K. Witte Putting the fear back into fear appeals: The extended parallel process model , 1992 .

[17]  Deborah Compeau,et al.  Computer Self-Efficacy: Development of a Measure and Initial Test , 1995, MIS Q..

[18]  Qing Hu,et al.  The Centrality of Awareness in the Formation of User Behavioral Intention toward Protective Information Technologies , 2007, J. Assoc. Inf. Syst..

[19]  Gavriel Salvendy,et al.  Perception of information security , 2010, Behav. Inf. Technol..

[20]  Scott R. Boss Control, perceived risk and information security precautions: External and internal motivations for security behavior , 2007 .

[21]  H. Leventhal,et al.  Findings and Theory in the Study of Fear Communications , 1970 .

[22]  W. R. Dillon,et al.  A simulation study to investigate the use of cutoff values for assessing model fit in covariance structure models , 2005 .

[23]  R. W. Rogers,et al.  Protection motivation and self-efficacy: A revised theory of fear appeals and attitude change , 1983 .

[24]  Fred D. Davis Perceived Usefulness, Perceived Ease of Use, and User Acceptance of Information Technology , 1989, MIS Q..

[25]  D. A. Kenny,et al.  The moderator-mediator variable distinction in social psychological research: conceptual, strategic, and statistical considerations. , 1986, Journal of personality and social psychology.

[26]  Michael K. Reiter,et al.  The security of modern password expiration: an algorithmic framework and empirical analysis , 2010, CCS '10.

[27]  Robert E. Crossler,et al.  Understanding Compliance with Bring Your Own Device Policies Utilizing Protection Motivation Theory: Bridging the Intention-Behavior Gap , 2014, J. Inf. Syst..

[28]  I. Ajzen,et al.  Attitude-behavior relations: A theoretical analysis and review of empirical research. , 1977 .

[29]  Mikko T. Siponen,et al.  Improving Employees' Compliance Through Information Systems Security Training: An Action Research Study , 2010, MIS Q..

[30]  Ray A. Perlner,et al.  Electronic Authentication Guideline , 2014 .

[31]  Sang Joon Kim,et al.  A Mathematical Theory of Communication , 2006 .

[32]  Gerjo Kok,et al.  Threatening communication: A qualitative study of fear appeal effectiveness beliefs among intervention developers, policymakers, politicians, scientists, and advertising professionals , 2013, International journal of psychology : Journal international de psychologie.

[33]  M. Angela Sasse,et al.  Users are not the enemy , 1999, CACM.

[34]  I. Rosenstock,et al.  Social Learning Theory and the Health Belief Model , 1988, Health education quarterly.

[35]  Khaled El Emam,et al.  How Strong are Passwords Used to Protect Personal Health Information in Clinical Trials? , 2011, Journal of medical Internet research.

[36]  Lujo Bauer,et al.  Encountering stronger password requirements: user attitudes and behaviors , 2010, SOUPS.

[37]  Christopher Krügel,et al.  Your botnet is my botnet: analysis of a botnet takeover , 2009, CCS.

[38]  Irving L. Janis,et al.  Effects of Fear Arousal on Attitude Change: Recent Developments in Theory and Experimental Research1 , 1967 .

[39]  Jie Zhang,et al.  Impact of perceived technical protection on security behaviors , 2009, Inf. Manag. Comput. Secur..

[40]  Dennis F. Galletta,et al.  Software Piracy in the Workplace: A Model and Empirical Test , 2003, J. Manag. Inf. Syst..

[41]  Martin C. Libicki,et al.  Markets for Cybercrime Tools and Stolen Data: Hackers' Bazaar , 2014 .

[42]  Gavriel Salvendy,et al.  Factors affecting perception of information security and their impacts on IT adoption and security practices , 2011, Int. J. Hum. Comput. Stud..

[43]  B. Byrne Testing for multigroup equivalence of a measuring instrument: a walk through the process. , 2008, Psicothema.

[44]  P. Sheeran,et al.  Prediction and Intervention in Health-Related Behavior: A Meta-Analytic Review of Protection Motivation Theory , 2000 .

[45]  L. T. DeCarlo On the meaning and use of kurtosis. , 1997 .

[46]  Irene Woon,et al.  A Protection Motivation Theory Approach to Home Wireless Security , 2005, ICIS.

[47]  Merrill Warkentin,et al.  The Influence of Perceived Source Credibility on End User Attitudes and Intentions to Comply with Recommended IT Actions , 2010, J. Organ. End User Comput..

[48]  William C. McDowell,et al.  Am I Really at Risk? Determinants of Online Users' Intentions to Use Strong Passwords , 2009 .

[49]  B. Verplanken,et al.  Reflections on past behavior: A self-report index of habit strength , 2003 .

[50]  N D Weinstein,et al.  Why it won't happen to me: perceptions of risk factors and susceptibility. , 1984, Health psychology : official journal of the Division of Health Psychology, American Psychological Association.

[51]  Steven Hernandez Cissp Official (ISC)2 Guide to the CISSP CBK , 2012 .

[52]  Sacha Brostoff,et al.  Transforming the ‘Weakest Link’ — a Human/Computer Interaction Approach to Usable and Effective Security , 2001 .

[53]  I. Ajzen Martin Fishbein’s Legacy , 2012 .

[54]  Joseph A. Cazier,et al.  Password Security: An Empirical Investigation into E-Commerce Passwords and Their Crack Times , 2006, Inf. Secur. J. A Glob. Perspect..

[55]  Steven Furnell,et al.  Assessing the security perceptions of personal Internet users , 2007, Comput. Secur..

[56]  M. Angela Sasse,et al.  Making Passwords Secure and Usable , 1997, BCS HCI.

[57]  Atreyi Kankanhalli,et al.  Studying users' computer security behavior: A health belief perspective , 2009, Decis. Support Syst..

[58]  Rex B. Kline,et al.  Principles and Practice of Structural Equation Modeling , 1998 .

[59]  N D Weinstein,et al.  Perceived probability, perceived severity, and health-protective behavior. , 2000, Health psychology : official journal of the Division of Health Psychology, American Psychological Association.

[60]  Moshe Zviran,et al.  A Comparison of Password Techniques for Multilevel Authentication Mechanisms , 1990, Comput. J..

[61]  Merrill Warkentin,et al.  Fear Appeals and Information Security Behaviors: An Empirical Study , 2010, MIS Q..

[62]  Vicki S Conn,et al.  Meta-analysis research. , 2004, Journal of vascular nursing : official publication of the Society for Peripheral Vascular Nursing.

[63]  A. Boomsma,et al.  The robustness of LISREL modeling revisted. , 2001 .

[64]  Duncan Cramer,et al.  The Sage dictionary of statistics : a practical resource for students in the social sciences , 2004 .

[65]  Robert E. Crossler,et al.  Protection Motivation Theory: Understanding Determinants to Backing Up Personal Data , 2010, 2010 43rd Hawaii International Conference on System Sciences.

[66]  Blase Ur,et al.  Correct horse battery staple: exploring the usability of system-assigned passphrases , 2012, SOUPS.

[67]  Detmar W. Straub,et al.  Security lapses and the omission of information security measures: A threat control model and empirical test , 2008, Comput. Hum. Behav..

[68]  Lauren I. Labrecque,et al.  Toward an Understanding of the Online Consumer's Risky Behavior and Protection Practices , 2009 .

[69]  Bradford W Hesse,et al.  Use of the Internet to Communicate with Health Care Providers in the United States: Estimates from the 2003 and 2005 Health Information National Trends Surveys (HINTS) , 2007, Journal of medical Internet research.

[70]  Cheng-Chi Lee,et al.  Password Authentication Schemes: Current Status and Key Issues , 2006, Int. J. Netw. Secur..

[71]  Michael K. Reiter,et al.  The Design and Analysis of Graphical Passwords , 1999, USENIX Security Symposium.

[72]  Birgy Lorenz,et al.  "The Four Most-Used Passwords Are Love, Sex, Secret, and God": Password Security and Training in Different User Groups , 2013, HCI.

[73]  Tom L. Roberts,et al.  Motivating the Insider to Protect Organizational Information Assets: Evidence from Protection Motivation Theory and Rival Explanations , 2011 .

[74]  James C. Anderson,et al.  STRUCTURAL EQUATION MODELING IN PRACTICE: A REVIEW AND RECOMMENDED TWO-STEP APPROACH , 1988 .

[75]  Wesley G. Skogan,et al.  Coping With Crime: Individual and Neighborhood Reactions , 1981 .

[76]  P. Bentler,et al.  Fit indices in covariance structure modeling : Sensitivity to underparameterized model misspecification , 1998 .

[77]  Dominic Abrams,et al.  Exploring teenagers' adaptive and maladaptive thinking in relation to the threat of hiv infection. , 1994, Psychology & health.

[78]  Moshe Zviran,et al.  Password Security: An Empirical Study , 1999, J. Manag. Inf. Syst..

[79]  R. W. Rogers,et al.  A Protection Motivation Theory of Fear Appeals and Attitude Change1. , 1975, The Journal of psychology.

[80]  D. C. Howell Statistical Methods for Psychology , 1987 .

[81]  R. W. Rogers,et al.  Protection Motivation Theory and preventive health: beyond the Health Belief Model , 1986 .

[82]  M. Fishbein,et al.  The Role of Theory in Developing Effective Health Communications , 2006 .

[83]  R. Ryan,et al.  Control and information in the intrapersonal sphere: An extension of cognitive evaluation theory. , 1982 .

[84]  Mikko T. Siponen,et al.  Toward a New Meta-Theory for Designing Information Systems (IS) Security Training Approaches , 2011, J. Assoc. Inf. Syst..

[85]  Sudhir Aggarwal,et al.  Testing metrics for password creation policies by attacking large sets of revealed passwords , 2010, CCS '10.

[86]  A. Boomsma Reporting Analyses of Covariance Structures , 2000 .

[87]  Michael R. Mullen,et al.  Structural equation modelling: guidelines for determining model fit , 2008 .

[88]  Yajiong Xue,et al.  Understanding Security Behaviors in Personal Computer Usage: A Threat Avoidance Perspective , 2010, J. Assoc. Inf. Syst..

[89]  S. Mulaik,et al.  EVALUATION OF GOODNESS-OF-FIT INDICES FOR STRUCTURAL EQUATION MODELS , 1989 .

[90]  H. Raghav Rao,et al.  Protection motivation and deterrence: a framework for security policy compliance in organisations , 2009, Eur. J. Inf. Syst..

[91]  S. Orbell,et al.  Can protection motivation theory predict behaviour? A longitudinal test exploring the role of previous behaviour , 1998 .

[92]  Karen A. Scarfone,et al.  Guide to Enterprise Password Management , 2009 .

[93]  Helmut Schneider,et al.  The domino effect of password reuse , 2004, CACM.

[94]  Jeffrey L. Jenkins,et al.  Forget the Fluff: Examining How Media Richness Influences the Impact of Information Security Training on Secure Behavior , 2012, 2012 45th Hawaii International Conference on System Sciences.

[95]  Jean Hitchings,et al.  Deficiencies of the traditional approach to information security and the requirements for a new methodology , 1995, Comput. Secur..

[96]  I. Ajzen,et al.  Understanding Attitudes and Predicting Social Behavior , 1980 .

[97]  A. Bandura Self-efficacy: toward a unifying theory of behavioral change. , 1977, Psychology Review.

[98]  Johannes Brug,et al.  Short-term efficacy of a web-based computer-tailored nutrition intervention: Main Effects and Mediators , 2005, Annals of behavioral medicine : a publication of the Society of Behavioral Medicine.

[99]  R. Plotnikoff,et al.  Protection Motivation Theory and exercise behaviour change for the prevention of heart disease in a high-risk, Australian representative community sample of adults , 2002 .

[100]  Qing Hu,et al.  Future directions for behavioral information security research , 2013, Comput. Secur..

[101]  Cormac Herley,et al.  So long, and no thanks for the externalities: the rational rejection of security advice by users , 2009, NSPW '09.

[102]  J. Schafer,et al.  Missing data: our view of the state of the art. , 2002, Psychological methods.

[103]  Chris Kanich,et al.  Spamalytics: an empirical analysis of spam marketing conversion , 2008, CCS.

[104]  M. Angela Sasse,et al.  The true cost of unusable password policies: password use in the wild , 2010, CHI.

[105]  P. Schoemaker The Expected Utility Model: Its Variants, Purposes, Evidence and Limitations , 1982 .

[106]  Mo Adam Mahmood,et al.  Employees' adherence to information security policies: An exploratory field study , 2014, Inf. Manag..

[107]  N. Weinstein Testing four competing theories of health-protective behavior. , 1993, Health psychology : official journal of the Division of Health Psychology, American Psychological Association.

[108]  Detmar W. Straub,et al.  Enhancing Password Security through Interactive Fear Appeals: A Web-Based Field Experiment , 2013, 2013 46th Hawaii International Conference on System Sciences.

[109]  Younghwa Lee,et al.  An empirical investigation of anti-spyware software adoption: A multitheoretical perspective , 2008, Inf. Manag..

[110]  H. Marsh,et al.  In Search of Golden Rules: Comment on Hypothesis-Testing Approaches to Setting Cutoff Values for Fit Indexes and Dangers in Overgeneralizing Hu and Bentler's (1999) Findings , 2004 .

[111]  Noel T Brewer,et al.  Meta-analysis of the relationship between risk perception and health behavior: the example of vaccination. , 2007, Health psychology : official journal of the Division of Health Psychology, American Psychological Association.

[112]  R. Rogers Cognitive and physiological processes in fear appeals and attitude change: a revised theory of prote , 1983 .

[113]  Malka N. Halgamuge,et al.  Universal serial bus based software attacks and protection solutions , 2011, Digit. Investig..

[114]  A. Bandura Social cognitive theory of self-regulation☆ , 1991 .

[115]  H. de Vries,et al.  Short- and long-term effects of tailored information versus general information on determinants and intentions related to early detection of cancer. , 2004, Preventive medicine.

[116]  J. Yan,et al.  Password memorability and security: empirical results , 2004, IEEE Security & Privacy Magazine.

[117]  P. Sheeran,et al.  Combining motivational and volitional interventions to promote exercise participation: protection motivation theory and implementation intentions. , 2002, British journal of health psychology.

[118]  P. Sheeran,et al.  Does changing behavioral intentions engender behavior change? A meta-analysis of the experimental evidence. , 2006, Psychological bulletin.

[119]  I. Ajzen,et al.  Belief, Attitude, Intention, and Behavior: An Introduction to Theory and Research , 1977 .

[120]  Robert LaRose,et al.  Promoting personal responsibility for internet safety , 2008, CACM.

[121]  D. Ronis,et al.  Conditional health threats: health beliefs, decisions, and behaviors among adults. , 1992, Health psychology : official journal of the Division of Health Psychology, American Psychological Association.

[122]  Namjoo Choi,et al.  Knowing is doing: An empirical validation of the relationship between managerial information security awareness and action , 2008, Inf. Manag. Comput. Secur..

[123]  Detmar W. Straub,et al.  Coping With Systems Risk: Security Planning Models for Management Decision Making , 1998, MIS Q..

[124]  Ken Thompson,et al.  Password security: a case history , 1979, CACM.

[125]  Lorne Olfman,et al.  Improving End User Behaviour in Password Utilization: An Action Research Initiative , 2008 .

[126]  I. Rosenstock Historical Origins of the Health Belief Model , 1974 .

[127]  G. A. Miller THE PSYCHOLOGICAL REVIEW THE MAGICAL NUMBER SEVEN, PLUS OR MINUS TWO: SOME LIMITS ON OUR CAPACITY FOR PROCESSING INFORMATION 1 , 1956 .

[128]  Benjamin B. M. Shao,et al.  A Behavioral Analysis of Passphrase Design and Effectiveness , 2009, J. Assoc. Inf. Syst..

[129]  Detmar W. Straub,et al.  Security concerns of system users: A study of perceptions of the adequacy of security , 1991, Inf. Manag..

[130]  Paul Benjamin Lowry,et al.  Improving Password Cybersecurity Through Inexpensive and Minimally Invasive Means: Detecting and Deterring Password Reuse Through Keystroke-Dynamics Monitoring and Just-in-Time Fear Appeals , 2014, Inf. Technol. Dev..

[131]  Kim Witte,et al.  Fear appeals and persuasion: A review and update of the Extended Parallel Process Model. , 2011 .

[132]  Ritu Agarwal,et al.  Practicing Safe Computing: A Multimedia Empirical Examination of Home Computer User Security Behavioral Intentions , 2010, MIS Q..

[133]  Pietro Michiardi,et al.  Password Strength: An Empirical Analysis , 2010, 2010 Proceedings IEEE INFOCOM.

[134]  Blase Ur,et al.  Measuring password guessability for an entire university , 2013, CCS.

[135]  Izak Benbasat,et al.  Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness , 2010, MIS Q..

[136]  Qing Hu,et al.  Why Individuals Commit Information Security Violations: Neural Correlates of Decision Processes and Self-Control , 2014, 2014 47th Hawaii International Conference on System Sciences.

[137]  Marjan Hericko,et al.  Password security — No change in 35 years? , 2014, 2014 37th International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO).

[138]  B. Byrne,et al.  Testing for the equivalence of factor covariance and mean structures: The issue of partial measurement invariance. , 1989 .

[139]  R. W. Rogers,et al.  A meta-analysis of research on protection motivation theory. , 2000 .

[140]  Tse-Hua Shih,et al.  Comparing Response Rates from Web and Mail Surveys: A Meta-Analysis , 2008 .

[141]  Kregg Aytes,et al.  Computer Security and Risky Computing Practices: A Rational Choice Perspective , 2004, J. Organ. End User Comput..

[142]  Lorrie Faith Cranor,et al.  Human selection of mnemonic phrase-based passwords , 2006, SOUPS '06.

[143]  Rui Chen,et al.  Security services as coping mechanisms: an investigation into user intention to adopt an email authentication service , 2014, Inf. Syst. J..

[144]  Kim-Phuong L. Vu,et al.  Effects of a Mnemonic Technique on Subsequent Recall of Assigned and Self-generated Passwords , 2009, HCI.

[145]  Steven Furnell,et al.  An assessment of website password practices , 2007, Comput. Secur..

[146]  Jeffrey J. Johnson,et al.  The adoption of computer security: an analysis of home personal computer user behavior using the health belief model , 2011 .

[147]  Lujo Bauer,et al.  Of passwords and people: measuring the effect of password-composition policies , 2011, CHI.

[148]  Gary Klein,et al.  A Longitudinal Study to Determine Non-technical Deterrence Effects of Severity and Communication of Internet Use Policy for Reducing Employee Internet Abuse , 2014, 2014 47th Hawaii International Conference on System Sciences.

[149]  R. W. Rogers,et al.  Effects of components of protection-motivation theory on adaptive and maladaptive coping with a health threat. , 1987, Journal of personality and social psychology.

[150]  K. Sathian,et al.  Mnemonic strategy training improves memory for object location associations in both healthy elderly and patients with amnestic mild cognitive impairment: a randomized, single-blind study. , 2012, Neuropsychology.

[151]  N. Weinstein Effects of personal experience on self-protective behavior. , 1989, Psychological bulletin.

[152]  Kevin F. McCrohan,et al.  Influence of Awareness and Training on Cyber Security , 2010 .

[153]  Merrill Warkentin,et al.  Introducing the Check-Off Password System (COPS): An Advancement in User Authentication Methods and Information Security , 2004, J. Organ. End User Comput..

[154]  Steven Prentice-Dunn,et al.  Protection motivation theory. , 1997 .

[155]  Joshua Cook,et al.  Improving password security and memorability to protect personal and organizational information , 2007, Int. J. Hum. Comput. Stud..

[156]  Konstantin Beznosov,et al.  Does my password go up to eleven?: the impact of password meters on password selection , 2013, CHI.

[157]  Benjamin B. M. Shao,et al.  The usability of passphrases for authentication: An empirical field study , 2007, Int. J. Hum. Comput. Stud..

[158]  M. Becker,et al.  The Health Belief Model: A Decade Later , 1984, Health education quarterly.

[159]  Xin Luo,et al.  Improving multiple-password recall: an empirical study , 2009, Eur. J. Inf. Syst..

[160]  S. West,et al.  The robustness of test statistics to nonnormality and specification error in confirmatory factor analysis. , 1996 .

[161]  Michael S. LaTour,et al.  There are Threats and (Maybe) Fear-Caused Arousal: Theory and Confusions of Appeals to Fear and Fear Arousal Itself , 1997 .

[162]  Kenneth A. Bollen,et al.  Overall Fit in Covariance Structure Models: Two Types of Sample Size Effects , 1990 .

[163]  Kieran Mathieson,et al.  Predicting User Intentions: Comparing the Technology Acceptance Model with the Theory of Planned Behavior , 1991, Inf. Syst. Res..

[164]  Dennis Guster,et al.  Weak Password Security: An Empirical Study , 2008, Inf. Secur. J. A Glob. Perspect..

[165]  Blase Ur,et al.  How Does Your Password Measure Up? The Effect of Strength Meters on Password Creation , 2012, USENIX Security Symposium.

[166]  Joseph Bonneau,et al.  The Password Thicket: Technical and Market Failures in Human Authentication on the Web , 2010, WEIS.

[167]  B. Byrne Structural equation modeling with EQS : basic concepts, applications, and programming , 2000 .

[168]  Hilary Johnson,et al.  Using and managing multiple passwords: A week to a view , 2011, Interact. Comput..

[169]  Joseph Bonneau,et al.  The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords , 2012, 2012 IEEE Symposium on Security and Privacy.

[170]  Marti A. Hearst,et al.  Why phishing works , 2006, CHI.