Using Gamification to Improve Information Security Behavior: A Password Strength Experiment

Information security emphasizes the importance of motivating end users to improve their security behavior towards protecting their private and organizational information assets. Password authentication is widely used as a user authentication method to safeguard information resources from unauthorized access. Despite its prevalence, password best practice is not often followed and the use of weak passwords persists. Although password strength feedback mechanisms commonly aim to extrinsically motivate users to improve their password creation behavior, it is not yet clear how other methods, specifically gamification, influence security behavior regarding password creation. The purpose of this study is to examine the effect of gamification on user information security behavior, specifically regarding password creation. This study presents results from an online experiment with 232 respondents, who interacted with two different password strength feedback methods, namely a meter feedback method and a gamified feedback method using gamification points. A significant difference between the methods was found when measuring password strength using the number of guesses needed to crack the password, with the points method resulting in stronger passwords. The results of the study reveal that gamified feedback can lead to increased engagement and stronger password creation.
