Improving compliance with password guidelines: How user perceptions of passwords and security threats affect compliance with guidelines

Proceedings of the Annual Hawaii International Conference on System Sciences

Volumn , Issue , 2014, Pages 3188-3197

  Mwagwabi, Florence ^a   McGill, Tanya ^a   Dixon, Michael ^a  

^a MURDOCH UNIVERSITY   (Australia)

Author keywords

[No Author keywords available]

Indexed keywords

SECURITY SYSTEMS; SYSTEMS SCIENCE;

BEHAVIORAL INTENTION; PASSWORD SECURITY; PROTECTION MOTIVATION THEORY; SECURITY ISSUES; SECURITY THREATS; TRAINING PROGRAM; USER AUTHENTICATION; USER PERCEPTIONS;

AUTHENTICATION;

EID: 84902243096     PISSN: 15301605     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/HICSS.2014.396     Document Type: Conference Paper

References (41)

1. Stewart, J.M., Tittel, E., and Chapple, M., Cissp: Certified Information Systems Security Professional Study Guide Sybex, San Francisco, CA 2008.
2. Tsai, CS, Lee, C.C, and Hwang, M.S., "Password Authentication Schemes: Current Status and Key Issues,", International Journal of Network Security 2006, 3(2), pp. 101-115.
3. Yan, J, Blackwell, A, Anderson, R, and Grant, ASan Francisco, "Password Memorability and Security: Empirical Results,", IEEE Security & Privacy 2004, 2(5), pp. 25-31.
4. Inglesant, P.G., and Sasse, MA, "The True Cost of Unusable Password Policies: Password Use in the Wild,", Proceedings of the 28th International Conference on Human Factors in Computing Systems, 2010 pp. 383-392.
5. Ur, B, Kelley, P.G, Komanduri, S, Lee, J, Maass, M, Mazurek, M, Passaro, T, Shay, R, Vidas, T, and Bauer, L, "How Does Your Password Measure Up? The Effect of Strength Meters on Password Creation,", Proceedings of the 21st USENIX Conference on Security Symposium, 2012
6. Florêncio, D., and Herley, C., "A Large-Scale Study of Web Password Habits,", Proceedings of the 16th International Conference on World Wide Web, Banff, Alberta, Canada, 2007 pp. 657-666.
7. Calin, B., "Statistics from 10,000 Leaked Hotmail Passwords,", Retrieved 7 May 2013 from the World Wide Web, 2009.
8. Coursey, D., "25 "Worst Passwords" of 2011 Revealed,", Retrieved May 2013 from the World Wide Web, 2011.
9. Deloitte, "P @ $$1234: The End of Strong Password-Only Security,", Deloitte 2013
10. Florêncio, D., and Herley, C., "Where Do Security Policies Come From?,", Symposium on Usable Privacy and Security (SOUPS), Microsoft in Redmond, WA, 2010 pp. 83-93.
11. Vance, A., David, E., Kirk, O., and Detmar, S., "Enhancing Password Security through Interactive Fear Appeals: A Web-Based Field Experiment,", 2013 46th Hawaii International Conference on System Sciences (HICSS), Hawaii, 2013 pp. 2988-2997.
12. Bonneau, J., and Preibusch, S., "The Password Thicket: Technical and Market Failures in Human Authentication on the Web,", Proceedings of the Ninth Workshop on the Economics of Information Security, Harvard University, USA, 2010
13. Keith, M., Shao, B., and Steinbart, P., "A Behavioral Analysis of Passphrase Design and Effectiveness,", Journal of the Association for Information Systems 2009, 10(2), pp. 63-89.
14. Miller, G., "The Magical Number Seven, Plus or Minus Two: Some Limits on Our Capacity for Processing Information,", Psychological Review 1956, 63(2), pp. 81-97.
15. Zviran, M., and Haga, W., "Password Security: An Empirical Study,", Journal of Management Information Systems 1999, 15(4), pp. 161-185.
16. Woon, I., Tan, G., and Low, R., "A Protection Motivation Theory Approach to Home Wireless Security,", Proceedings of the Twenty-Sixth International Conference on Information Systems, Las Vegas, 2005 pp. 367-380.
17. Johnston, A., and Warkentin, M., "Fear Appeals and Information Security Behaviors: An Empirical Study,", MIS Quarterly 2010, 34(3), pp. 549-566.
18. Zhang, L., and McDowell, W., "Am I Really at Risk? Determinants of Online Users' Intentions to Use Strong Passwords,", Journal of Internet Commerce 2009, 8(3), pp. 180-197.
19. Liang, H., and Xue, Y., "Understanding Security Behaviors in Personal Computer Usage: A Threat Avoidance Perspective,", Journal of the Association for Information Systems 2010, 11(7), pp. 394-413.
20. Vance, A., Siponen, M., and Pahnila, S., "Motivating Is Security Compliance: Insights from Habit and Protection Motivation Theory,", Information & Management 2012, 49(3-4), pp. 190-198.
21. Lee, Y., and Larsen, K.R., "Threat or Coping Appraisal: Determinants of Smb Executives Decision to Adopt Anti-Malware Software,", European Journal of Information Systems 2009, 18(2), pp. 177-187.
22. Workman, M., Bommer, W.H., and Straub, D., "Security Lapses and the Omission of Information Security Measures: A Threat Control Model and Empirical Test,", Computers in Human Behavior 2008, 24(6), pp. 2799-2816.
23. Adams, A., Sasse, M., and Lunt, P., "Making Passwords Secure and Usable,", People and Computers 1997, pp. 1-20.
24. Maddux, J., and Rogers, R., "Protection Motivation and Self-Efficacy: A Revised Theory of Fear Appeals and Attitude Change,", Journal of Experimental Social Psychology 1983, 19(5), pp. 469-479.
25. Rogers, R., "A Protection Motivation Theory of Fear Appeals and Attitude Change,", Journal of Psychology 1975, 91(1), pp. 93-114.
26. Herath, T., and Rao, H.R., "Protection Motivation and Deterrence: A Framework for Security Policy Compliance in Organisations,", European Journal of Information Systems 2009, 18(2), pp. 106-125.
27. Siponen, M., Pahnila, S., and Mahmood, M.A., "Compliance with Information Security Policies: An Empirical Investigation,", Computer 2010, 43(2), pp. 64-71.
28. Skogan, W., and Maxfield, M., Coping with Crime: Individual and Neighborhood Reactions Sage Publications, Beverly Hills, CA 1981.
29. Boss, S.: 'Control, Perceived Risk and Information Security Precautions: External and Internal Motivations for Security Behavior'. PhD Thesis, University of Pittsburgh, 2007.
30. Creese, S., Hodges, D., Jamison-Powell, S., and Whitty, M. (2013). Relationships between Password Choices, Perceptions of Risk and Security Expertise Human Aspects of Information Security, Privacy, and Trust (pp. 80-89): Springer.
31. Milne, S., and Milne, "Prediction and Intervention in Health-Related Behavior: A Meta-Analytic Review of Protection Motivation Theory,", Journal of Applied Social Psychology 2000, 30(1), pp. 106.
32. Rippetoe, P., and Rogers, R., "Effects of Components of Protection-Motivation Theory on Adaptive and Maladaptive Coping with a Health Threat,", Journal of Personality and Social Psychology 1987, 52(3), pp. 596-604.
33. Milne, S., Orbell, S., and Sheeran, P., "Combining Motivational and Volitional Interventions to Promote Exercise Participation: Protection Motivation Theory and Implementation Intentions,", British Journal of Health Psychology 2002, 7(2), pp. 163-184.
34. Compeau, D., and Higgins, C., "Computer Self-Efficacy: Development of a Measure and Initial Test,", MIS Quarterly 1995, 19(2), pp. 189-211.
35. Bulgurcu, B., Cavusoglu, H., and Benbasat, I., "Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness,", MIS Quarterly 2010, 34(3), pp. 523-548.
36. Scarfone, K., and Souppaya, M. (2009). Guide to Enterprise Password Management (Draft) Recommendations of the National Institute of Standards and Technology (Nist). Gaithersburg, MD: NIST Special Publication 800-118.
37. McDowell, M., Rafail, J., and Hernan, S., "Choosing and Protecting Passwords,", Retrieved October 2010 from the World Wide Web, 2009.
38. Hair, J., Black, W., Babin, B., Anderson, R., and Tatham, R., Multivariate Data Analysis Prentice Hall, Upper Saddle River, NJ 2010.
39. Byrne, B.M., "Testing for Multigroup Equivalence of a Measuring Instrument: A Walk through the Process,", Psicothema 2008, 20(4), pp. 872-882.
40. Jenkins, J.L., Durcikova, A., and Burns, M.B., "Forget the Fluff: Examining How Media Richness Influences the Impact of Information Security Training on Secure Behavior,", System Science (HICSS), 2012 45th Hawaii International Conference on, 2012 pp. 3288-3296.
41. Weinstein, N., "Perceived Probability, Perceived Severity, and Health-Protective Behavior,", Health Psychology 2000, 19(1), pp. 65-74.