Eryn Ma,Summer Hasama,Eshaan Lumba,Eleanor Birrell

DOI: https://doi.org/10.48550/arXiv.2201.01350

2022-01-04

Cryptography and Security

Abstract:User-chosen passwords remain essential to online security, and yet people continue to choose weak, insecure passwords. In this work, we investigate whether prospect theory, a behavioral model of how people evaluate risk, can provide insights into how users choose passwords and whether it can motivate new designs for password selection mechanisms that will nudge users to select stronger passwords. We ran a user study with 762 participants, and we found that an intervention guided by prospect theory -- which leverages the reference-dependence effect by framing selecting weak passwords as a loss relative to choosing a stronger password -- causes approximately 25% of users to improve the strength of their password (significantly more than alternative interventions) and reduced the final number of weak passwords by approximately 25%. We also evaluate the relation between user behavior and users' mental models of hacking and password attacks. These results provide guidance for designing and implementing account registration mechanisms that will significantly improve the strength of user-selected passwords, thereby leveraging insights from prospect theory to improve the security of systems that use password-based authentication.

Alaa Nehme,Meng (Leah) Li,Merrill Warkentin

DOI: https://doi.org/10.1016/j.cose.2024.103941

IF: 5.105

2024-06-08

Computers & Security

Abstract:Robust password management is crucial for users' information security. The use of password manager technology, which constitutes adaptive coping, is the dominant method for robust password management. Nonetheless, many users engage in maladaptive coping, adopting poor password management behaviors, such as using easy-to-remember passwords and using the same password across multiple accounts. Against this backdrop, this paper considers both adaptive and maladaptive coping factors for studying password manager use. As such, we incorporate the adaptive coping factor of password manager trustworthiness and the maladaptive coping factor of password mismanagement convenience into a research model that draws upon Hope-extended Protection Motivation Theory. We tested our model with a survey of US users. Our main findings indicate that password manager trustworthiness drives users' appraised coping potential and that password mismanagement convenience has a context-specific (i.e., specific to the password manager use context) intricacy in how it reduces password manager use. Our theoretical contributions include expanding the range of Protection Motivation Theory's input sources, expanding the range of the studied context-specific factors in the password manager use context, and unveiling the uniqueness of the password manager context. This work also informs practice, especially with respect to how messages that aim to promote password manager use may be designed.

computer science, information systems

Shengqian Wang,Amirali Salehi-Abari,Julie Thorpe

2023-09-29

Abstract:Passwords, a first line of defense against unauthorized access, must be secure and memorable. However, people often struggle to create secure passwords they can recall. To address this problem, we design Password inspiration by eXploring information (PiXi), a novel approach to nudge users towards creating secure passwords. PiXi is the first of its kind that employs a password creation nudge to support users in the task of generating a unique secure password themselves. PiXi prompts users to explore unusual information right before creating a password, to shake them out of their typical habits and thought processes, and to inspire them to create unique (and therefore stronger) passwords. PiXi's design aims to create an engaging, interactive, and effective nudge to improve secure password creation. We conducted a user study ($N=238$) to compare the efficacy of PiXi to typical password creation. Our findings indicate that PiXi's nudges do influence users' password choices such that passwords are significantly longer and more secure (less predictable and guessable).

Cryptography and Security

Yusuf Albayram,Jaden Walker

DOI: https://doi.org/10.1080/10447318.2024.2404721

IF: 4.92

2024-10-05

International Journal of Human-Computer Interaction

Abstract:The ever-increasing number of data breaches targeting user credentials has become undeniable reality in our digital age. Although there are third-party breach notification services (e.g., Have I Been Pwned, Firefox Monitor) that allow users to check whether their credentials have been involved in data breaches, the number of users who are aware of or use such services may be limited. To better inform users about the breach status of their accounts, we designed a prototype registration system where the website uses readily available information (e.g., email address) to check whether this account was involved in a data breach, and then inform the user about the breach status of the email address while signing up for a website. We investigated the effectiveness of this system by performing an online study ( n = 373) in which participants were asked to register to a mock-up website that presented them with a data breach notification based on Protection Motivation Theory (PMT). We found that 64% of participants were exposed in one or more breaches. A follow-up survey, 3 days after the initial survey, was conducted to determine if there were any behavior changes (e.g., changing passwords) of participants whose accounts were involved in some data breaches. We found that 40% of the participants changed their passwords on their some accounts. Finally, we present our qualitative data analysis to shed light on participants' motivations behind their decisions as well as their perceptions of the integration of our prototype registration system.

computer science, cybernetics,ergonomics

Philip Menard,Gregory J. Bott,Robert E. Crossler

DOI: https://doi.org/10.1080/07421222.2017.1394083

IF: 7.582

2017-10-02

Journal of Management Information Systems

Abstract:Managers desiring to protect information systems must understand how to most effectively motivate users to engage in secure behaviors. Information security researchers have frequently studied individuals’ performance of secure behaviors in response to threats. Protection motivation theory (PMT) has been used to explain individuals’ propensity to engage in voluntary secure behaviors, but the adaptation of this theory has yielded inconsistent results. Motivation as a measurable construct, as derived from self-determination theory (SDT), has never been included in or compared against PMT. In this study, we construct security messages that appeal to individuals’ intrinsic motivation, rather than fear, as a way to elicit secure responses. Using three sets of respondents, we integrated the SDT and PMT models and compared the native models in the context of security behaviors. We demonstrate that by using data- and individual-focused appeals and providing choices for users, managers may observe greater intention to engage in secure behavior among employees.

information science & library science,management,computer science, information systems

Varun Shiri,Maggie Xiong,Jinghui Cheng,Jin L.C. Guo

DOI: https://doi.org/10.1145/3643834.3661544

2024-05-07

Abstract:In modern technology environments, raising users' privacy awareness is crucial. Existing efforts largely focused on privacy policy presentation and failed to systematically address a radical challenge of user motivation for initiating privacy awareness. Leveraging the Protection Motivation Theory (PMT), we proposed design ideas and categories dedicated to motivating users to engage with privacy-related information. Using these design ideas, we created a conceptual prototype, enhancing the current App Store product page. Results from an online experiment and follow-up interviews showed that our design effectively motivated participants to attend to privacy issues, raising both the threat appraisal and coping appraisal, two main factors in PMT. Our work indicated that effective design should consider combining PMT components, calibrating information content, and integrating other design elements, such as visual cues and user familiarity. Overall, our study contributes valuable design considerations driven by the PMT to amplify the motivational aspect of privacy communication.

Human-Computer Interaction

Cori Faklaris,Laura Dabbish,Jason I. Hong

DOI: https://doi.org/10.48550/arXiv.2205.06937

2022-05-14

Abstract:Behavior change ideas from health psychology can also help boost end user compliance with security recommendations, such as adopting two-factor authentication (2FA). Our research adapts the Transtheoretical Model Stages of Change from health and wellness research to a cybersecurity context. We first create and validate an assessment to identify workers on Amazon Mechanical Turk who have not enabled 2FA for their accounts as being in Stage 1 (no intention to adopt 2FA) or Stages 2-3 (some intention to adopt 2FA). We randomly assigned participants to receive an informational intervention with varied content (highlighting process, norms, or both) or not. After three days, we again surveyed workers for Stage of Amazon 2FA adoption. We found that those in the intervention group showed more progress toward action/maintenance (Stages 4-5) than those in the control group, and those who received content highlighting the process of enabling 2FA were significantly more likely to progress toward 2FA adoption. Our work contributes support for applying a Stages of Change Model in usable security.

Human-Computer Interaction,Cryptography and Security

Daniele Lain,Tarek Jost,Sinisa Matetic,Kari Kostiainen,Srdjan Capkun

DOI: https://doi.org/10.1145/3658644.3690348

2024-09-03

Abstract:A common form of phishing training in organizations is the use of simulated phishing emails to test employees' susceptibility to phishing attacks, and the immediate delivery of training material to those who fail the test. This widespread practice is dubbed embedded training; however, its effectiveness in decreasing the likelihood of employees falling for phishing again in the future is questioned by the contradictory findings of several recent field studies. We investigate embedded phishing training in three aspects. First, we observe that the practice incorporates different components -- knowledge gains from its content, nudges and reminders from the test itself, and the deterrent effect of potential consequences -- our goal is to study which ones are more effective, if any. Second, we explore two potential improvements to training, namely its timing and the use of incentives. Third, we analyze employees' reception and perception of the practice. For this, we conducted a large-scale mixed-methods (quantitative and qualitative) study on the employees of a partner company. Our study contributes several novel findings on the training practice: in particular, its effectiveness comes from its nudging effect, i.e., the periodic reminder of the threat rather than from its content, which is rarely consumed by employees due to lack of time and perceived usefulness. Further, delaying training to ease time pressure is as effective as currently established practices, while rewards do not improve secure behavior. Finally, some of our results support previous findings with increased ecological validity, e.g., that phishing is an attention problem, rather than a knowledge one, even for the most susceptible employees, and thus enforcing training does not help.

Cryptography and Security

Gilbert Notoatmodjo,Clark D. Thomborson

2009-01-01

Abstract:The security of many computer systems hinges on the secrecy of a single word - if an adversary obtains knowledge of a password, they will gain access to the resources controlled by this password. Human users are the 'weakest link' in password control, due to our propensity to reuse passwords and to create weak ones. Policies which forbid such unsafe password practices are often violated, even if these policies are well-advertised. We have studied how users perceive their accounts and their passwords. Our participants mentally classified their accounts and passwords into a few groups, based on a small number of perceived similarities. Our participants used stronger passwords, and reused passwords less, in account groups which they considered more important. Our participants thus demonstrated awareness of the basic tenets of password safety, but they did not behave safely in all respects. Almost half of our participants reused at least one of the passwords in their high-importance accounts. Our findings add to the body of evidence that a typical computer user suffers from 'password overload'. Our concepts of password and account grouping point the way toward more intuitive user interfaces for password-and account-management systems.

Yiming Zhao,Wenting Li,Zijian Zhang,Ping Wang

DOI: https://doi.org/10.1109/BigDataService.2019.00029

2019-01-01

Abstract:Based on the ecological user memory, this paper establishes a security strategy model (SSM) to quantify the memory cost of passwords and the value of accounts to users in assword expiration strategy. This paper introduces the theory of human ecological memory to explain the memory cost of account password to users. We experiment on 304 users to prove that when users modify a single account, the security benefits of modifying a high-value account are greater for users. In the case of modifying multiple accounts, modifying accounts with password reuse will gain greater security for users. Experimental results show that when users modify password accounts, adding personal information can increase password strength to some extent while minimizing memory costs. In this paper, we for the first time use user ecological memory as one of the criteria to evaluate user security benefits, which might be the trend of future research on user behavior creating and password modification policy.

Fabia Marie Hettler,Jan-Philip Schumacher,Eduard Anton,Berna Eybey,Frank Teuteberg

DOI: https://doi.org/10.1007/s10660-024-09825-6

2024-03-19

Electronic Commerce Research

Abstract:Given the nascent understanding of user perceptions toward digital nudges in e-commerce, our study examines key factors: perceived usefulness, ease of use, trust, and privacy risks. Via an online experiment of 273 participants, we examined the influence of digital nudging interventions – social norms, defaults, and scarcity warnings – against a control group. Employing descriptive and inferential statistics, notable trust variations were found between default and scarcity warning groups versus controls. To assess these findings, we interviewed 11 information systems and psychology experts. This research enriches our understanding of digital nudges in e-commerce and provides design insights. Theoretical implications span from providing propositions in order to enhance user involvement, conducting narrative accompanying research, analyzing diverse time points of nudging. Practical implications focus on emphasizing to users their choice autonomy and the highlighting that defaults and scarcity warnings are designed to mitigate inherent heuristics and biases for combining nudging with boosting elements.

management,business

Maria Bada,Angela M. Sasse,Jason R. C. Nurse

DOI: https://doi.org/10.48550/arXiv.1901.02672

2019-01-09

Abstract:The present paper focuses on Cyber Security Awareness Campaigns, and aims to identify key factors regarding security which may lead them to failing to appropriately change people's behaviour. Past and current efforts to improve information-security practices and promote a sustainable society have not had the desired impact. It is important therefore to critically reflect on the challenges involved in improving information-security behaviours for citizens, consumers and employees. In particular, our work considers these challenges from a Psychology perspective, as we believe that understanding how people perceive risks is critical to creating effective awareness campaigns. Changing behaviour requires more than providing information about risks and reactive behaviours - firstly, people must be able to understand and apply the advice, and secondly, they must be motivated and willing to do so - and the latter requires changes to attitudes and intentions. These antecedents of behaviour change are identified in several psychological models of behaviour. We review the suitability of persuasion techniques, including the widely used 'fear appeals'. From this range of literature, we extract essential components for an awareness campaign as well as factors which can lead to a campaign's success or failure. Finally, we present examples of existing awareness campaigns in different cultures (the UK and Africa) and reflect on these.

Cryptography and Security,Computers and Society,Human-Computer Interaction

Jongpil Park,Jai-Yeol Son,Kil-Soo Suh

DOI: https://doi.org/10.1108/intr-01-2021-0065

IF: 5.9

2021-09-16

Internet Research

Abstract:Purpose Firms continue to struggle with end users who do not follow recommended actions for safeguarding information security. Thus, the authors utilize insights gained from studies on heuristic processing of risk information to design cues in fear appeal messages more effectively so as to more strongly engender fear among users, which can in turn lead them to take protective actions toward information security. Specifically, four types of fear appeal cues are identified: numeric risk communication, social distance and goal framing in verbal risk communication and visual risk communication. Design/methodology/approach Drawing from protection motivation theory, the authors hypothesize that these fear appeal cues can engender fear among users to a greater extent. In addition, the authors hypothesize that users will perceive a higher level of severity and susceptibility when they perceive a large amount of fear. The research hypotheses were tested employing data collected through a laboratory experiment. Analysis of variance (ANOVA) and regression analyses were performed to analyze the data. Findings The study's results suggest that numeric and visual risk communication cues in security notices can significantly increase the amount of fear felt by users. In addition, social distance was found to marginally increase the amount of fear felt by users. However, unlike our expectation, goal framing was not found to increase the amount of fear when the other three types of fear appeal cues were also given in a security notice. It was also found that induced fear can increase the severity and susceptibility of threats as perceived by users. Originality/value The study contributes to the literature on fear appeal cues designed to promote users' security protection behaviors. No prior study has designed security notices featuring the four different types of fear appeal cues and empirically tested the effectiveness of those cues in inducing fear among users. The findings suggest that the design of fear appeal cues can be improved by understanding individuals' heuristic processing of risk information, which can be subject to cognitive biases.

computer science, information systems,telecommunications,business

Assaf Morag,Liron David,Eran Toch,Avishai Wool

2024-06-06

Abstract:Passwords are the primary authentication method online, but even with password policies and meters, users still find it hard to create strong and memorable passwords. In this paper, we propose DPAR: a Data-driven PAssword Recommendation system based on a dataset of 905 million leaked passwords. DPAR generates password recommendations by analyzing the user's given password and suggesting specific tweaks that would make it stronger while still keeping it memorable and similar to the original password. We conducted two studies to evaluate our approach: verifying the memorability of generated passwords (n=317), and evaluating the strength and recall of DPAR recommendations against password meters (n=441). In a randomized experiment, we show that DPAR increased password strength by 34.8 bits on average and did not significantly affect the ability to recall their password. Furthermore, 36.6% of users accepted DPAR's recommendations verbatim. We discuss our findings and their implications for enhancing password management with recommendation systems.

Cryptography and Security,Human-Computer Interaction

Ming Xu,Weili Han

DOI: https://doi.org/10.1155/2019/5184643

IF: 1.968

2019-01-01

Security and Communication Networks

Abstract:Textual passwords are still dominating the authentication of remote file sharing and website logins, although researchers recently showed several vulnerabilities about this authentication mechanism. When a user creates or changes a password, a website usually leverages a password strength meter (PSM for short) to show the strength of the password. When the password is evaluated as a weak one, the user may replace the password with a stronger or securer one. However, the user is usually confused when the password, especially a frequently used password, is shown as a weak one. We argue that an explainable password strength meter addon, which could show the reasons of weak, may help users to more effectively create a secure password. Unfortunately, we find few sites in Alexa global top 100 showing these details. Motivated to help users with an explainable PSM, this paper proposes an addon to PSMs providing feedbacks in the form of pattern passwords explaining why a password is weak. This PSM addon can detect twelve types of patterns, which cover a very large proportion among 70 million of leaked real passwords from high-profile websites. According to our evaluation and user study, our PSM addon, which leverages textual pattern passwords, can effectively detect these popular patterns and effectively help users create securer passwords.

Casey Inez Canfield,Baruch Fischhoff

DOI: https://doi.org/10.1111/risa.12917

Abstract:Phishing risk is a growing area of concern for corporations, governments, and individuals. Given the evidence that users vary widely in their vulnerability to phishing attacks, we demonstrate an approach for assessing the benefits and costs of interventions that target the most vulnerable users. Our approach uses Monte Carlo simulation to (1) identify which users were most vulnerable, in signal detection theory terms; (2) assess the proportion of system-level risk attributable to the most vulnerable users; (3) estimate the monetary benefit and cost of behavioral interventions targeting different vulnerability levels; and (4) evaluate the sensitivity of these results to whether the attacks involve random or spear phishing. Using parameter estimates from previous research, we find that the most vulnerable users were less cautious and less able to distinguish between phishing and legitimate emails (positive response bias and low sensitivity, in signal detection theory terms). They also accounted for a large share of phishing risk for both random and spear phishing attacks. Under these conditions, our analysis estimates much greater net benefit for behavioral interventions that target these vulnerable users. Within the range of the model's assumptions, there was generally net benefit even for the least vulnerable users. However, the differences in the return on investment for interventions with users with different degrees of vulnerability indicate the importance of measuring that performance, and letting it guide interventions. This study suggests that interventions to reduce response bias, rather than to increase sensitivity, have greater net benefit.

Sanam Ghorbani Lyastani,Michael Schilling,Sascha Fahl,Sven Bugiel,Michael Backes

DOI: https://doi.org/10.48550/arXiv.1712.08940

2017-12-24

Abstract:Despite their well-known security problems, passwords are still the incumbent authentication method for virtually all online services. To remedy the situation, end-users are very often referred to password managers as a solution to the password reuse and password weakness problems. However, to date the actual impact of password managers on password security and reuse has not been studied systematically. In this paper, we provide the first large-scale study of the password managers' influence on users' real-life passwords. From 476 participants of an online survey on users' password creation and management strategies, we recruit 170 participants that allowed us to monitor their passwords in-situ through a browser plugin. In contrast to prior work, we collect the passwords' entry methods (e.g., human or password manager) in addition to the passwords and their metrics. Based on our collected data and our survey, we gain a more complete picture of the factors that influence our participants' passwords' strength and reuse. We quantify for the first time that password managers indeed benefit the password strength and uniqueness, however, also our results also suggest that those benefits depend on the users' strategies and that managers without password generators rather aggravate the existing problems.

Cryptography and Security

Hirak Ray,Flynn Wolf,Ravi Kuber,Adam J. Aviv

DOI: https://doi.org/10.48550/arXiv.2010.01973

2020-10-05

Cryptography and Security

Abstract:Password managers (PMs) are considered highly effective tools for increasing security, and a recent study by Pearman et al. (SOUPS'19) highlighted the motivations and barriers to adopting PMs. We expand these findings by replicating Pearman et al.'s protocol and interview instrument applied to a sample of strictly older adults (>60 years of age), as the prior work focused on a predominantly younger cohort. We conducted n=26 semi-structured interviews with PM users, built-in browser/operating system PM users, and non-PM users. The average participant age was 70.4 years. Using the same codebook from Pearman et al., we showcase differences and similarities in PM adoption between the samples, including fears of a single point of failure and the importance of having control over one's private information. Meanwhile, older adults were found to have higher mistrust of cloud storage of passwords and cross-device synchronization. We also highlight PM adoption motivators for older adults, including the power of recommendations from family members and the importance of education and outreach to improve familiarity.

Ellie Kay,Paul Bostock

DOI: https://doi.org/10.5204/ssj.2848

2023-07-13

Student Success

Abstract:Providing timely nudges to students has been shown to improve engagement and persistence in tertiary education. However, many studies focus on small-scale pilots rather than institution-wide initiatives. This article assesses the impact of a pan-institution Early Alert System at the University of Canterbury that utilises nudging when students are at risk of disengagement. Once flagged, students received an automated text message and email encouraging re-engagement with the learning management system. Students who received the nudge re-engaged at a higher rate and spent more time engaging with online material. These benefits were sustained over two weeks, demonstrating a measurable benefit over time. Unexpectedly, the nudge resulted in persistence and engagement in other enrolled courses where a nudge was not provided, showing the transferability of benefits to other courses. Although no significant differences in GPA were found between test and control groups, future development will enable further research.

Nicolás E. Díaz Ferreyra,Sina Ostendorf,Esma Aïmeur,Maritta Heisel,Matthias Brand

DOI: https://doi.org/10.1145/3549015.3555674

2022-08-19

Abstract:Online self-disclosure is perhaps one of the last decade's most studied communication processes, thanks to the introduction of Online Social Networks (OSNs) like Facebook. Self-disclosure research has contributed significantly to the design of preventative nudges seeking to support and guide users when revealing private information in OSNs. Still, assessing the effectiveness of these solutions is often challenging since changing or modifying the choice architecture of OSN platforms is practically unfeasible. In turn, the effectiveness of numerous nudging designs is supported primarily by self-reported data instead of actual behavioral information. This work presents ENAGRAM, an app for evaluating preventative nudges, and reports the first results of an empirical study conducted with it. Such a study aims to showcase how the app (and the data collected with it) can be leveraged to assess the effectiveness of a particular nudging approach. We used ENAGRAM as a vehicle to test a risk-based strategy for nudging the self-disclosure decisions of Instagram users. For this, we created two variations of the same nudge and tested it in a between-subjects experimental setting. Study participants (N=22) were recruited via Prolific and asked to use the app regularly for 7 days. An online survey was distributed at the end of the experiment to measure some privacy-related constructs. From the data collected with ENAGRAM, we observed lower (though non-significant) self-disclosure levels when applying risk-based interventions. The constructs measured with the survey were not significant either, except for participants' External Information Privacy Concerns. Our results suggest that (i) ENAGRAM is a suitable alternative for conducting longitudinal experiments in a privacy-friendly way, and (ii) it provides a flexible framework for the evaluation of a broad spectrum of nudging solutions.

Human-Computer Interaction,Computers and Society,Social and Information Networks