Rational security: modelling everyday password use

Geoffrey B Duggan; Hilary Johnson; Beate Grawemeyer

doi:10.1016/j.ijhcs.2012.02.008

Rational security: modelling everyday password use

Geoffrey B Duggan, Hilary Johnson, Beate Grawemeyer

Research output: Contribution to journal › Article › peer-review

41 Citations (SciVal)

372 Downloads (Pure)

Abstract

To inform the design of security policy, task models of password behaviour were constructed for different user groups—Computer Scientists, Administrative Staff and Students. These models identified internal and external constraints on user behaviour and the goals for password use within each group. Data were drawn from interviews and diaries of password use. Analyses indicated password security positively correlated with the sensitivity of the task, differences in frequency of password use were related to password security and patterns of password reuse were related to knowledge of security. Modelling revealed Computer Scientists viewed information security as part of their tasks and passwords provided a way of completing their work. By contrast, Admin and Student groups viewed passwords as a cost incurred when accessing the primary task. Differences between the models were related to differences in password security and used to suggest six recommendations for security officers to consider when setting password policy.

Original language	English
Pages (from-to)	415-431
Number of pages	18
Journal	International Journal of Human-Computer Studies
Volume	70
Issue number	6
Early online date	3 Mar 2012
DOIs	https://doi.org/10.1016/j.ijhcs.2012.02.008
Publication status	Published - Jun 2012

Access to Document

10.1016/j.ijhcs.2012.02.008

Duggan,_Johnson_&_Grawemeyer,_12.pdf
NOTICE: this is the author’s version of a work that was accepted for publication in International Journal of Human-Computer Studies. Changes resulting from the publishing process, such as peer review, editing, corrections, structural formatting, and other quality control mechanisms may not be reflected in this document. Changes may have been made to this work since it was submitted for publication. A definitive version was subsequently published in Journal of Human-Computer Studies, 70, 6, 2012. DOI: 10.1016/j.ijhcs.2012.02.008
Accepted author manuscript, 673 KB

Cite this

@article{7104b1b0779a4a739a7b8a36573558c6,

title = "Rational security: modelling everyday password use",

abstract = "To inform the design of security policy, task models of password behaviour were constructed for different user groups—Computer Scientists, Administrative Staff and Students. These models identified internal and external constraints on user behaviour and the goals for password use within each group. Data were drawn from interviews and diaries of password use. Analyses indicated password security positively correlated with the sensitivity of the task, differences in frequency of password use were related to password security and patterns of password reuse were related to knowledge of security. Modelling revealed Computer Scientists viewed information security as part of their tasks and passwords provided a way of completing their work. By contrast, Admin and Student groups viewed passwords as a cost incurred when accessing the primary task. Differences between the models were related to differences in password security and used to suggest six recommendations for security officers to consider when setting password policy.",

author = "Duggan, {Geoffrey B} and Hilary Johnson and Beate Grawemeyer",

year = "2012",

month = jun,

doi = "10.1016/j.ijhcs.2012.02.008",

language = "English",

volume = "70",

pages = "415--431",

journal = "International Journal of Human-Computer Studies",

issn = "1071-5819",

publisher = "Elsevier Academic Press Inc",

number = "6",

}

TY - JOUR

T1 - Rational security: modelling everyday password use

AU - Duggan, Geoffrey B

AU - Johnson, Hilary

AU - Grawemeyer, Beate

PY - 2012/6

Y1 - 2012/6

N2 - To inform the design of security policy, task models of password behaviour were constructed for different user groups—Computer Scientists, Administrative Staff and Students. These models identified internal and external constraints on user behaviour and the goals for password use within each group. Data were drawn from interviews and diaries of password use. Analyses indicated password security positively correlated with the sensitivity of the task, differences in frequency of password use were related to password security and patterns of password reuse were related to knowledge of security. Modelling revealed Computer Scientists viewed information security as part of their tasks and passwords provided a way of completing their work. By contrast, Admin and Student groups viewed passwords as a cost incurred when accessing the primary task. Differences between the models were related to differences in password security and used to suggest six recommendations for security officers to consider when setting password policy.

AB - To inform the design of security policy, task models of password behaviour were constructed for different user groups—Computer Scientists, Administrative Staff and Students. These models identified internal and external constraints on user behaviour and the goals for password use within each group. Data were drawn from interviews and diaries of password use. Analyses indicated password security positively correlated with the sensitivity of the task, differences in frequency of password use were related to password security and patterns of password reuse were related to knowledge of security. Modelling revealed Computer Scientists viewed information security as part of their tasks and passwords provided a way of completing their work. By contrast, Admin and Student groups viewed passwords as a cost incurred when accessing the primary task. Differences between the models were related to differences in password security and used to suggest six recommendations for security officers to consider when setting password policy.

UR - http://www.scopus.com/inward/record.url?scp=84858182438&partnerID=8YFLogxK

UR - http://dx.doi.org/10.1016/j.ijhcs.2012.02.008

U2 - 10.1016/j.ijhcs.2012.02.008

DO - 10.1016/j.ijhcs.2012.02.008

M3 - Article

SN - 1071-5819

VL - 70

SP - 415

EP - 431

JO - International Journal of Human-Computer Studies

JF - International Journal of Human-Computer Studies

IS - 6

ER -

Rational security: modelling everyday password use

Abstract

Access to Document

Other files and links

Fingerprint

Cite this