32.5. Users and Password Behavior

Insecure work practices and low security motivation among users have been identified by information security research as major problems that must be addressed.[16],[17],[18],[19] The research presented here goes further and identifies the cause of these user-related problems; in the sidebar "Recommendations," we summarize methods for addressing them. There is an implicit assumption that users are not inherently motivated to adopt secure behavior, but that such behavior can be achieved through drills and threats of punishment for noncompliance. Knowledge from psychology and human-computer interaction indicates that users' behavior is likely to be more complex than a simple conditioned response. This study demonstrates that users forced to comply with password mechanisms incompatible with their work practices may produce responses that circumvent the whole procedure.

[16] DeAlvare, Crackers.

[17] Davis.

[18] W. Ford, Computer Communications Security: Principles, Standard Protocols and Techniques (Englewood Cliffs, NJ: Prentice Hall, 1994).

[19] S. Gordon, Social Engineering: Techniques and Prevention (Computer Security, 1995).

RECOMMENDATIONS

The results from the studies reported have led to the formulation of the recommendations summarized here. The construction of secure passwords can be supported through the recommendations under "Password Content" and "Multiple Passwords." Recommended ways of ensuring that users comply with security mechanisms are described under "Users' Perceptions of Security" and "Work Practices."

Password Content

  • Provide instruction and training on how to construct usable and secure passwords. Users must be shown, proactively, how to construct memorable passwords that do not circumvent security mechanisms.

  • Provide constructive online feedback during the password construction process, including an explanation whenever a password is rejected as insecure. This also helps to refresh users' knowledge of password design procedures.
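The difference between these two recommendations and the usual "invalid password" dialog is that every rejection names the weakness and shows a memorable way around it, so the check itself becomes the training. The following Python is an added example, not code from the book or from any study it reports; the 12-character minimum, the tiny common-password list, the dictionary and the leet-substitution table are constructed placeholders for a real breached-password blocklist and dictionary.

```python
"""Constructive password feedback: reject with a reason and a fix, not a bare "invalid".

Added example (not the book's code). Every check returns (what is wrong, how to fix it)
so the rejection doubles as instruction. MIN_LENGTH, COMMON_PASSWORDS, DICTIONARY_WORDS
and LEET_MAP are assumed, constructed stand-ins for a real policy and blocklist.
"""
import re
from dataclasses import dataclass, field

MIN_LENGTH = 12  # assumed policy threshold, not a value from the text

# Constructed stand-ins for a real breached/common-password blocklist and a dictionary.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}
DICTIONARY_WORDS = {"password", "welcome", "dragon", "summer", "monkey", "london"}

# Substitutions users typically make when told a plain word is too weak; crackers undo them.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})


@dataclass
class Feedback:
    accepted: bool
    problems: list = field(default_factory=list)  # list of (what is wrong, how to fix it)


def normalize_core(pw: str) -> str:
    """Strip appended/prepended digits and symbols, undo leet, keep letters only.

    'P@ssw0rd1!' -> 'password', i.e. what a cracking tool would try as the base word.
    """
    stripped = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", pw)
    return re.sub(r"[^a-z]", "", stripped.lower().translate(LEET_MAP))


def has_run_or_sequence(pw: str, n: int = 4) -> bool:
    """True for n identical chars in a row ('1111') or a strictly ascending/descending run ('abcd', '4321')."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - n + 1):
        window = codes[i:i + n]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def check_password(pw: str, username: str = "") -> Feedback:
    """Run every check and collect explanations; an empty problem list means accepted."""
    fb = Feedback(accepted=True)

    def reject(what: str, fix: str) -> None:
        fb.accepted = False
        fb.problems.append((what, fix))

    if len(pw) < MIN_LENGTH:
        reject(f"only {len(pw)} characters; the minimum is {MIN_LENGTH}",
               "use a passphrase of three or four unrelated words, e.g. 'copper lantern quiet harbour'")
    if pw.lower() in COMMON_PASSWORDS:
        reject("this exact password is on the lists attackers try first",
               "choose something that has never been a common password")
    if username and username.lower() in pw.lower():
        reject("contains your username, which an attacker already knows",
               "pick words unrelated to your account or identity")
    if normalize_core(pw) in DICTIONARY_WORDS:
        reject("a single dictionary word with digits or symbols substituted, which cracking tools undo automatically",
               "combine several unrelated words instead of decorating one word")
    if has_run_or_sequence(pw):
        reject("contains a keyboard run or repeated character (e.g. 'abcd', '1111')",
               "runs add length but almost no unpredictability; add another word instead")
    return fb


def explain(fb: Feedback) -> str:
    """Render the feedback as the message the user would actually see."""
    if fb.accepted:
        return "Accepted."
    lines = ["Password rejected:"]
    for what, fix in fb.problems:
        lines.append(f"  - {what}\n    Suggestion: {fix}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed candidates: a decorated dictionary word, a username plus a run, and a passphrase.
    for candidate in ["P@ssw0rd1!", "alice2024abcd", "copper lantern quiet harbour"]:
        print(f"{candidate!r}:\n{explain(check_password(candidate, username='alice'))}\n")
```

The point of `normalize_core` is to reject the password the user is most likely to try after a first rejection (the same word with `@` and `0` substituted), and the suggestion attached to each failure always points toward a passphrase, which is the memorable-but-uncrackable construction the first bullet asks trainers to teach.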

Multiple Passwords

  • Asking users to remember multiple passwords decreases memorability and increases cognitive overheads associated with the password mechanism.

  • If multiple passwords cannot be avoided, four or five is the maximum for unrelated, regularly used passwords that users can be expected to cope with. The number is lower if passwords are used infrequently.

  • Users who have to remember multiple passwords frequently resort to related passwords, but within-list interference then creates another, even worse, memory problem. Where users have to work with a large number of different systems, single sign-on and physical security mechanisms such as smart cards should be considered to alleviate memory problems.

Users' Perceptions of Security

  • System security needs to be visible and seen to be taken seriously by the organization. Providing feedback during the password construction process not only assists users in the construction of secure passwords, but also is an example of security in action and increases users' awareness of system security and its importance.

  • Inform users about existing and potential threats to the organization's systems and sensitivity of information contained in them. Awareness of threats and potential loss to the organization is the raison d'être for security mechanisms; without it, users are likely to perceive security mechanisms as tedious motions they have to go through. The role of passwords in the fight against perceived threats should be made explicit.

  • Users' awareness of the importance of security and threats to it needs to be maintained over time. This requires a balancing act. While we advise against "punishing" users who circumvent security mechanisms, such behavior needs to be detected and challenged in a constructive manner: if security is compromised and no action is taken, users tend to assume that "it doesn't matter anyway." At the same time, an environment giving the impression that its security mechanisms are invincible is likely to foster careless behavior among users, because the level of perceived threats to security is low.

  • Provide users with guidance as to which systems and information are sensitive, and why. The current tendency is for security departments to treat all information as equally sensitive, with as little explanation as possible. Without such indicators and guidance, users tend to make arbitrary judgments based on their own, usually patchy, knowledge and experience. Explain how security levels relate to different levels of information sensitivity.

Work Practices

  • Password mechanisms need to be compatible with organizational and work procedures. Where work and responsibility are shared, users need to perceive that they are working with shared passwords; information or work specific to an individual user should be protected by individual passwords.


Insecure work practices and low security motivation among users can be caused by security mechanisms and policies that take no account of users' work practices, organizational strategies, and usability. These factors are pivotal in the design and implementation of most computer systems today, and designers of security mechanisms must realize that they are equally the key to successful security systems. Unless security departments understand how the mechanisms they design are used in practice, there will remain the danger that mechanisms that look secure on paper fail in practice.



Security and Usability: Designing Secure Systems That People Can Use
ISBN: 0596008279
Year: 2004
Pages: 295