Section 32.2. Users Lack Security Knowledge


Parker[13] points out that a major doctrine in password security, adopted from the military, is the need-to-know principle. The assumption is that the more that is known about a security mechanism, the easier it is to attack; restricting access to this knowledge therefore increases security. Users are often told as little as possible because security departments see them as "inherently insecure." One clear finding from this study is that inadequate knowledge of password procedures, content, and cracking lies at the root of users' "insecure" behaviors.

[13] D. B. Parker, "Restating the Foundation of Information Security," in G. C. Gable and W. J. Caelli (eds.), IT Security: The Need for International Co-operation (Holland: Elsevier Science Publishers, 1992).

Both Organizations A and B had replaced system-generated passwords with user-generated ones, thus shifting the responsibility for creating secure passwords to the users. However, known rules for creating secure passwords were rarely communicated to users. Users were asked to complete a skilled design job without adequate training or online feedback. This problem was compounded by the security departments' implicit need-to-know policy on the sensitivity of particular information, potential security breaches, and risks. Users perceived threats to the organization to be low because, in their own judgment, the information was unimportant and no threats were visible. This misunderstanding led to the general misconception that password cracking is done on a "personal" basis: users perceived the risk to be low because their own role in the system was not important. Organization A decided to provide online support and feedback to users in the process of password design; a cracker program was installed, with constructive advice on secure password design provided to all users whose passwords were cracked. Online information on threats to password security (a "Monthly security report and update") is also being considered.

Finally, we found that users do not understand the authentication process, confusing the user identification (ID) and password sections. Many users assumed that IDs were another form of password to be secured and recalled in the same manner. This increased users' perception of the mental workload associated with passwords, which in turn reduced their motivation to comply with the suggested behavior. Within the organizations investigated, the IDs themselves may have caused this misconception: they had no standardized format across applications and were often meaningless nonwords. In response to this finding, Organization A decided to introduce a single sign-on for users with a high number of passwords and is considering the use of smart cards as an identification mechanism. User authentication using physical attributes (biometrics) does not require ID recall, and thus offers a mechanism with reduced mental overhead. The main drawback of these methods is the cost of both installation and monitoring. Organizations also have to consider whether the level and consequences of "false positive" alarms are acceptable to their business. Finally, there is the question of how to combine the specialized equipment required for such methods with remote access to systems, which is an increasing requirement in an age of nomadic professionals.



Security and Usability: Designing Secure Systems That People Can Use
ISBN: 0596008279
Year: 2004
Pages: 295