
The One-Eyed Leading the Blind: Understanding Differences Between IT Professionals and Non-IT Staff When Creating and Managing Passwords

  • Conference paper
  • In: Human Aspects of Information Security and Assurance (HAISA 2021)

Abstract

Passwords remain the standard mechanism by which organisations protect their information from unauthorised entities accessing, changing or misusing it. Organisations go to great lengths to educate their workers on the importance of creating and maintaining secure passwords.

Extensive research has been conducted on how users create and manage their passwords. To date, there is limited insight into how the behaviour of IT workers may differ from that of non-IT workers. By the nature of their roles, IT workers are generally assumed to have a greater understanding of what a secure password entails and of how insecure password behaviour may put an organisation’s resources at risk. Consequently, they are expected to have a positive influence on non-IT workers’ password behaviour.

This research sets out to test this assumption. The findings suggest significant differences between the password practices applied when IT and non-IT workers create and manage their passwords. However, poor security behaviour by both IT and non-IT workers was evident.


Author information

Corresponding author: Martin J. Butler

Copyright information

© 2021 IFIP International Federation for Information Processing

About this paper

Cite this paper

Brockbanks, P., Butler, M.J. (2021). The One-Eyed Leading the Blind: Understanding Differences Between IT Professionals and Non-IT Staff When Creating and Managing Passwords. In: Furnell, S., Clarke, N. (eds) Human Aspects of Information Security and Assurance. HAISA 2021. IFIP Advances in Information and Communication Technology, vol 613. Springer, Cham. https://doi.org/10.1007/978-3-030-81111-2_18

  • DOI: https://doi.org/10.1007/978-3-030-81111-2_18

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-81110-5

  • Online ISBN: 978-3-030-81111-2

  • eBook Packages: Computer Science (R0)
