Peter Mayer, Fabian Ballreich, Reyhan Düzgün, Christian Schwartz, Melanie Volkamer

Creating Effective Awareness Materials for Password Security

Abstract

The use of secure passwords is an important element of any information security concept. Effective awareness-raising among employees about possible attacks on passwords, together with imparting the knowledge required to choose suitable passwords, is therefore of great importance for companies. This paper describes an iterative process for creating effective materials to raise employees' awareness of password security. The effectiveness of the process was verified by evaluating the materials in three medium-sized companies. The evaluation showed that, through the use of the materials, participating employees significantly improved their ability to recognize insecure password-related behaviour and to correctly assess the security of passwords, and that this significant improvement was still detectable after several months.




Mayer, P., Ballreich, F., Düzgün, R. et al. Erstellung von effektiven Sensibilisierungsmaterialien zur Passwortsicherheit. Datenschutz und Datensicherheit 44, 522–527 (2020). https://doi.org/10.1007/s11623-020-1318-9
