Children’s Password-Related Books: Efficacious, Vexatious and Incongruous

Software is developed specifically for children and this often requires them to authenticate themselves, usually by entering a password. Password hygiene is important for children, because the principles they learn in early life will often endure across their life span. Children learn from their parents, siblings, teachers, and peers. They also learn from educational resources, such as children’s books. We carried out a content analysis of a range of children’s books that aims to educate children about passwords. We used directional coding, as informed by a systematic literature review of methods, such as those used in other content analysis-based studies of children’s books. We examined the principles the books taught, and whether these were correct. We also analysed how the books portrayed the genders of characters, in various roles. We found that principle coverage was variable, with books sometimes teaching outdated principles. Genders were evenly represented in the books. Finally, our analysis revealed conflation of the terms “safety” and “security” in the cyber domain. We conclude the paper by justifying the adjectives we use in the title.


Introduction
The use of digital technology by children has increased dramatically in recent years (Brittan et al. 2018). Forty two percent of UK children aged 5-7 own a tablet, and 5% own mobile phones (Ofcom 2019). It is fair to say that primary school children have never known life without technology, and also that many are increasingly using digital technology without supervision.
A range of IT systems are designed specifically for use by children. 1 Many of these require them to authenticate themselves, presumably to protect the child's account from impersonators. This is warranted when one realises that children are at increased risk of falling victim to a cyber crime (Power 2011). There is an urgent need for children to be educated about cyber security (Edwards et al. 2015;Willard 2012), and for them to learn the right concepts from the outset ). Lo (2001, p. 84) argues, "The best and most authentic materials by which to understand another culture are the books and stories written by authors of that culture for the participants of the culture." We thus focus on children's books, examining how they reflect the culture related to teaching children password "best practice." Despite the growth of the Internet and the global move to reliance on online sources (Coughlan 2013), young children still enjoy reading and being read to. Ofcom (2016) reported that reading was the third most popular activity of primary school-aged children. Given the growth in online content consumption by children, it is gratifying that the children's book market is still growing (Onwuemezi 2016).
Our investigation focuses on what children can learn about passwords from children's books. In carrying out this research, we aimed to answer two research questions: RQ1 How effectively do children's books teach password "best practice" principles? RQ2 Do the books perpetuate, or alleviate, existing cyberrelated gender stereotypes?
We commence, in the Children Authenticating section, by outlining the context of this investigation, and explaining the rationale behind the two research questions outlined above. Then, in the Password Hygiene Principles section, we report on a systematic literature review we carried out to gain insights into the methods used by other researchers to carry out this kind of investigation. Having used these insights to choose the best method, the Gender Representation section reports on our content analysis of children's books. The Systematic Literature Review section reflects on our findings and highlights their implications. We also discuss the limitations of our study and its ethical considerations, and conclude with the Searching and Refining section.

Children Authenticating
Designing authentication specifically for children is a neglected topic Renaud 2009). Issues such as heterogeneity in ability (Tomlinson 2001), language proficiency (Loban 1963) and the ethics of usability testing with children (Hanna et al. 1997) can leave developers unsure about how to design and implement authentication for this particular target user group. Usability testing with children is constrained by strict ethical requirements (Mac-Farlane et al. 2003) which might put developers off innovating with this target group. The reality is that most developers choose to deploy the password.

Password Hygiene Principles
Because children are using passwords, it is important to ensure that they are learning the correct principles from the outset (National Research Council 1996;Renaud et al. 2019). Teachers and parents need guidance in educating children about the cyber domain (Karuppiah 2015;Metz 2008;Appleton 2003;Harlen 1997) and might well rely on a book to gather insights themselves.
In this paper, we analyse a range of publicly-available children's books to see which password principles were being covered and whether they were correct.

Gender Representation
The IT industry has a well-known gender bias (Wang et al. 2019), as does the field of cyber security (Bagchi-Sen et al. 2010). Peacock and Irons (2017) highlight the barriers that female cyber security professionals face and the gender inequality in recruitment, opportunities, and progression. LeClair et al. (2014) and Caldwell (2013) point out that the cyber skills gap (GOV.UK 2018) could be closed much more quickly if both genders were recruited with equal success. Johnson Cobb (2018) refers to the female work force as an "untapped resource." Pescosolido et al. (1997) argue that children's literature is highly sensitive to existing social forces. That being so, an important cultural aspect that the books allow us to explore is that of portrayed gender representation in the cyber field. Kelly ( , p. 1191 argue, The gender balance of scientists featured in children's science trade books matters because it can activate stereotypes and affect students' comprehension.  argue that showing a particular gender less frequently than their population proportion reduces the value attributed to that gender in the narrative's domain. Weitzman et al. (1972Weitzman et al. ( , p. 1128 argue that most children's books are about boys, men, and male animals, and most deal exclusively with male adventures. This is confirmed by more recent studies (Paynter 2011;Filipović 2018). Other studies have shown that exposure to gender stereotypic stories leads to children conforming to these roles (Fagot and Leinbach 1989).
We examined children's password-related books to determine whether existing gender imbalances in the cyber domain were being unwittingly reinforced, or whether genders were portrayed in a balanced way.

Systematic Literature Review
We planned to carry out a content analysis of a sample of children's books to answer our research questions. Content analysis is defined as a research technique for making replicable and valid inferences from texts (or other meaningful matter) to the contexts of their use (White and Marsh 2006, pp. 26-27). The constructs used to inform this kind of analysis can originate, according to (White and Marsh 2006), from existing theories, knowledge experts or previous research. Our study is informed by our expert knowledge of password best practice principles as cyber security academics.
Before proceeding with our content analysis, we reviewed methodologies used by other researchers.

Searching and Refining
We searched for peer-reviewed research papers published, in English, between 2008 and 2019, using the keywords children's books and analysis.
As recommended by (Lowry 2002), we searched Academic Search Premier, SCOPUS, Social Science Citation Index, Science Citation Index, ACM Digital Library, IEEE Xplore, Springer, JSTOR, ProQuest, PsychInfo and ERIC. We also searched for theses that were available without payment (from Ethos, DART, PQDT, EBSCO Open Dissertations and NDTLD). Only peer-reviewed papers and chapters were included, with patents excluded. Figure 1 summarises the process whereby we arrived at the 74 papers we included in our analysis.

Outcome
We analysed the papers to assess the range of methodologies used in analysing the children's books. 2 If the author referred to analysing the children's books in such a way that the text revealed themes (i.e., not having any pre-defined categories to guide analysis), this was classified as "open coding." If they used pre-existing code categories, this was categorised as a "directional coding" analysis. If they specifically mentioned a different analysis approach, we included it as a separate category. The final list of methodologies is listed in Table 1.

Using Insights
This review informed our choice of method to use in our content analysis of children's books in the password domain. The most popular analysis method is directional coding i.e., using a pre-existing list of codes to inform the analysis. Because our first aim was to judge how well the books taught password "best practice" principles, this seemed the best methodology for our analysis, too: using a list of "best practice" principles as the pre-existing coding sheet. This could help us to determine: (a) whether each principle was covered, and (b) whether the advice was correct.
Our second aim was to examine the gender balance in the books. For this purpose, we recorded the gender of all the portrayed humans in the pictures in the books and their roles within the story. We also categorised the names used in the narrative to reveal gender balance. We coded these using the strategy described by ).

Password Best Practice in Children's Books
To answer RQ1, we needed a baseline to compare grounded "best practice" principles to those presented in the books. To this end, we derived an ontology of password "best practice" from advice published by standards bodies such as NIST and the NCSC in the UK (Prior and Renaud 2020). This gave us a benchmark to support analysis of the advice presented in the children's books. Figure 2 depicts the final best practice ontology. These principles were used as codes to inform our directional coding.
To answer RQ2, we carried out a frequency analysis of the pictures and character names in the books to quantify gender representation in the books.

Searching for Books
A range of talented authors publish IT-related children's books. For example, the publisher DK publishes Computer  (Miles and Huberman 1984) 23 Critical content/discourse analysis (Johnson et al. 2017;Van Dijk 2009) 4 Critical theory (Giroux 1981) 1 Overt and covert (quantitative and qualitative analysis) (Nair and Talif 2010) 1 Qualitative media analysis (Altheide and Schneider 2013) 1 Post-structural perspectives on discourse (MacNaughton 2005) and critical multicultural analysis (Botelho and Rudman 2009) 1 Semiotic analysis (Manning and Cullum-Swan 1994) 1 Descriptive summary of books 1 2 A full bibliography is available from Appendix A

Coding for Kids: A Unique
Step-by-Step Visual Guide, from Binary Code to Building Games. A Google search on https ://www.amazo n.co.uk in December 2019 for cyber bullying returned 98 books. These are important topics, but these books do not specifically cover password principles. We thus searched for education and reference books using the search term "passwords" on https ://www.amazo n.co.uk in December 2019. The first page displayed 16 books, 15 of which were books for recording passwords (definitely not good practice). Only one was a book to teach children about passwords, published in 2018. There were 14 pages in total. The subsequent pages did not include any relevant books.
To find more books, we visited the UK's national bookseller (Waterstones). They offered a wide range of cyber bullying and cyber safety books, but none dealt with password-related principles. We then searched for books on https ://www.amazo n.com, https ://www.worde ry.co. uk, https ://www.abebo oks.co.uk, https ://www.ebay.co.uk, https ://www.ebay.com and also at second-hand bookshops and our city's local public library. We borrowed and purchased books and downloaded Kindle books. To be included in the data analysis, the book had to mention passwords, either as a prominent part of a story or in explicit advice.
We retrieved a total of 21 books, 6 of which were discarded because, despite seeming applicable, they did not include password best practice guidance. There was no mention of passwords within (Masters 1983;Palin 2017;Orr 2008;AlQasem 2015), and some books were for adults (Sherman 2003;Ribble 2009). A total of 15 books (fiction n = 4, non-fiction n = 11) remained to support analysis. We commenced searching in November 2018 and concluded in November 2019. Table 2 lists the books we analysed.

Method
Phase 1: Password Best Practice Coverage we carried out directional coding (Miles and Huberman 1984), as informed by Dimac's coding of IT books . Each book is a single unit of analysis. We examined the book to reveal which principles were covered. For each principle that appeared, we considered whether it was conveyed correctly.
Phase 2: Picture Coding We counted each character's name in the book as being (1) a masculine name or pronoun (m) (he/e.g. James), (2) a feminine name or pronoun (f) (she/e.g. Charlotte), (3) gender neutral (they), or (4) ambiguous (e.g. Jo or Terry). When in doubt, we used the Fig. 2 Ontology of best practice password principles (amended from Prior and Renaud (2020)) Gender Checker website, 3 or the picture accompanying the use of the name, to classify names as either male or female. We then applied the same schema to the pictures, tallying the gender of (a) children ( / ), (b) adults ( / /?) or (c) hackers ( / /?). ( = male; = female; ? = ambiguous) The gender classification was judged independently by the two authors, who then met to agree on categorisations. Where they could not agree, a third independent researcher was consulted to help the coders to agree on a final gender classification. In rare cases where we could not decide, we classified the character as ambiguous. Figure 3 shows the coverage and correctness of the "best practice" principles conveyed in the children's books. Figure 4 shows the "best practice"coverage by each book, in total, and incorrectly. The minimum number of principles covered by each book was 4, and the maximum was 17. The Internet safety by Sherman (2003) 2003 NF 10+ Internet safety-kids' guide by Roddel (2006) 2006 NF Pre-teens Keep your passwords secret by Miller (2014) 2014 NF 12-17 Passwords and security by Minton (2014) 2014 NF 8-12 Lizzy's Triumph over cyber-bullying by Du Thaler (2015) 2015 F 8-12 Understanding computer safety by Mason (2015) 2015 NF 8-11 Usbourne staying safe online by Stowell (2016) 2016 NF 11+ The Magic Zablet by Gosnold (2016) 2016 F 9+ Lucy's family launches into the cyber world by Du Thaler (2017) 2017 F 8-12 Dot.Common Sense by Hubbard (2018a) 2018 NF 6-8 A focus on… online safety by Cavell-Clarke and Welch (2018) 2018 NF 5-8 Passwords are secret by Ardely (2018) 2018 NF 6-9 Staying safe online by Cavell-Clarke and Welch (2018) 2018 NF 6-9 Safety and security by Hubbard (2018b) 2018 NF 7-11 Sharing passwords featuring peggy the parrot by Stanley and Stead (2019) (2020) 1 3 mean was 6.73 and the median 5. The standard deviation was 3.51. The one outlier was 17 principles covered by a single book. Table 3 presents the tallies related to gender appearances in the children's books.

RQ1: How Effectively Do Children's Books Teach Password "Best Practice" Principles?
Our investigation revealed that password best practice principle, as shown in Fig. 2, coverage is variable. Some books covered only 4 principles, while others covered 17. None covered all advice, which is understandable given that these are children's books. More concerningly, eleven mingled correct and incorrect advice. This is unsurprising. The sources (Prior and Renaud 2020) consulted to derive the best practice ontology (Grassi et al. 2017, Centre for the Protection of National Infrastructure 2015; UK Government 2020) were published in 2017, and most of the books were published before then. Yet even the books published after 2017 contained incorrect advice. Only one recommended passphrases (PC2), as advised by all the latest standards documents. The most common piece of incorrect advice recommended password complexity (PC3). Moreover, not a single book suggests matching the strength of the password to the value of what is being protected (PC1). It is unreasonable to expect anyone to use the strongest possible password for all their accounts. In the physical world, this principle is taken for granted. The bank's vault uses a far stronger lock than a padlock which is attached to a suitcase. Yet in the virtual world, the advice is to use strong passwords for all accounts, and a number of books also advise not writing down the passwords. We know enough from studies into adult behaviour (Adams and Sasse 1999) to conclude that children are unlikely to be able to follow both of these pieces of advice at the same time.

RQ2: Do the Books Perpetuate, or Alleviate, Existing Cyber-Related Gender Stereotypes?
The table reveals that gender representation is fairly even handed, with a slight preference for females. We also noticed that the illustrators were predominantly female, but we do not know whether this is why the representation of gender is so well-balanced. Hackers are predominantly male in the books, but this is actually representative of the actual population of cyber hackers (Newcomb 2016). With only six appearances across all books, this does not seem concerning or significant. We can thus conclude that the books alleviate existing gender stereotypes, in terms of children of both genders using and learning about computers.

Conflation of Safety and Security
The observant reader will have noticed that many of the books we analysed include the word "safety" in their title. Even so, they did include advice about password principles, so we included them in our analysis. It turns out that this was a portent of a tendency in many of the books to conflate the terms "safety" and "security" in the cyber domain. Some examples demonstrate conflation or interchangeable usage. The book titled Staying Safe Online (Cavell-Clarke and Welch 2018) concludes with a two page spread titled Top Tips for Online Safety. This includes (1) thinking before you post, (2) being careful who you chat to, and (3) being careful about what is shared online. These are all arguably safety related. Yet the final piece of advice is: Always remember to keep your passwords private and make them difficult for other people to guess [p. 23]. Mason (2015) includes the same advice, also under a safety umbrella. This is related to cyber security and cyber safety. Keeping a strong password private will not guarantee a child's safety, either online or offline. The password is essentially a mechanism designed to protect information, not children's safety.
The book titled Keep Your Passwords Secret (Miller 2014) includes the following advice: "It is not safe to share your password" [p. 10]. The book titled Passwords and Security (Minton 2014) says: "Your password keeps your online account safe" [p. 4]. Safety is the wrong word to use in both these examples as these are security principles.
Addressing cyber security under a cyber/online "safety" umbrella is suboptimal and could lead to confusion. Cyber security exists as a separate discipline and ought to be distinguished from cyber safety. The differences are nuanced and require an independent study, so this will be the topic of future research.

Best Practice
An understanding of password "best practice" and cultural usage represented in children's books is important. Our review suggests that the books, at least the ones we were able to find, are not doing a great job of conveying password best practice principles correctly.
Given the durability of paper-based books, and the dynamic nature of the cyber field, we can only conclude that such books could well do more harm than good to any child who stumbles upon them. Even so, the fact that we were able to find relatively few books in a whole year of searching suggests that they are probably not going to have a huge impact. If we can make sure that the right advice gets to schools and parents, it is possible to counteract incorrect advice appearing in books and elsewhere.
It might seem that online sources are in a better position to provide up-to-date education, but we found that online sources, too, were delivering incorrect advice because they, too, were not kept up to date (Prior and Renaud 2020).
In a fast-moving domain, such as the cyber domain, it would be better for subject experts to produce best practice guidelines on a regular basis, perhaps annually, as a resource for teachers and parents (Von Solms and Von Solms 2015). The cyber world changes all the time, and the advice needs to be kept up to date too. Similar to the "foreign travel advice" issued by the UK government, cyber advice should be a dynamic resource, being kept up to date as the landscape changes and new standards replace outdated ones. A mechanism for supplying such advice to parents and teachers is urgently required.
As a first step towards formulating an educational approach, we developed three age-appropriate password "best practice" ontologies: for 4-5, 6-7 and 8-9 year olds (Prior and Renaud 2020). As a next step, we will work on lesson plans that teachers and parents could use to convey these principles to their charges. These need to be taught based on the children's existing comprehension of the domain, as recommended by (Edwards et al. 2018). Edwards et al. cite (Vygotsky 1987) to highlight the fact that any such teaching should be based on concrete principles, merging everyday and scientific concepts. This will be the topic of future research.

Gender Stereotyping
The implications of the findings are that young girls will also be able to imagine themselves using and learning about computers. Moreover, young boys will see that girls, too, can be equally active in the computer domain. This is a very positive effect of the way these books have been written and illustrated.

Cyber Safety and Cyber Security Conflation
The terms "safety" and "security" are often used either interchangeably or as a word pair (Hou et al. 2015;Jansen et al. 2016). Choong et al. (2019) found evidence that children were conflating safety and security, so this issue is unlikely to be limited to usage within children's books.
Even so, it is important to realise that cyber safety and cyber security have different meanings. The DigitalGuardian 4 defines cyber security as the body of technologies, processes, and practices designed to protect networks, devices, programs, and data from attack, damage, or unauthorized access. Cyber security may also be referred to as information technology security. The final phrase is important; cyber security is related to the confidentiality, integrity and availability of digitally stored information (Von Solms and Van Niekerk 2013).
It is much harder to find a good definition of cyber safety, as pointed out by (Thierer 2014). He argues that cyber safety can best be understood by relating the risks it covers: including "objectionable content," "predation," "cyberbullying" or "harassment." This makes it clear that cyber safety is not equivalent to cyber security, nor can a child's online safety be preserved solely by means of a password. Consider Jona, a child who has a social networking account. Jona knows how to use a strong password and does so. Jona proceeds to befriend other children online. One day a friend request arrives from a friend of one of Jona's friends. Jona is reassured by the fact that their best friend, Sam, is this person's friend and accepts the friend request. Jona has unwittingly been drawn into a grooming network. The new "friend" invites Jona to meet his other friends at a local park for a football game. Sam is also going, so Jona's parents permit Jona to accompany Sam. Having a strong password has not kept Jona safe. It might well prevent an online predator from impersonating Jona to groom other children. However, even without access to Jona's account, the groomer in this scenario is still able to pursue his criminal activities.
Having a strong password is thus necessary but not sufficient, a subtle distinction that might not necessarily be appreciated by care givers wanting to keep their charges safe, both on-and off-line. We did not find evidence that the books were helping their readers understand this distinction.
There is another concern, in addition to the fact that parents, educators and care givers could put misplaced faith in passwords to keep their children safe online. Children become aware of being kept safe at a young age as they are strapped into their car seats, or have their hands held when they cross the road. They are told that this is necessary to keep them from being hurt. Children believe that safety is the absence of harm or danger (Collins 2001). It is not impossible for the safety concept to become infused with the dread of being hurt or injured (Cantor and Omdahl 1999).
Children hearing the terms conflated could possibly start becoming worried about passwords and other cyber security principles instead of being reassured by the protection their deployment provides.
We should help adults, educators, and caregivers to understand the nuances of these concepts. If everyone is clear about the concept meanings, they will be able to communicate these to children more effectively.

Limitations
We spent a year gathering books to support analysis. The number we found was paltry, which suggests that this is not a popular topic. Yet our analysis of this small sample delivered insights into the kinds of advice being provided by children's password-related books, and highlighted the downsides of a paper-based resource in giving advice in such a fast-moving and dynamic field.

Ethics
No children participated in this research. This project did not require review by an Ethical Review Panel because no human subjects were involved. We reviewed published research literature and children's books that were publicly available.

Conclusion
We analysed a range of password-related children's books to determine what principles children were likely to learn from them, and what norms they communicated, in terms of gender balance. Our analysis also revealed a tendency for the books to conflate the key concepts of safety and security.
To return to the adjectives we used to describe children's books in the title: we will now argue that the books are efficacious, vexatious and incongruous: (1) When considering the way gender is being portrayed, we conclude that the books are efficacious, and have the ability to create desirable perceptions about gender balance in IT and cyber security.
(2) When considering the way safety and security are being conflated, we conclude that the books are vexatious. This highlights the urgent need to educate adults about the differences between safety and security, so that they can use these terms correctly when interacting with children.
(3) In terms of the best practice principles, we have shown that books are inefficacious. Paper-based books are an inappropriate mechanism to educate educators and parents about password best practice principles because they do not align with correct principles (i.e., they are incongruous).
In conclusion, this study highlights the fact that rather than relying on traditional sources to educate our children, the cyber field needs a more dynamic approach that can adapt to changing needs and emerging standards. Our children deserve correct and timely cyber security education, and we can meet this need, but we cannot do so using 20th century methods.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creat iveco mmons .org/licen ses/by/4.0/.