Can relaxing security policy restrictiveness improve user behavior? A field study of authentication credential usage

Jeffry Babb, Mark Keith, Paul Steinbart

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Often, security policies take an overly proscriptive approach designed to shape "secure" behavior in the specification of constraints, controls, and impediments to free action. In the case of very detailed policies, the user may not even understand the logic behind the behavior. This research poses a simple premise: if a desired state of system security can be achieved with a policy that affords the user a range of behavioral options, would the user be more likely to comply with the policy? We present findings from a field experiment in the context of password selection where secure behavior was enhanced by relaxing proscription (and prescription) by allowing universal cues in additional feedback tools to take precedence over explicit behavioral requirements. This is in keeping with aspects of Activity Theory, which proposes that familiar tools influence actor-structure interactions that lead to desired outcomes.

Original language: English (US)
Title of host publication: Proceedings of the 49th Annual Hawaii International Conference on System Sciences, HICSS 2016
Editors: Ralph H. Sprague, Tung X. Bui
Publisher: IEEE Computer Society
Pages: 4803-4812
Number of pages: 10
ISBN (Electronic): 9780769556703
State: Published - Mar 7 2016
Event: 49th Annual Hawaii International Conference on System Sciences, HICSS 2016 - Koloa, United States
Duration: Jan 5 2016 → Jan 8 2016

Publication series

Name: Proceedings of the Annual Hawaii International Conference on System Sciences
Volume: 2016-March
ISSN (Print): 1530-1605

Other

Other: 49th Annual Hawaii International Conference on System Sciences, HICSS 2016
Country/Territory: United States
City: Koloa
Period: 1/5/16 → 1/8/16

Keywords

  • Activity theory
  • Information security
  • Password strength
  • Security policy

ASJC Scopus subject areas

  • Engineering(all)
