Can relaxing security policy restrictiveness improve user behavior? A field study of authentication credential usage

Jeffry Babb, Mark Keith, Paul Steinbart

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Often, security policies take an overly proscriptive approach designed to shape "secure" behavior in the specification of constraints, controls, and impediments to free action. In the case of very detailed policies, the user may not even understand the logic behind the behavior. This research poses a simple premise: if a desired state of system security can be achieved with a policy that affords the user a range of behavioral options, would the user be more likely to comply with the policy? We present findings from a field experiment in the context of password selection where secure behavior was enhanced by relaxing proscription (and prescription) by allowing universal cues in additional feedback tools to take precedence over explicit behavioral requirements. This is in keeping with aspects of Activity Theory which proposes that familiar tools influence actor-structure interactions that lead to desired outcomes.

Original language: English (US)
Title of host publication: Proceedings of the 49th Annual Hawaii International Conference on System Sciences, HICSS 2016
Publisher: IEEE Computer Society
Pages: 4803-4812
Number of pages: 10
Volume: 2016-March
ISBN (Electronic): 9780769556703
DOIs: https://doi.org/10.1109/HICSS.2016.596
State: Published - Mar 7 2016
Event: 49th Annual Hawaii International Conference on System Sciences, HICSS 2016 - Koloa, United States
Duration: Jan 5 2016 - Jan 8 2016

Other

Other: 49th Annual Hawaii International Conference on System Sciences, HICSS 2016
Country: United States
City: Koloa
Period: 1/5/16 - 1/8/16

Fingerprint

Authentication
Security systems
Specifications
Feedback
Experiments

Keywords

  • Activity theory
  • Information security
  • Password strength
  • Security policy

ASJC Scopus subject areas

  • Engineering(all)

Cite this

Babb, J., Keith, M., & Steinbart, P. (2016). Can relaxing security policy restrictiveness improve user behavior? A field study of authentication credential usage. In Proceedings of the 49th Annual Hawaii International Conference on System Sciences, HICSS 2016 (Vol. 2016-March, pp. 4803-4812). [7427783] IEEE Computer Society. https://doi.org/10.1109/HICSS.2016.596

@inproceedings{52601b21fe2248cea2e2b3901b74d3f8,
title = "Can relaxing security policy restrictiveness improve user behavior? A field study of authentication credential usage",
abstract = "Often, security policies take an overly proscriptive approach designed to shape ``secure'' behavior in the specification of constraints, controls, and impediments to free action. In the case of very detailed policies, the user may not even understand the logic behind the behavior. This research poses a simple premise: if a desired state of system security can be achieved with a policy that affords the user a range of behavioral options, would the user be more likely to comply with the policy? We present findings from a field experiment in the context of password selection where secure behavior was enhanced by relaxing proscription (and prescription) by allowing universal cues in additional feedback tools to take precedence over explicit behavioral requirements. This is in keeping with aspects of Activity Theory which proposes that familiar tools influence actor-structure interactions that lead to desired outcomes.",
keywords = "Activity theory, Information security, Password strength, Security policy",
author = "Jeffry Babb and Mark Keith and Paul Steinbart",
year = "2016",
month = "3",
day = "7",
doi = "10.1109/HICSS.2016.596",
language = "English (US)",
volume = "2016-March",
pages = "4803--4812",
booktitle = "Proceedings of the 49th Annual Hawaii International Conference on System Sciences, HICSS 2016",
publisher = "IEEE Computer Society",
address = "United States",

}

TY - GEN

T1 - Can relaxing security policy restrictiveness improve user behavior? A field study of authentication credential usage

AU - Babb, Jeffry

AU - Keith, Mark

AU - Steinbart, Paul

PY - 2016/3/7

Y1 - 2016/3/7

N2 - Often, security policies take an overly proscriptive approach designed to shape "secure" behavior in the specification of constraints, controls, and impediments to free action. In the case of very detailed policies, the user may not even understand the logic behind the behavior. This research poses a simple premise: if a desired state of system security can be achieved with a policy that affords the user a range of behavioral options, would the user be more likely to comply with the policy? We present findings from a field experiment in the context of password selection where secure behavior was enhanced by relaxing proscription (and prescription) by allowing universal cues in additional feedback tools to take precedence over explicit behavioral requirements. This is in keeping with aspects of Activity Theory which proposes that familiar tools influence actor-structure interactions that lead to desired outcomes.

AB - Often, security policies take an overly proscriptive approach designed to shape "secure" behavior in the specification of constraints, controls, and impediments to free action. In the case of very detailed policies, the user may not even understand the logic behind the behavior. This research poses a simple premise: if a desired state of system security can be achieved with a policy that affords the user a range of behavioral options, would the user be more likely to comply with the policy? We present findings from a field experiment in the context of password selection where secure behavior was enhanced by relaxing proscription (and prescription) by allowing universal cues in additional feedback tools to take precedence over explicit behavioral requirements. This is in keeping with aspects of Activity Theory which proposes that familiar tools influence actor-structure interactions that lead to desired outcomes.

KW - Activity theory

KW - Information security

KW - Password strength

KW - Security policy

UR - http://www.scopus.com/inward/record.url?scp=84975453046&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84975453046&partnerID=8YFLogxK

U2 - 10.1109/HICSS.2016.596

DO - 10.1109/HICSS.2016.596

M3 - Conference contribution

AN - SCOPUS:84975453046

VL - 2016-March

SP - 4803

EP - 4812

BT - Proceedings of the 49th Annual Hawaii International Conference on System Sciences, HICSS 2016

PB - IEEE Computer Society

ER -