2008, Issa
11 pages
"The state of information security as a whole is a disaster, a train wreck". This view is given by describing the state of information security towards the end of the first decade of the 21st century. Amongst solutions offered, the view that security programs have to be holistic is proposed, indicating that technical controls are of little value without the workforce understanding the risks of their irresponsible behavior. Another solution proposed by them is the role of awareness and education. All levels of users should be targeted, letting them understand their role and responsibility in information security. Password-related behavior is often highlighted as a key component of information security awareness. However, studies have shown that password hygiene is generally poor amongst users.
IFIP Advances in Information and Communication Technology, 2013
Development and integration of technology give organisations the opportunity to be globally competitive. However, the potential misuse of Information Technology (IT) is a reality that has to be dealt with by management, individuals and information security professionals. Numerous threats have emerged over time in the networked world, but so have the ways of alleviating these risks. However, security problems are still imminent, as highlighted by the plethora of media articles and research efforts. The insider risk is stated as being around 80% of security threats [1] in a company. With this statistic in mind, management has to plan how to allocate resources to counteract the risks. Very often, simple measures such as good password behaviour are overlooked or not rated high enough to include in all security awareness programmes. This paper will focus on a study that assesses password management of future IT professionals. It will be demonstrated how management and educators can use these results to focus their efforts in order to improve users' password practices, thereby enhancing overall IT security.
Journal of Information Privacy and Security, 2008
Since passwords are one of the main mechanisms used to protect data and information, it is important to ensure that passwords are managed correctly and that those factors which will have a significant impact on password management are identified and prioritized. Therefore, in order for an information and communication technology (ICT) overall security program to be successful it must include a security awareness program or component. The aim of this paper is to perform an exploratory study with the objective of introducing certain fundamental causes that may impact password management. Empirical results, followed by a survey as well as the application of several management science techniques are presented.
Employees within the health care industry play an important role in the protection of patients and their own private and personal information. In most cases passwords provide the first line of defense which means that the use of insecure passwords can be costly. This paper reports on the results of an empirical study that was carried out among students at two universities, one in the USA and the other in South Africa, to assess their password choices. Results indicate that most students either do not know how to select a secure password or that they simply choose to ignore basic password security principles.
Information Management & Computer Security, 2010
Purpose - The dependence on human involvement and human behavior to protect information assets necessitates an information security awareness program to make people aware of their roles and responsibilities towards information security. The purpose of this paper is to examine the feasibility of an information security vocabulary test as an aid to assess awareness levels and to assist with the identification of suitable areas or topics to be included in an information security awareness program. Design/methodology/approach - A questionnaire has been designed to test and illustrate the feasibility of a vocabulary test. The questionnaire consists of two sections: a first section to perform a vocabulary test and a second one to evaluate respondents' behavior. Two different class groups of students at a university were used as a sample. Findings - The research findings confirmed that the use of a vocabulary test to assess security awareness levels will be beneficial. A significant relationship between knowledge of concepts (vocabulary) and behavior was observed. Originality/value - The paper introduces a new approach to evaluate people's information security awareness levels by employing an information security vocabulary test. This new approach can assist management to plan and evaluate interventions and to facilitate best practice in information security. Aspects of cognitive psychology and language were taken into account in this research project, indicating the interaction and influence between apparently different disciplines.
2011 Information Security for South Africa, 2011
An information security awareness program is regarded as an important instrument in the protection of information assets. In this study, the traditional approach to an information security awareness program is extended to include possible cultural factors relating to people from diverse backgrounds. The human factor, consisting of two closely related dimensions, namely knowledge and behaviour, plays a significant role in
2007
Abstract: The study that is reported here investigated password security and related issues at a South African tertiary institution. The main reason was to investigate why password security is such a problem for students. This was because students fell victim to people using their Internet identification to send nasty e-mail, to visit pornographic websites, etc. The study used a questionnaire and IS&T students at the University of KwaZulu-Natal as respondents.
Managing organizational security risks requires understanding how people behave when working in the context of organizational security policies and systems. Experience has shown that systems and policies developed without this understanding are at best ineffective, and at worst can increase the risks to the confidentiality, availability, and integrity of an organization's information. Developing this understanding requires the theories and methods of social science to construct an evidence base that can inform the construction of behaviorally-aware security policies and practically effective security systems.
The aim of this study was to investigate security awareness and social media usage in high learning institutions in Tanzania, using a case study of Mzumbe University. The study had three objectives: (i) to investigate social media users' level of awareness and preventive practice in relation to information security; (ii) to determine ways of improving the security awareness of social media users; and (iii) to investigate the highest reported security attacks on social media being addressed by high learning institutions in the form of formulating policy and practices. Findings from the study revealed that the majority of users (73%) do not feel vulnerable to security attacks. In addition to looking at responses to perceived vulnerability questions, it is important to explore whether vulnerability is influenced by the type of data stored in computers, the general security consciousness of users, and users' past experience with security attacks. Although some users admitted to handling confidential data, occasionally users assume that attackers are always after only technical and business information. When respondents were asked to rate their opinions on whether they had experienced any security breach, almost 41.7% (35 out of 84) of those who frequently lock their computers had never experienced a security breach before. This could be attributed to the fact that users work in different environments. The results of the sub-questions on users' awareness of and protection against security breaches indicated that the users have adequate skill to protect themselves against the security attacks that they are aware of. Some system administrators said that they often prefer to use technical tools to secure information systems. This study recommends that high learning institutions formulate clear system security policies, as the researcher observed during the study that most of the high learning institutions in Tanzania have poor security policy.
The use of Information and Communication Technology to collect and process large volumes of data into information has made it possible for organisations to find ways and means of making informed decisions within a short space of time. So much depends on information systems that system failure can adversely compromise the organisation's operations. The education sector has not been left out but has instead become an information super house. The development of information systems has, however, not been spared by malicious activities, whether internal or external, that tend to corrupt the much treasured information (Alghananeem, Altaee and Jida, 2014). The way employees handle information flow in the organisation can either put the organisation at risk or help protect the information and related information processing assets. This study was therefore aimed at assessing Information Security Awareness (ISA) among employees in the higher education sector in Zambia and how such levels contribute to information security efforts in higher learning institutions. The research was conducted by use of questionnaires grouped into five sections. The questionnaire was delivered to a total of 150 employees from the University of Zambia, Copperbelt University and Mulungushi University. The participants' years of service and level of education ranged from 1 year to over 10 years, and from Certificate to PhD holders respectively. According to the findings of this research, it can be concluded that when employee self-awareness of information security, information security awareness training, management's role in information security awareness and information security awareness compliance monitoring improve, this will translate into improved Information Security (IS) in higher institutions of learning in Zambia as well.
The results, in addition, also show that the higher learning institutions in Zambia do not attach the much needed support to information security awareness among its employees and there is also minimal support from top management.
IFIP International Federation for Information Processing, 2007
Information Security, 2007