The security of computer systems that store our data is a major issue facing the world. This research project investigated the roles of ease of use, facilitating conditions, intention to use passwords securely, experience and age on usage of passwords, using a model based on the Unified Theory of Acceptance and Use of Technology. Data was collected via an online survey of computer users, and analyzed using PLS. The results show there is a significant relationship between ease of use of passwords, intention to use them securely and the secure usage of passwords. Despite expectations, facilitating conditions only had a weak impact on intention to use passwords securely and did not influence actual secure usage. Computing experience was found to have an effect on intention to use passwords securely, but age did not. The results of this research lend themselves to assisting in policy design and better understanding user behavior.
TopBackground
Computer security has traditionally focused on securing technology. This encompasses securing it from physical theft, from intrusion (both internal and external threats), compromised integrity and the system’s level of availability. This is covered by the basic “Confidentiality, Integrity and Availability” (CIA) security model (Stanton, Stam, Mastrangelo, & Jolton, 2005). This model works well when the sole focus is on securing technology with minimal consideration for the users.
The users of a system are often neglected from consideration when planning the security schema of a network of systems (Adams & Sasse, 1999; Braz & Robert, 2006; Singh, Cabraal, & Hermansson, 2006; Zurko & Simon, 1996). In many instances, the failings of the security plan are seen as a failing of the users (Adams & Sasse, 1999; Zurko & Simon, 1996), rather than the failing of the technology. Since systems are provided for users to use, this shift of responsibility is crucial and the reason for many computer security failings.
A commonly held belief is that there is an inherent trade off between the usability and the security of any given system. However, “if people are unable to use secure computers, they will use computers that are not secure. At the end of the day, computers that are theoretically secure but not usable do little to improve the security of their users…the converse is also true: systems that are usable but not secure are, in the end, not very usable either” (Cranor & Garfinkel, 2005, p. x) .
A commonly used security model is the AAA model. This refers to three parts of computer security: Authentication, Authorization and Accounting (Langsford, Naemura, & Speth, 1983). Authentication can be summarized with the phrase “who you are”. Authentication aims to validate who a user claims to be. Once authenticated, a user’s credentials may allow them to perform certain actions in certain areas of the system. An example of authorization is the difference between the level of access a regular user has on a system and the level of access an administrator has. Accounting can be summarized with “what you did”. Once a user has been authenticated and authorized to do certain tasks, the accounting part records what that person did. Commonly, this is in the form of log files. Whilst all three components (among others) are important to effective computer and network security, authorization and accounting are beyond the scope of this research project. Most problems relating to the usability of security devices and techniques from the user perspective are concerned with the authentication phase (Adams & Sasse, 1999; Braz & Robert, 2006; Patrick, Long, & Flinn, 2003).