In this paper, user perceptions of information systems security are explored through a study of university students. Server authentication, which is often ignored by users, clouded by system administrators, and exploited by hackers, is explored in detail, as it significantly affects usability and requires user knowledge and participation. The study also investigates the respondents’ consistency, gender differences, and assessment of their own knowledge. Although users appear knowledgeable about security technologies, they rely more on peer opinion and reputation of web sites when making security decisions.
TopMotivation
Successful security mechanisms depend on user participation. At best, users are seen as the weakest link in the chain of events that must occur for secure communications (Gross & Rosson, 2007). At worst, users are seen as “the enemy” of system administrators, actively working against security mechanisms (Adams & Sasse, 1999). Understanding users’ perception of security mechanisms can help us use technical mechanisms better, and improve the overall security of systems. System security is only as strong as the weakest link (Scheier, 2000).
The security mechanisms used on the internet are made up of a number of technologies that encrypt/decrypt and authenticate. Encryption/decryption involves scrambling/unscrambling data that is transmitted to prevent understanding of intercepted data. Authentication involves verification of the identity of the participants in the communication. Authentication is ideally 2-way: the user is authenticated by the system, and the system is authenticated by the user. User authentication is typically accomplished with a username and password, while system authentication is typically accomplished through a digital certificate. (Many other technologies exist, but these are the de facto standard mechanisms.)
The technologies involved are:
- •
HTTPS (Hypertext Transfer Protocol, Secure): The protocol that web browsers use to communicate securely with a web server.
- •
SSL (Secure Sockets Layer): The network protocol that accomplishes encryption on the media, which enables a web browser to communicate securely.
- •
Digital Certificates: Digital keys that are used to verify the identity of a participant.
- •
Certifying Authority: An organization (such as Thawte, Verisign, Geotrust) that certifies the identity of a web site by issuing a digital certificate.
The above technologies interact to accomplish secure communication between two participants (typically a user and a system.) In order for the communication to be secure, these conditions must be satisfied:
- 1.
The user has been authenticated by the system.
- 2.
The system has been authenticated by the user.
- 3.
The communication is encrypted.
Condition 1 above, is the concern of the system and system administrators, and is standard policy and practice in most secure environments. Condition 2 above is the sole responsibility of the user, and requires that the user confirm the identity of the server they are communicating with, i.e., is it the server they intend to exchange data with? Users can authenticate servers by inspection of the connection details: the URL, the digital certificate, etc. Condition 3 above is a cooperative effort between the server and the user’s client program, e.g., web browser. In some cases, the server can force a secure connection, but this is only effective if Condition 2 is satisfied. In cases where the server does not enforce a secure connection, the user needs to verify that the protocol in use is encrypted, and change if necessary, e.g., switch from an http connection to https. This study is mainly concerned with conditions 2 and 3, since these are conditions that require user participation. Consider the following combinations in Table 1.
Table 1. Matrix representing all possible combinations of false and real systems
| | System |
| Real | False |
| User | Real | Encrypted (1)
Unencrypted (5) | Encrypted (2)
Unencrypted (6) |
| False | Encrypted (3)
Unencrypted (7) | Encrypted (4)
Unencrypted (8) |