TRADE-OFFS AMONG ATTRIBUTES OF AUTHENTICATION
By
Sarah A Kusumastuti
Second Year Project
Submitted in partial fulfillment of the requirements
For the degree of Master of Arts
Department of Psychology
University of Southern California
August 6, 2016
Abstract
Authentication is a major component of protecting the security of online user services: it protects information from unauthorized users by requiring a means of identification before granting access. One of the most common forms of authentication is the password. Service providers impose a range of restrictions on password creation, for instance a minimum length or the inclusion of certain characters, which decrease the likelihood of unauthorized access yet create an inconvenience for the user. These requirements are related to the resources that service providers choose to allocate to securing their information, and the more sophisticated the security system, the more costly it is to maintain. Users therefore face multiple conflicting objectives when choosing services according to their authentication requirements. We analyze responses from 265 online service users to examine their attitudes towards balancing security, convenience, and cost by evaluating the extent to which they are willing to compromise an advantage in one objective for another. Results show that the majority of users are willing to pay more and to sacrifice convenience for better security, yet there is more variation in how much users are willing to pay than in how much convenience they are willing to sacrifice. The distribution of trade-off values does not differ significantly across contexts such as online banking, cloud service, and institutional account. We also identified measures (self-efficacy, response efficacy, response cost, and perceived severity) as user characteristics that influence trade-off values.
Keywords: authentication, behavioral information security, passwords, user behavior, computer security
Table of Contents
Abstract
Introduction
Background
  Password security
  Multiple conflicting objectives in password selection
  Generalizability of context
  Individual differences
Methods
  Participants
  Procedure
  Context
  Trade-off paradigm
  Psychometric measures
Results
  Trade-off values
  Individual differences
Discussion
References
Introduction
Authentication is an essential component of any secure information system. The capability to distinguish privileged users and to block unwanted access are both measures used to evaluate authentication systems. However, a system is only as secure as its users are competent in securing their authentication credentials. Unfortunately, humans are generally considered the 'weakest link' in cybersecurity (Sasse, Brostoff, & Weirich, 2001; Notoatmodjo, 2007; Creese et al., 2013).
Passwords are the most widely used form of authentication in secure systems (Bonneau et al., 2015). Because of their popularity, users often have to remember a considerable number of passwords for different services; the average user manages up to 15 passwords for different services (Florencio & Herley, 2007).
While keeping authentication credentials secure remains one of the main responsibilities of the user in preventing access by malicious parties, system administrators also have the task of implementing safeguards in the event of a breach. The effectiveness of authentication security depends on the resources allocated to securing the system, including both system capabilities and the manpower allocated to monitor the system and detect potential intrusions. Generally, the more sophisticated the system, the more it costs; it is up to the system administrator to determine the quantity of resources to allocate towards system security.
Variation in security standards among providers creates an extra dimension for users
determining their choice of services. How much users are willing to pay for an enhanced security
system depends on their own valuation of security. Different users may have different views
about the severity of the consequences resulting from information theft, as well as their belief that their own password practices would withstand an attacker's attempt to compromise the authentication process and gain entry.
This study explores how users balance their perception of security in relation to how
much it affects their convenience in generating passwords as well as how much they are willing
to pay for enhanced security. This study also examines individual differences that may
potentially affect user trade-offs and how that may affect their password habits and behavior
related to cyber security.
Background
Password security
As more services allow users to access data remotely with a password, users are more exposed to password policies and recommended password practices. A string of studies on password security over time suggests that users are becoming more aware of password security (Adams & Sasse, 1999; Notoatmodjo, 2007; Mwagwabi et al., 2014), yet in reality users still practice unsafe password behaviors such as using common, guessable passwords (e.g. "123456" or "password"), using one password for multiple accounts, or writing passwords down on a piece of paper.
Some papers have explored reasons for these risky behaviors (Zviran & Haga, 1999;
Herley, 2009; Helkala, 2011). Cognitive limits on memory are generally believed to drive most
of these risky behaviors. Generating safe (i.e. complex) passwords for multiple accounts, as well
as memorizing them, takes some effort, therefore users may try to reduce their cognitive load by
reusing passwords or writing them down at the expense of increasing their vulnerability to
password hacking.
Previous research indicates that while users may be aware of the negative consequences of password theft, they often minimize the risk to their own security. Users either underestimate the likelihood of such an attack happening to them or the extent of the damage that could result. Creese et al. (2013) investigated the use of the password from one account to access other, more sensitive accounts (e.g., using the password from someone's online game account to access their e-mail account). The accumulation of various personal data could also lead to identity theft (Jakobsson & Myers, 2006).
Lack of password compliance is costly both for users and for system administrators (Beautement, Sasse & Wonham, 2009). It leads to higher individual and system vulnerability (particularly for the accounts of system administrators), which wastes security resources. Yet compliance also creates a cost for users because of the increased time and effort required to manage passwords (Adams & Sasse, 1999; Sasse, Brostoff & Weirich, 2001). Requirements may decrease productivity due to events such as access denial following an inability to recall a password, or having to reset a password.
Multiple conflicting objectives in password selection
In order to understand user behavior towards password selection and how it relates to
security, it is beneficial to map user objectives onto relevant password selection policies. These
objectives are naturally conflicting, so one would expect some necessary trade-offs, requiring
gains related to one objective to be obtainable only at the expense of a loss or performance
reduction on another objective. The objectives we formulated are as follows:
1. Maximizing convenience
Convenience in passwords can be either convenience in generating passwords or convenience in remembering them. The former is particularly important when the secure system requires a periodic password change. This restriction is in place to limit how long a compromised password remains usable, and users are required to generate each replacement according to the prescribed rules. The inconvenience of this is that users have to add another password to their memory, with the possibility of being denied access because they can recall only previous or most-used passwords. The difficulty of recalling passwords increases when many restrictions are placed on generating passwords, such as a minimum number of characters, requirements on upper and lower case, or the obligation to include special characters. For users, it is often difficult enough to generate a password that fulfils all the requirements, but they are also required to remember it. With different systems having different requirements, users are faced with creating and remembering a variety of different passwords, each selected to conform to particular system requirements. Florencio & Herley (2007) found that the average user manages passwords for 15 different accounts at any given time. This can be very confusing and can result in the use of the same password for multiple accounts.
2. Maximizing security
The general motivation for creating complex passwords is to decrease the likelihood of unauthorized access through password guessing (Campbell, Kleeman & Ma, 2007). While it is easier and more convenient to remember simple passwords and reuse them for different accounts, such passwords are much more vulnerable to guessing attacks, in which an unauthorized user gains access to the account by trying common passwords or other information people often use for passwords (e.g. dates of important days such as birthdays). Increasing the complexity of a password can make a dramatic difference in how much effort is needed to gain access. For instance, a password such as "usctrojans" would take 9 hours to crack, while "USCTroj4ns#1" would take 344 thousand years (Howsecureismypassword.net, 2016). Such estimates assume an exhaustive search over the full character space at a fixed guessing rate; an attacker who starts from a dictionary word and applies common substitutions and suffixes explores a far smaller space, so a password derived from "usctrojans" would fall considerably faster than the estimate suggests.
3. Minimizing cost
Unauthorized access through password hacking may cause large losses for both users and system administrators (Herley, 2009). Naturally, more secure and sophisticated systems require more resources to run and maintain. The cost of implementing such systems may also be passed on to users, often in the form of higher fees. Additionally, system administrators may decide that they need more security experts to monitor and maintain the security of the servers, which would also add to the cost of using the system.
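Added example (not code from the thesis or from the estimator it cites) of the caveat in objective 2 above: a short Python script that computes the exhaustive-search space the usual crack-time estimators assume for the two passwords in the text, and then shows how few guesses a rule-based attacker starting from "usctrojans" needs before reaching "USCTroj4ns#1". The guess rate, the substitution table and the suffix list are assumptions chosen for illustration; only the two passwords come from the thesis.

```python
"""Added example (not code from the thesis): why crack-time estimates that
count only exhaustive search can be misleading.

The estimator the thesis cites models an attacker who enumerates every
string over the character classes present in the password. An attacker
who starts from a base word and applies common substitutions and suffixes
("mangling rules") explores a far smaller space. The guess rate, the
leet table and the suffix list below are assumptions chosen for
illustration; the two passwords are the thesis's own examples.
"""
import itertools
import string
from typing import Iterator, Optional

GUESSES_PER_SECOND = 1_000_000  # assumed attacker speed, illustration only

# Assumed mangling rules: leet substitutions and suffixes an attacker would try.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ("", "1", "!", "#1", "123", "2016")


def brute_force_keyspace(pw: str) -> int:
    """Number of strings an exhaustive attack must consider, using the usual
    estimator model: (size of the union of character classes present) ** length."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(cls) for cls in classes if any(c in cls for c in pw))
    return alphabet ** len(pw)


def brute_force_seconds(pw: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the password by exhaustive search (half the keyspace)."""
    return brute_force_keyspace(pw) / 2 / rate


def mangled_candidates(base: str) -> Iterator[str]:
    """Yield guesses derived from `base` in a fixed order: every subset of leet
    substitutions, then every 'uppercase the first k characters' variant
    (k = 0 .. len), then every suffix."""
    positions = [i for i, c in enumerate(base) if c in LEET]
    for r in range(len(positions) + 1):
        for subset in itertools.combinations(positions, r):
            chars = list(base)
            for i in subset:
                chars[i] = LEET[chars[i]]
            stem = "".join(chars)
            for k in range(len(stem) + 1):
                variant = stem[:k].upper() + stem[k:]
                for suffix in SUFFIXES:
                    yield variant + suffix


def guesses_to_find(base: str, target: str) -> Optional[int]:
    """1-based number of mangled guesses tried before `target` is hit,
    or None if the rule set never produces it."""
    for n, candidate in enumerate(mangled_candidates(base), start=1):
        if candidate == target:
            return n
    return None


def mangling_seconds(base: str, target: str,
                     rate: int = GUESSES_PER_SECOND) -> Optional[float]:
    """Time for the rule-based attacker to reach `target` from `base`."""
    n = guesses_to_find(base, target)
    return None if n is None else n / rate


if __name__ == "__main__":
    for pw in ("usctrojans", "USCTroj4ns#1"):
        print(f"{pw}: keyspace {brute_force_keyspace(pw):.2e}, "
              f"exhaustive ~{brute_force_seconds(pw):.3g} s, "
              f"mangled from 'usctrojans' in "
              f"{guesses_to_find('usctrojans', pw)} guesses")
```

The exhaustive model rates "USCTroj4ns#1" at 94^12 candidates, yet the mangling generator reaches it within a few hundred guesses from its base word, which is the gap the caveat above describes.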
Some studies have explored trade-offs between objectives such as convenience and
security (Tam, Glassman & Vandenwauver, 2010) and security and cost (Jakobsson, Yang &
Wetzel, 2008). Here we examine trade-offs by evaluating the prioritization of each objective in
contributing to the decision making process. This approach of mapping users’ value system by
comparing their “weights” is developed within the framework of Multi-Attribute Utility Theory
(MAUT) (Keeney & Raiffa, 1976). Our method determines the weight of each objective by requiring respondents to make binary choices between password security policies that vary on exactly two attributes. Multiple binary choices are generally required to reach an indifference point that defines (or bounds) the trade-off between the two selected attributes.
Generalizability of context
Some studies (Florencio & Herley, 2007; Inglesant & Sasse, 2010) have observed that
password habits and attitude may differ depending on context and type of information that is
protected in the account. Florencio, Herley & van Oorschot (2014) identified 5 types of accounts
according to their levels of risk and postulate that users will display different password behaviors
depending on the consequence of each account being breached. There has also been a finding
that suggests otherwise (Ur et al., 2015). In this experiment, participants generated passwords on
a fictional news website, online bank, or e-mail account. Researchers found that the vast majority
of participants did not consider the different levels of risk associated with different accounts and
instead produced passwords with similar complexity across all accounts.
Individual differences
The role of individual differences in attitudes towards security has been studied by several researchers (Woon et al., 2005; Workman et al., 2008; Herath & Rao, 2009; Johnston & Warkentin, 2010; Mwagwabi, 2015). One of the most commonly used frameworks for modeling these attitudes is Protection Motivation Theory (PMT), introduced by Rogers (1975) and revised by Maddux & Rogers (1983). Many of these studies take a correlational approach and use self-reported measures, but more recent studies have taken an experimental approach, manipulating the framing of questions to influence participants' risk perception, for example with fear appeals. Workman, Bommer & Straub (2008) constructed a variation of PMT as a threat control model to understand the "knowing-doing gap" and how it can be used to guide better security policies. The "knowing-doing gap" refers to users failing to adhere to good security practices even when they understand their benefits. Mwagwabi (2015) used the model to explore attitudes towards security risks and how they influence password behavior. That study concluded that policy training should focus on raising awareness of the prevalence and likelihood of cyberattacks and on convincing users that the recommended actions can make a difference.
Methods
Participants
The experiment was conducted on the Qualtrics survey platform. Respondents were
recruited from Amazon Mechanical Turk (AMT), allowing us to reach a more diverse and
representative subject pool (Buhrmester, Kwang, & Gosling 2011; Paolacci, Chandler, &
Ipeirotis 2010). We analyzed the responses of 265 respondents, randomly assigned to one of
three system context conditions: online banking (100), cloud service (81), and institutional
account (84). Respondents’ age ranged from 18 to 65 years with a median of 30 years. The
sample was about evenly split between females (N=126, 47%) and males.
Procedure
We defined four password features that correspond to our three designated objectives.
The description and ranges of each feature are included in Table 1. As a measure of security, we
used rate of stolen passwords, defined as how many people annually have their accounts
accessed without permission. This is expressed as the number of users out of 1000 victimized
annually and ranges from 10 in 1000 users (1%) to 400 in 1000 users (40%).
We used the monthly account subscription price as a measure of cost. The monthly cost is also accompanied by its yearly equivalent in the display, e.g. $7/month ($84/year). For this experiment, the possible costs range from $1/month ($12/year) to $21/month ($252/year).
Two features, password expiration time and password complexity, were developed as a
representation of convenience. Password expiration time is defined (in months) as “how long
your password is valid before it expires. When it expires, you will not be given access to your
account until you generate a new password”. An example would be an expiration time of 6
months which is equivalent to a requirement of changing the account password twice a year.
Password expiration time in this experiment ranges from 1 to 12 months. Password complexity is
defined as “the level of complexity of the rules you must follow to create a password for your
account.” This feature is a dichotomous attribute which is either “high” or “low”. High
complexity corresponds to more stringent password requirements such as requiring lower and
upper case letters, requiring special characters, and imposing a minimum length, for instance
“x_+hEll0+=_x” (12 characters) or “mO4GV9ey” (8 characters). Low complexity passwords
correspond to a more relaxed requirement for generating passwords which does not require
complex rules, for instance “pass” (4 characters) or “12345” (5 characters).
Table 1: Description and Value Ranges of Password Features
Attribute: Rate of stolen passwords. Definition: how many people annually have their accounts accessed without permission. Range: 10 in 1000 users to 400 in 1000 users. Objective: Maximize Security.
Attribute: Cost. Definition: monthly fee of the service plan. Range: $1/month ($12/year) to $21/month ($252/year). Objective: Minimize Cost.
Attribute: Password expiration time. Definition: how long your password is valid before it expires; when it expires, you will not be given access to your account until you generate a new password. Range: 1 to 12 months. Objective: Maximize Convenience.
Attribute: Password complexity. Definition: the level of complexity of the rules you must follow to create a password for your account. Range: Low vs. High. Objective: Maximize Convenience.
Context
To test the generalizability of the valuations across different contexts, we developed three decision contexts which describe the settings in which respondents use passwords. One context involves choosing between two different plans offered by a bank to access online banking features such as deposits, withdrawals, and transfers. Another involves choosing between two online file storage accounts (also known as "cloud" services) which contain a backup of one's private files such as pictures, videos, and other personal documents. A third context involves an organizational/institutional account tied to a company or institution (e.g. a university) with which the respondent is employed or affiliated. This account allows access to work-related files such as e-mail and payroll information.
The experiment was conducted online and respondents were randomly assigned to one of the three contexts: (1) online banking, (2) cloud service, or (3) institutional/organizational account. Respondents were shown a brief video explaining the concepts involved in the experiment, particularly the definition of the four features and a description of the assigned account type. Respondents were then presented with a series of binary choices covering all six possible attribute pairs, with a maximum of three choices per attribute pair, for a total of 18 (3 x 6) possible binary choices. At the end of the experiment, we collected demographic information, including age, sex, and political views. We also asked respondents to answer a set of self-report measures regarding their perception of security, including self-efficacy, perceived severity, response efficacy, and response cost. These scales are adapted from a study (Workman, Bommer & Straub, 2008) of user perceptions of cybersecurity based on Protection Motivation Theory (Rogers, 1975).
Trade-off paradigm
Tversky, Sattath and Slovic (1988), in their paper "Contingent weighting in judgment and choice," describe a method that we adapted to elicit the trade-offs between the attributes in each pair. The method consists of presenting two hypothetical options, say A and B, constructed such that option A is more desirable on Attribute 1 but lacking on Attribute 2, while B is advantageous on Attribute 2 but less satisfactory on Attribute 1. The respondent is then forced to weigh the relative improvement (i.e., the difference) on each attribute in choosing between the two hypothetical options. If the respondent judges the differences to be equivalent, she finds the two options equally attractive, and the trade-off between the two attributes is established implicitly in terms of the attribute units. This trade-off is the variable of interest, as it allows calculation of an exchange rate between the units of each attribute (Keeney and Raiffa, 1976).
For this experiment, we implemented the following protocol: respondents are given the
choice of two hypothetical plans for online services that they are interested in joining. As
described above, plans are defined along four separate attributes. We vary two of the attributes in
each binary choice, leaving performance on the other two attributes equivalent. Consider, for
example, varying the rate of stolen passwords and cost, while leaving the two convenience
attributes equal for the two options. A graphical representation of all the possible trials is shown
in Figure 1.
Consider two plans: Plan A, which costs $24/year with an annual rate of stolen passwords of 50 in 1000 users (5%), and Plan B, which costs $12/year with an annual rate of stolen passwords of 150 in 1000 users (15%). Plan A has a higher cost but a lower rate of stolen passwords, while Plan B is cheaper yet not as secure. If a respondent chooses A, she values the increased security (indicated by the lower rate of stolen passwords) at more than the cost difference of $12/year. If she chooses Plan B, she believes the increased security is worth less than the cost difference of $12/year. If she indicates that she is indifferent between the two options, then the value of reducing the rate of stolen passwords from 150 to 50 per 1000 is exactly $12 per year. An exact value of the exchange rate is therefore determined only when the respondent indicates indifference. If the respondent does not indicate indifference after three binary choices, the exchange rate for that pair of attributes is bounded by the three previous choices, and the respondent proceeds to the next pair of attributes.
Figure 1: Graphical representation of trade-off value elicitation trials
Note that the later binary choices (rounds 2 and 3) are selected based on the prior choices (rounds 1 and 2) so as to bound the trade-off consistently. In general, either the selected option is made less attractive by decreasing its performance on one of the two selected attributes, or the non-selected option is made more attractive by increasing its performance on one of the two selected attributes. In the example above, if the respondent chooses Plan A in round 1, the cost of Plan A is increased to $48/year (with the same rate of stolen passwords), and the respondent again compares the costlier Plan A to the original Plan B. If the respondent continues to choose Plan A, then she believes that the 10 percentage point reduction in stolen passwords (from 15% to 5%) is worth more than the difference in cost ($36/year); if she chooses Plan B, her valuation of that reduction lies between $12/year and $36/year; and if she is indifferent, then the difference in cost, $36/year, is considered a fair price for the increased security.
In all of the trials, we set the remaining two attributes (in the previous case, password complexity and password expiration time) at exactly the same levels, so that they should be irrelevant under an assumption of independence. Each respondent considers at most three binary choices for each pair of attributes. The method gives us an interval of trade-off values; for analysis and display we use the midpoint of each interval.
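An added illustration, not part of the thesis, of the elicitation protocol described in this section and of the MAUT weighting it operationalizes: a Python simulation that runs the three adaptive rounds for the cost versus rate-of-stolen-passwords pair against a simulated respondent with a hidden exchange rate, and returns the bounding interval, its midpoint, and the category the Results section reports. Because Figure 1 is not reproduced on this page, the probe schedule after round 2 (a jump to the top of the cost range, $252 - $12 = $240), the bisection rule once both bounds exist, the indifference tolerance, and the linear respondent model are all assumptions.

```python
"""Added example, not code from the thesis: a simulation of the adaptive
binary-choice protocol that bounds a respondent's exchange rate between
annual cost and the rate of stolen passwords.

Assumptions (the thesis's Figure 1 is not reproduced on this page):
  * Plan B is fixed at the base cost ($12/year) with the higher theft rate;
    Plan A has the lower theft rate and its cost is moved between rounds.
  * While the value is still unbounded above, the cost difference is probed
    on the schedule 12 -> 36 -> 240 (the text gives the first two steps;
    240 = $252 - $12 is the top of the cost range).
  * Once bounded on both sides, the next probe bisects the interval.
  * Three rounds at most; an indifferent answer fixes the value exactly.
  * The simulated respondent has a linear, hidden exchange rate.
"""
from dataclasses import dataclass
from typing import Callable, Literal, Optional

Choice = Literal["A", "B", "indifferent"]


@dataclass(frozen=True)
class Plan:
    cost_per_year: float
    stolen_per_1000: int


@dataclass(frozen=True)
class Interval:
    lo: float            # lower bound on the value, dollars per year
    hi: Optional[float]  # upper bound; None means right-censored (always chose A)


UNBOUNDED_PROBES = (12.0, 36.0, 240.0)  # assumed cost-difference schedule


def make_respondent(value_per_100: float, tol: float = 0.5) -> Callable[[Plan, Plan], Choice]:
    """Simulated respondent: each reduction of 100 per 1000 in stolen passwords
    is worth `value_per_100` dollars/year to them. Net advantages within
    `tol` dollars are reported as indifference."""
    def choose(a: Plan, b: Plan) -> Choice:
        security_gain = value_per_100 * (b.stolen_per_1000 - a.stolen_per_1000) / 100
        net = security_gain - (a.cost_per_year - b.cost_per_year)
        if abs(net) <= tol:
            return "indifferent"
        return "A" if net > 0 else "B"
    return choose


def elicit(respondent: Callable[[Plan, Plan], Choice],
           base_cost: float = 12.0, secure_rate: int = 50,
           insecure_rate: int = 150, rounds: int = 3) -> Interval:
    """Run up to `rounds` binary choices and return the bounds on what the
    respondent would pay per year for the lower theft rate."""
    lo: float = 0.0
    hi: Optional[float] = None
    diff = UNBOUNDED_PROBES[0]
    for r in range(rounds):
        plan_a = Plan(base_cost + diff, secure_rate)
        plan_b = Plan(base_cost, insecure_rate)
        choice = respondent(plan_a, plan_b)
        if choice == "indifferent":
            return Interval(diff, diff)       # exact exchange rate
        if choice == "A":
            lo = diff                         # worth at least this much
        else:
            hi = diff                         # worth less than this
        if hi is None:
            # still no upper bound: take the next (larger) probe from the schedule
            diff = UNBOUNDED_PROBES[min(r + 1, len(UNBOUNDED_PROBES) - 1)]
        else:
            diff = (lo + hi) / 2              # bisect the bounded interval
    return Interval(lo, hi)


def midpoint(iv: Interval) -> float:
    """Point value used for analysis; a right-censored interval is summarised by
    its lower bound, since no finite upper bound was observed."""
    return iv.lo if iv.hi is None else (iv.lo + iv.hi) / 2


def classify(iv: Interval) -> str:
    """Map an interval onto the categories reported in the Results section."""
    if iv.hi is None:
        return "always chooses the more secure plan"
    if iv.lo == 0.0:
        return "not willing to pay more for security"
    return "bounded"


if __name__ == "__main__":
    for value in (5.0, 20.0, 24.0, 1000.0):
        iv = elicit(make_respondent(value))
        print(f"hidden value ${value}/yr -> interval {iv}, "
              f"midpoint {midpoint(iv)}, {classify(iv)}")
```

Running the simulation for a respondent worth $20/year per 100-per-1000 reduction reproduces the text's sequence (A at $12, B at $36, then the bisection probe at $24) and ends with the interval [12, 24]; a respondent who chooses A in all three rounds is right-censored at the $240 ceiling, which is the "always chooses the more secure plan regardless of price" group in the Results.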
Psychometric Measures
After completing the experiment, respondents completed a battery of self-report measures related to their attitudes towards privacy and cybersecurity. The items are based on the constructs introduced in Protection Motivation Theory (PMT) and its subsequent revision (Rogers, 1975; Rogers, 1983), adapted by Workman, Bommer & Straub (2008) to the cybersecurity context. Items are partitioned into four subscales: self-efficacy, response efficacy, perceived severity, and response cost. Analysis of internal consistency showed that each subset of questions has high reliability, with Cronbach's alpha (α) between 0.78 and 0.93 for each construct. We then conducted a factor analysis to verify the hypothesized 4-factor structure.
Self-efficacy is the belief in one's ability to execute the recommended course of action successfully. Five items correspond to self-efficacy, measured on a 5-point Likert scale (α=0.81). Response efficacy refers to an individual's belief as to whether the recommended course of action will actually avert the threat. Cronbach's alpha for the five items measuring response efficacy (also on a 5-point Likert scale) is 0.93. The higher an individual scores on perceived severity, the more concerned they are about the effect of a harmful event. Perceived severity is measured with four items on a 5-point Likert scale (α=0.90). Response cost relates to the individual's perception of how much inconvenience or sacrifice they must accept in order to follow a recommended action (Herath & Rao, 2009). Cost in this context refers to any resource which could otherwise be allocated to improving productivity, such as time and effort. Unlike the other three attitude constructs, response cost is measured on a 3-point scale indicating whether the cost of implementing extra security measures exceeds its benefits, is outweighed by its benefits, or neither exceeds nor is outweighed by its benefits. A high score on this measure indicates that the cost is outweighed by the benefit. Three items in the questionnaire correspond to response cost (α=0.78).
Table 2 shows the correlations among the four measures, which are generally low with the exception of that between self-efficacy and response efficacy. A confirmatory factor analysis was conducted comparing two models in which (1) self-efficacy and response efficacy are treated as two distinct constructs and (2) both are combined into one construct called efficacy. The model with four distinct factors performs significantly better than the 3-factor model according to the fit indices. The 4-factor model has a Comparative Fit Index (CFI) of 0.937 compared to 0.832 for the 3-factor model; a CFI value over 0.9 is considered an indicator of good model fit (Hu & Bentler, 1999). The Root Mean Square Error of Approximation (RMSEA) values also show that the 4-factor model has less approximation error than the 3-factor model, with RMSEA values of 0.053 and 0.133 respectively; models with RMSEA below 0.06 are generally considered to demonstrate acceptable fit (Hu & Bentler, 1999). We conclude that it is reasonable to treat these constructs as distinct yet related concepts.
Table 2: Correlation between factors
                     Self Efficacy   Response Efficacy   Perceived Severity
Response Efficacy    0.62
Perceived Severity   0.13            0.07
Response Cost        0.27            0.27                0.23
Results
Trade-off Values
We obtained trade-off values for all six pairs among the four attributes [1], but we focus here on the three trade-offs involving the security measure, rate of stolen passwords. The cumulative distribution of values across all contexts for the three pairs is shown in Figure 2. The overall shape of the distribution of trade-off values persists across all three contexts (online banking, cloud service, and institutional account). Nonparametric tests (Kolmogorov-Smirnov) indicate no statistically significant differences between the three contexts for any trade-off combination [2].
[1] For the trade-off between cost and password complexity, the median difference in cost per year to switch from an account with a high-complexity password to an account with a low-complexity password is $6/year. For the trade-off between cost and password expiration time, the median difference in cost per year to switch to an account that has 6 more months of expiration time is $18/year. For the trade-off between password complexity and expiration time, the median difference in password expiration time to switch from an account with high complexity to an account with low complexity is 0.5 months.
[2] We also conducted Mann-Whitney-Wilcoxon and Kruskal-Wallis tests for differences between medians and likewise found no statistically significant differences.
Figure 2: Cumulative distribution of trade-off values
The rate of exchange for convenience (password complexity and expiration time) are
relatively low, meaning that respondents are less willing to trade off security for convenience.
First we take a look on the evaluations concerning password complexity. On the trade-off
TRADE-OFFS AMONG ATTRIBUTES OF AUTHENTICATION
19
between rate of stolen passwords and password complexity (2a), majority of the respondents
(67.65%) are not willing at all to accept a higher rate of stolen password to switch to an account
with low password complexity from an account with high password complexity and rate of
stolen password of 10 in 1000 users (1%). A high value in this trade-off indicates a high
willingness to trade off security for convenience.
When we compare password expiration time with rate of stolen passwords (2b), 75% of
the respondents always switch to the account with the shorter password expiration time (our
lower bound is 2.5 months) with lower rate of stolen password (50 in 1000 users or 5%) when
compared to an account with a rate of stolen passwords of 150 in 1000 users (15%) and
password expiration time of 12 months. The lower the trade-off value for this exchange pair, the
more respondents are willing to trade off their expiration time for a lower rate of stolen
passwords, which means a higher valuation of security.
On the trade-off between cost and rate of stolen passwords (2c), we see more variety
within the responses. Only 10.65% of respondents are not willing to pay any more to decrease
rate of stolen passwords, while 20.32% will always choose the plan with the lower rate of stolen
passwords regardless of the price difference between the plans. These respondents would rather
choose the plan with a lower rate of stolen passwords (10 in 1000 users, 1%) and pay $252/year
than the plan which costs $12/year but has a higher rate of stolen passwords (100 in 1000 users,
10%). The median price of a plan where the respondents are willing to switch to the plan with
the lower rate of stolen passwords (10 in 1000 users) is around $96 per year, again compared
with a plan with the higher rate of stolen passwords (100 in 1000 users) which costs $12/year.
Individual differences
We calculated the correlation between the respondents’ trade-off values for each pair and
their individual characteristics by obtaining Spearman's ρ between the two variables.
Note that in the trade-off between cost and rate of stolen passwords, a higher trade-off value
indicates a higher valuation of security, because it represents how much money the respondent is willing
to trade off for better security, while in the two other trade-offs (password expiration time and
rate of stolen passwords; rate of stolen passwords and password complexity) a higher trade-off
value indicates a lower valuation of security, because it represents how much
security the respondent is willing to trade off for a longer password expiration time or lower password
complexity.
Trade-off values concerning increased password security (reduction in stolen passwords)
and financial costs were not related to sex, age, or political orientation, but some statistically
significant relationships were found between the trade-off values and scores on the behavioral
measures.
Scores for self-efficacy correlate with trade-off involving password complexity and rate
of stolen passwords; those who score high on self-efficacy are less willing to accept an increased
rate of stolen passwords in order to reduce their password complexity from high to low.
The responses for two of the three trade-off combinations show statistically significant
correlations with the scores for response efficacy. Those with high scores for response efficacy
are more willing to pay more to reduce the rate of stolen passwords from 100 in 1000 users to 10
in 1000 users and are less willing to accept an increased rate of stolen passwords to reduce
password complexity from high to low.
A statistically significant correlation with the score for perceived severity is found in
all three trade-offs: respondents who score higher on perceived severity are more willing
to pay more to reduce the rate of stolen passwords from 100 in 1000 users to 10 in 1000 users, more
willing to sacrifice expiration time to decrease the rate of stolen passwords, and less willing to
accept an increased rate of stolen passwords to switch from an account with a high-complexity
password requirement to an account with a low-complexity password requirement.
For response cost we detected statistically significant correlations in the trade-off between
password expiration time and rate of stolen passwords and in the trade-off between rate of stolen passwords and
password complexity. Those who score higher on response cost are less willing to accept a higher rate of
stolen passwords, and to sacrifice password expiration time, in order to lower password complexity from high
to low. This suggests that these respondents are more willing to forgo the convenience of having a low
complexity password for better security (a lower rate of stolen passwords).
Table 3: Spearman ρ values for relationships between trade-off values and measure scores

| Attribute pair | Unit | Self efficacy | Response efficacy | Response cost | Perceived severity |
|---|---|---|---|---|---|
| Cost vs. rate of stolen passwords | $ to switch from 100 in 1000 users to 10 in 1000 users | -0.001 | 0.197 | 0.126 | 0.155 |
| Password expiration time vs. rate of stolen passwords | months of password expiration time to switch from 150 in 1000 users to 50 in 1000 users | 0.007 | -0.083 | -0.120 | -0.208 |
| Rate of stolen passwords vs. password complexity | rate of stolen passwords in 1000 users to switch from high to low complexity password | -0.128 | -0.130 | -0.177 | -0.184 |
| Reliability (Cronbach's α) | | 0.871 | 0.921 | 0.781 | 0.89 |
Discussion
The results reveal a general pattern of valuation between cost, security, and convenience
that helps regulate users’ password choices and behaviors. We did not find any statistically
significant differences across the three authentication security contexts (online banking, cloud
service, and institutional account) for any of the three trade-offs, which indicates that users’
valuation of password attributes generalizes across various cyber contexts. This is contrary
to the prevailing conventional wisdom that users have different password behaviors according to
the perceived value of their accounts (Florencio, Herley & van Oorschot, 2014; Nithyanand &
Johnson, 2013).
Minimizing cost is a very relevant objective in selecting among systems that vary in
authentication security. In the trade-off between maximizing security and minimizing cost, there is more
variation in how much extra respondents are willing to pay, as reflected in the interquartile range
of $42/year to $216/year. In general, users indicate willingness to pay the financial costs for
more secure systems. Maximizing convenience is also a relevant objective in respondents’
decision making, particularly password expiration time, where 12.5% of respondents are not
willing to endure a shorter password expiration time in exchange for a lower rate of stolen
passwords (better security).
Willingness to sacrifice security for convenience is a pattern that has been shown in other
studies (Vu et al., 2007; Barra et al., 2010; Tam, Glassman & Vandenwauver, 2010). The general
consensus among these studies focuses on the phenomenon of shortsightedness, where users are
highly sensitive to the possibility of not being able to remember their password relative to the
likelihood of having their password compromised. This phenomenon is a form of temporal
discounting in a loss frame, where the consequences of an event that occurs later are valued
less than those of an event that happens sooner, even when the later event is significantly more severe.
This is often observed in choices related to health (Chapman, 1996), such as smoking or eating
unhealthy food.
The results of our psychometric measures are consistent with those of Mwagwabi (2015),
in which users’ confidence in the effectiveness of their actions (as represented by response
efficacy) is related to users’ trade-offs. Respondents who score higher on this measure show
more willingness to sacrifice their convenience in favor of security. Perceived severity
shows the same trend: respondents with higher scores are more willing to sacrifice
convenience for security.
In relation to this result, a recommendation for system administrators in forming
password policies is to consider users’ risk perception and confidence in the system to be able to
protect their information. Users who value their information more highly will be more willing to
sacrifice their convenience in order to have more secure systems, as reflected in the correlations
between all the trade-off values with perceived severity. Password behaviors are also affected by
users’ confidence, both in their own abilities to keep themselves secure and also in how the
recommended policies will give them their expected result as reflected by the correlation of the
trade-off values with self-efficacy and response efficacy. Recognizing the extent to which users
are willing to trade off their security will help develop security policies that are more aligned
with user priorities, thus encouraging compliance and a reasonable compromise for providing
security in a convenient and cost-effective manner.
Our research has demonstrated that by using the trade-off method and mapping user
objectives, we can quantify trade-offs among relevant authentication policy features. The results
of our study also demonstrate substantial individual differences in the exchange rates between
password attributes, which affect user password behavior. This result should be considered by
system administrators responsible for setting authentication policies; one size does not fit all.
References
Adams, A., & Sasse, M. A. (1999). Users are not the enemy. Communications of the ACM,
42(12), 40-46.
Barra, R. A., McLeod, A., Savage, A., & Simkin, M. G. (2010). Passwords: Do user preferences
and website protocols differ from theory? Journal of Information Privacy and Security, 6(4), 50-69.
Beautement, A., Sasse, M., & Wonham, M. (2009). The compliance budget: Managing security
behaviour in organisations. Proceedings of the 2008 Workshop on New Security Paradigms, 47-58.
doi:10.1145/1595676.1595684
Bonneau, J., Herley, C., van Oorschot, P. C., & Stajano, F. (2015). Passwords and the evolution
of imperfect authentication. Communications of the ACM, 58(7), 78-87.
Buhrmester, M., Kwang, T., & Gosling, S. D. (2011). Amazon's Mechanical Turk a new source
of inexpensive, yet high-quality, data? Perspectives on Psychological Science, 6(1), 3-5.
Campbell, J., Kleeman, D., & Ma, W. (2007). The good and not so good of enforcing password
composition rules. Information Systems Security, 16(1), 2–8. doi:10.1080/10658980601051375
Chapman, G. B. (1996). Temporal discounting and utility for health and money. Journal of
Experimental Psychology: Learning, Memory, and Cognition, 22(3), 771.
Creese, S., Hodges, D., Jamison-Powell, S., & Whitty, M. (2013). Relationships between
password choices, perceptions of risk and security expertise. In Human aspects of information
security, privacy, and trust (pp. 80-89). Berlin Heidelberg: Springer. doi:10.1007/978-3-642-39345-7-9
Crossler, R. E., Johnston, A. C., Lowry, P. B., Hu, Q., Warkentin, M., & Baskerville, R. (2013).
Future directions for behavioral information security research. Computers & Security, 32, 90-101.
doi:10.1016/j.cose.2012.09.010
Florencio, D., & Herley, C. (2007, May). A large-scale study of web password habits. In
Proceedings of the 16th International Conference on World Wide Web (pp. 657-666). ACM.
doi:10.1145/1242572.1242661
Florêncio, D., Herley, C., & Van Oorschot, P. C. (2014). An administrator’s guide to internet
password research. In 28th Large Installation System Administration Conference (LISA14) (pp.
44-61).
Helkala, K. (2011). Password education based on guidelines tailored to different password
categories. Journal of Computers, 6(5), 969–975. doi:10.4304/jcp.6.5.969-975
Herath, T., & Rao, H. R. (2009). Protection motivation and deterrence: a framework for security
policy compliance in organisations. European Journal of Information Systems, 18(2), 106-125.
Herley, C. (2009, September). So long, and no thanks for the externalities: the rational rejection
of security advice by users. In Proceedings of the 2009 Workshop on New Security Paradigms
(pp. 133-144). ACM.
Hu, L. T., & Bentler, P. M. (1999). Cutoff criteria for fit indexes in covariance structure analysis:
Conventional criteria versus new alternatives. Structural Equation Modeling: A multidisciplinary
Journal, 6(1), 1-55.
Inglesant, P. G., & Sasse, M. A. (2010, April). The true cost of unusable password policies:
Password use in the wild. In Proceedings of the SIGCHI Conference on Human Factors in
Computing Systems (pp. 383-392). ACM.
Jakobsson, M., & Myers, S. (Eds.). (2006). Phishing and countermeasures: Understanding the
increasing problem of electronic identity theft. Hoboken, New Jersey: John Wiley & Sons.
Jakobsson, M., Yang, L., & Wetzel, S. (2008, October). Quantifying the security of preference-
based authentication. In Proceedings of the 4th ACM Workshop on Digital Identity Management
(pp. 61-70). ACM.
Johnston, A. C., & Warkentin, M. (2010). Fear appeals and information security behaviors: An
empirical study. MIS Quarterly, 34(3), 549-566.
Keeney, R. L., & Raiffa, H. (1976). Decisions with multiple objectives: Preferences and value
trade-offs. Cambridge, United Kingdom: Cambridge University Press.
Maddux, J. E., & Rogers, R. W. (1983). Protection motivation and self-efficacy: A revised
theory of fear appeals and attitude change. Journal of Experimental Social Psychology, 19(5),
469-479.
Mwagwabi, F., McGill, T., & Dixon, M. (2014, January). Improving compliance with password
guidelines: How user perceptions of passwords and security threats affect compliance with
guidelines. In 2014 47th Hawaii International Conference on System Sciences (HICSS) (pp.
3188-3197). IEEE. doi:10.1109/HICSS.2014.396
Mwagwabi, F. M. (2015). A Protection Motivation Theory approach to improving compliance
with password guidelines (Unpublished doctoral dissertation). Murdoch University, Australia.
Nithyanand, R., & Johnson, R. (2013, November). The password allocation problem: Strategies
for reusing passwords effectively. In Proceedings of the 12th ACM Workshop on Privacy in the
Electronic Society (pp. 255-260). ACM.
Notoatmodjo, G. (2007). Exploring the ‘Weakest link’: A study of personal password security
(Masters thesis). The University of Auckland, New Zealand.
Paolacci, G., Chandler, J., & Ipeirotis, P. G. (2010). Running experiments on Amazon
Mechanical Turk. Judgment and Decision making, 5(5), 411-419.
Rogers, R. W. (1975). A protection motivation theory of fear appeals and attitude change. The
Journal of Psychology, 91(1), 93-114.
Sasse, M. A., Brostoff, S., & Weirich, D. (2001). Transforming the ‘weakest link’—a
human/computer interaction approach to usable and effective security. BT technology journal,
19(3), 122-131.
Stanton, J. M., Stam, K. R., Mastrangelo, P., & Jolton, J. (2005). Analysis of end user security
behaviors. Computers and Security, 24(2), 124–133. doi:10.1016/j.cose.2004.07.001
Tam, L., Glassman, M., & Vandenwauver, M. (2010). The psychology of password
management: A tradeoff between security and convenience. Behaviour & Information
Technology, 29(3), 233-244.
Ur, B., Noma, F., Bees, J., Segreti, S. M., Shay, R., Bauer, L., Christin, N., & Cranor, L. F.
(2015). "I added '!' at the end to make it secure": Observing password creation in the lab. In
Eleventh Symposium On Usable Privacy and Security (SOUPS 2015) (pp. 123-140).
Vu, K. P. L., Proctor, R. W., Bhargav-Spantzel, A., Tai, B. L. B., Cook, J., & Schultz, E. E.
(2007). Improving password security and memorability to protect personal and organizational
information. International Journal of Human-Computer Studies, 65(8), 744-757.
doi:10.1016/j.ijhcs.2007.03.007
Woon, I., Tan, G. W., & Low, R. (2005). A protection motivation theory approach to home
wireless security. International Conference on Information Systems 2005 Proceedings, 31.
Workman, M., Bommer, W. H., & Straub, D. (2008). Security lapses and the omission of
information security measures: A threat control model and empirical test. Computers in Human
Behavior, 24(6), 2799-2816. doi:10.1016/j.chb.2008.04.005
Zviran, M., & Haga, W. J. (1999). Password security: an empirical study. Journal of
Management Information Systems, 15(4), 161–185. Retrieved from
http://dl.acm.org/citation.cfm?id=1189470
Asset Metadata
Creator: Kusumastuti, Sarah A. (author)
Core Title: Trade-offs among attributes of authentication
School: College of Letters, Arts and Sciences
Degree: Master of Arts
Degree Program: Psychology
Publication Date: 07/22/2016
Defense Date: 07/20/2016
Publisher: University of Southern California (original), University of Southern California. Libraries (digital)
Tag: authentication, behavioral information security, computer security, OAI-PMH Harvest, passwords, user behavior
Format: application/pdf (imt)
Language: English
Contributor: Electronically uploaded by the author (provenance)
Advisor: John, Richard S. (committee chair), Dehghani, Morteza (committee member), Monterosso, John (committee member)
Creator Email: kusumast@usc.edu, sa.kusumastuti@gmail.com
Permanent Link (DOI): https://doi.org/10.25549/usctheses-c40-273661
Unique identifier: UC11280465
Identifier: etd-Kusumastut-4579.pdf (filename), usctheses-c40-273661 (legacy record id)
Legacy Identifier: etd-Kusumastut-4579-0.pdf
Dmrecord: 273661
Document Type: Thesis
Rights: Kusumastuti, Sarah A.
Type: texts
Source: University of Southern California (contributing entity), University of Southern California Dissertations and Theses (collection)
Access Conditions: The author retains rights to his/her dissertation, thesis or other graduate work according to U.S. copyright law. Electronic access is being provided by the USC Libraries in agreement with the a...
Repository Name: University of Southern California Digital Library
Repository Location: USC Digital Library, University of Southern California, University Park Campus MC 2810, 3434 South Grand Avenue, 2nd Floor, Los Angeles, California 90089-2810, USA