Search results

1 – 10 of 15
Article
Publication date: 6 June 2019

Jeffrey P. Kaleta, Jong Seok Lee and Sungjin Yoo

Abstract

Purpose

The purpose of this paper is to focus on a potential tradeoff between security and usability in people’s use of online passwords – in general, complex passwords are secure and desirable but difficult to use (i.e. difficult to memorize) whereas simple passwords are easy to use, but are insecure and undesirable. Construal level theory (CLT) explains how high vs low construal level causes people to focus on “desirability” vs “feasibility” of an action, which in the research context can translate into the “security” vs “usability” of using passwords.

Design/methodology/approach

The authors conducted a series of three laboratory experiments manipulating people’s construal level and investigating its impact on password use.

Findings

The authors found that people who were induced to think at a high construal level created or showed intention to choose stronger passwords relative to people who were induced to think at a low construal level. Furthermore, this effect was also significantly different from the control group who did not receive any experimental treatment. In addition, the authors found that perspective taking targeted at the desirability of creating a strong password further strengthened the effect of a high construal level on intended password choice.

Originality/value

This research makes several contributions to existing literature on password security. First, this research offers CLT as a theoretical lens to explain an individual’s thinking and behavior concerning online password use. Second, this research offers empirical evidence that a high construal level improves users’ password use, a desirable feature for improved security. Third, this research contributes to the literature on how to apply nudging to influence human behavior toward more desirable, stronger, password use. Finally, our research identifies PT as a factor enhancing the positive effect of a high construal level on online users’ password use.

Article
Publication date: 14 March 2016

Xiaoying Yu and Qi Liao

Abstract

Purpose

Passwords have been designed to protect individual privacy and security and widely used in almost every area of our life. The strength of passwords is therefore critical to the security of our systems. However, due to the explosion of user accounts and increasing complexity of password rules, users are struggling to find ways to make up sufficiently secure yet easy-to-remember passwords. This paper aims to investigate whether there are repetitive patterns when users choose passwords and how such behaviors may affect us to rethink password security policy.

Design/methodology/approach

The authors develop a model to formalize the password repetitive problem and design efficient algorithms to analyze the repeat patterns. To help security practitioners to analyze patterns, the authors design and implement a lightweight, Web-based visualization tool for interactive exploration of password data.

Findings

Through case studies on a real-world leaked password data set, the authors demonstrate how the tool can be used to identify various interesting patterns, e.g. shorter substrings of the same type used to make up longer strings, which are then repeated to make up the final passwords, suggesting that the length requirement of password policy does not necessarily increase security.

Originality/value

The contributions of this study are two-fold. First, the authors formalize the problem of password repetitive patterns by considering both short and long substrings and in both directions, which have not yet been considered in the past. Efficient algorithms are developed and implemented that can analyze various repeat patterns quickly even in large data sets. Second, the authors design and implement four novel visualization views that are particularly useful for exploration of password repeat patterns, i.e. the character frequency charts view, the short repeat heatmap view, the long repeat parallel coordinates view and the repeat word cloud view.

Details

Information & Computer Security, vol. 24 no. 1
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 16 July 2024

Michael J Rooney, Yair Levy, Wei Li and Ajoy Kumar

Abstract

Purpose

The increased use of Information Systems (IS) as a working tool for employees increases the number of accounts and passwords required. Despite being more aware of password entropy, users still often participate in deviant password behaviors, known as “password workarounds” or “shadow security.” These deviant password behaviors can put individuals and organizations at risk, resulting in a data breach. This paper aims to engage IS users and Subject Matter Experts (SMEs), focused on designing, developing and empirically validating the Password Workaround Cybersecurity Risk Taxonomy (PaWoCyRiT) – a 2x2 taxonomy constructed by aggregated scores of perceived cybersecurity risks from Password Workarounds (PWWAs) techniques and their usage frequency.

Design/methodology/approach

This research study was a developmental design conducted in three phases using qualitative and quantitative methods: (1) A set of 10 PWWAs that were identified from the literature were validated by SMEs along with their perspectives on the PWWAs usage and risk for data breach; (2) A pilot study was conducted to ensure reliability and validity and identify if any measurement issues would have hindered the results and (3) The main study data collection was conducted with a large group of IS users, where they also reported on coworkers' engagement frequencies related to the PWWAs.

Findings

The results indicate that statistically significant differences were found between SMEs and IS users in their aggregated perceptions of risks of the PWWAs in causing a data breach, with IS users perceiving higher risks. Engagement patterns varied between the two groups, as well as factors like years of IS experience, gender and job level had statistically significant differences among groups.

Practical implications

The PaWoCyRiT taxonomy that we have developed and empirically validated is a handy tool for organizational cyber risk officers. The taxonomy provides organizations with a quantifiable means to assess and ultimately mitigate cybersecurity risks.

Social implications

Passwords have been used for a long time to grant controlled access to classified spaces, electronics, networks and more. However, the dramatic increase in user accounts over the past few decades has exposed the realization that technological measures alone cannot ensure a high level of IS security; this leaves the end-users holding a critical role in protecting their organization and personal information. Thus, the taxonomy that the authors have developed and empirically validated provides broader implications for society, as it assists organizations in all industries with the ability to mitigate the risks of data breaches that can result from PWWAs.

Originality/value

The taxonomy we have developed and validated, the PaWoCyRiT, provides organizations with insights into password-related risks and behaviors that may lead to data breaches.

Details

Information & Computer Security, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 23 August 2022

Crystal T. Lee and Ling-Yen Pan

Abstract

Purpose

Sellers view facial recognition mobile payment services (FRMPS) as a convenient and cost-saving way to receive immediate payments from customers. For consumers, however, these biometric identification technologies raise issues of usability as well as privacy, so FRMPS are not always preferable. This study uses the stressor–strain–outcome (S–S–O) framework to illuminate the underlying mechanism of FRMPS resistance, thereby addressing the paucity of research on users' negative attitudes toward FRMPS.

Design/methodology/approach

Drawing from the stressor–strain–outcome (S–S–O) framework, the purpose of this study is to illuminate the underlying mechanism of FRMPS resistance. To this end, the authors invited 566 password authentication users who had refused to use FRMPS to complete online survey questionnaires.

Findings

The findings enrich the understanding of FRMPS resistance and show that stressors (i.e. system feature overload, information overload, technological uncertainty, privacy concern and perceived risk) aggravate the strain (i.e. technostress), which then leads to users’ resistance behaviors and negative word of mouth.

Originality/value

Advances in payment methods have profoundly changed consumers’ consumption and payment habits. Understanding FRMPS resistance can provide marketers with strategies for dealing with this negative impact. This study theoretically confirms the S–S–O paradigm in the FRMPS setting and advances it by proposing thorough explanations of the major stressors that consumers face. Building on their findings, the authors suggest ways service providers can eliminate the stressors, thereby reducing consumers’ fear and preventing resistance or negative word-of-mouth behaviors. This study has valuable implications for both scholars and practitioners.

Details

Journal of Services Marketing, vol. 37 no. 3
Type: Research Article
ISSN: 0887-6045

Article
Publication date: 9 December 2022

Christian Meske, Ireti Amojo and Christoph Müller

Abstract

Purpose

Online flight booking websites compare airfares, convenience and other consumer relevant attributes. Environmental concerns are typically not addressed, even though aviation is the most emission-intensive mode of transportation. This article demonstrates the potential for digital nudges to facilitate more environmentally friendly decision-making on online flight booking websites.

Design/methodology/approach

The authors used the digital nudging design process to implement two nudging interventions in an experimental setting on a fictitious flight booking website. The two nudging interventions are (1) an informational nudge, presented as an emission label, and (2) an understanding mapping nudge, presented as an emission converter.

Findings

This article finds that both digital nudges are useful interventions in online choice environments; however, emission labels more effectively encourage sustainable booking behavior.

Originality/value

The contributions of this article are twofold. In contribution to research, this article builds on existing research in sustainability contexts and successfully evaluates the effectiveness of anchoring and understanding mapping heuristics to influence sustainable decision-making in virtual environments. Furthermore, in contribution to practice, this article contributes knowledge to nudge design and provides hands on examples for designers or website operators on how to put nudge designs to practice in virtual choice environments. Additionally, this article contributes relevant considerations in a high-impact research field with growing importance given the global climate crisis.

Details

Information Technology & People, vol. 37 no. 1
Type: Research Article
ISSN: 0959-3845

Article
Publication date: 11 February 2019

Melissa Carlton, Yair Levy and Michelle Ramim

Abstract

Purpose

Users’ mistakes due to poor cybersecurity skills result in up to 95 per cent of cyber threats to organizations. Threats to organizational information systems continue to result in substantial financial and intellectual property losses. This paper aims to design, develop and empirically test a set of scenarios-based hands-on tasks to measure the cybersecurity skills of non-information technology (IT) professionals.

Design/methodology/approach

This study was classified as developmental in nature and used a sequential qualitative and quantitative method to validate the reliability of the Cybersecurity Skills Index (CSI) as a prototype-benchmarking tool. Next, the prototype was used to empirically test the demonstrated observable hands-on skills level of 173 non-IT professionals.

Findings

The importance of skills and hands-on assessment appears applicable to cybersecurity skills of non-IT professionals. Therefore, by using an expert-validated set of cybersecurity skills and scenario-driven tasks, this study established and validated a set of hands-on tasks that measure observable cybersecurity skills of non-IT professionals without bias or the high-stakes risk to IT.

Research limitations/implications

Data collection was limited to the southeastern USA and while the sample size of 173 non-IT professionals is valid, further studies are required to increase validation of the results and generalizability.

Originality/value

The validated and reliable CSI was operationalized as a tool that measures the cybersecurity skills of non-IT professionals. This benchmarking tool could assist organizations with mitigating threats due to vulnerabilities and breaches caused by employees due to poor cybersecurity skills.

Details

Information & Computer Security, vol. 27 no. 1
Type: Research Article
ISSN: 2056-4961

Open Access
Article
Publication date: 7 January 2019

Monica T. Whitty

Abstract

Purpose

This paper aims to develop a theoretical framework to predict susceptibility to cyber-fraud victimhood.

Design/methodology/approach

A survey was constructed to examine whether personality, socio-demographic characteristics and online routine activities predicted one-off and repeat victimhood of cyber-fraud. Overall, 11,780 participants completed a survey (one-off victims, N = 728; repeat victims = 329).

Findings

The final saturated model revealed that psychological and socio-demographic characteristics and online routine activities should be considered when predicting victimhood. Consistent with the hypotheses, victims of cyber-frauds were more likely to be older, score high on impulsivity measures of urgency and sensation seeking, score high on addictive measures and engage in more frequent routine activities that place them at great risk of becoming scammed. There was little distinction between one-off and repeat victims of cyber-frauds.

Originality/value

This work uniquely combines psychological, socio-demographic and online behaviours to develop a comprehensive theoretical framework to predict susceptibility to cyber-frauds. Importantly, the work here challenges the current utility of government websites to protect users from becoming scammed and provides insights into methods that might be used to protect users from becoming scammed.

Details

Journal of Financial Crime, vol. 26 no. 1
Type: Research Article
ISSN: 1359-0790

Article
Publication date: 22 April 2022

Wee-Kheng Tan and Chun Yu Hsu

Abstract

Purpose

Coronavirus disease 2019-related fake news consistently appears on social media. This study uses appraisal theory to analyze the impact of such rumors on individuals' emotions, motivations, and intentions to share fake news. Furthermore, the concept of psychological distance and construal level theory are used in combination with appraisal theory to compare toilet paper shortages and celebrity scandal rumors.

Design/methodology/approach

Data collected from 299 Taiwanese respondents to 150 toilet paper shortage-related and 149 celebrity gossip-related questionnaires were processed using partial least squares regression and multigroup analysis.

Findings

In both cases, surprise is felt most intensely. However, unlike in the celebrity fake news scenario, worry plays a prominent role in driving the altruistic sharing motivation related to the toilet paper shortage rumor. Furthermore, while emotional attributes (basic or self-conscious, concrete, or abstract) serve as a guide for how emotions change with psychological distance, the degree to which an emotion is relevant to the fake news context is key to its manifestation.

Originality/value

This study examines the impact of individuals' emotions on their motivations and intention to share fake news, applying the appraisal theory and the psychological distance concept in a single study to fake news sharing intention. It evaluates the relationship between psychological distance and emotions, revealing that it is not absolute and need not necessarily shift according to psychological distance change; rather, the relationship is context-sensitive.

Details

Online Information Review, vol. 47 no. 1
Type: Research Article
ISSN: 1468-4527

Article
Publication date: 4 June 2020

Moufida Sadok, Steven Alter and Peter Bednar

Abstract

Purpose

This paper aims to present empirical results exemplifying challenges related to information security faced by small and medium enterprises (SMEs). It uses guidelines based on work system theory (WST) to frame the results, thereby illustrating why the mere existence of corporate security policies or general security training often is insufficient for establishing and maintaining information security.

Design/methodology/approach

This research was designed to produce a better appreciation and understanding of potential issues or gaps in security practices in SMEs. The research team interviewed 187 employees of 39 SMEs in the UK. All of those employees had access to sensitive information. Gathering information through interviews (instead of formal security documentation) made it possible to assess security practices from employees’ point of view.

Findings

Corporate policies that highlight information security are often disconnected from actual work practices and routines and often do not receive high priority in everyday work practices. A vast majority of the interviewed employees are not involved in risk assessment or in the development of security practices. Security practices remain an illusory activity in their real-world contexts.

Research limitations/implications

This paper focuses only on closed-ended questions related to the following topics: awareness of existing security policy; information security practices and management and information security involvement.

Practical implications

The empirical findings show that corporate information security policies in SMEs often are insufficient for maintaining security unless those policies are integrated with visible and recognized work practices in work systems that use or produce sensitive information. The interpretation based on WST provides guidelines for enhancing information system security.

Originality/value

Beyond merely reporting empirical results, this research uses WST to interpret the results in a way that has direct implications for practitioners and for researchers.

Details

Information & Computer Security, vol. 28 no. 3
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 13 March 2020

Tim Schürmann, Nina Gerber and Paul Gerber

Abstract

Purpose

Online privacy research has seen a focus on user behavior over the last decade, partly to understand and explain user decision-making and seeming inconsistencies regarding users' stated preferences. This article investigates the level of modeling that contemporary approaches rely on to explain said inconsistencies and whether drawn conclusions are justified by the applied modeling methodology. Additionally, it provides resources for researchers interested in using computational modeling.

Design/methodology/approach

The article uses data from a pre-existing literature review on the privacy paradox (N = 179 articles) to identify three characteristics of prior research: (1) the frequency of references to computational-level theories of human decision-making and perception in the literature, (2) the frequency of interpretations of human decision-making based on computational-level theories, and (3) the frequency of actual computational-level modeling implementations.

Findings

After excluding unrelated articles, 44.1 percent of investigated articles reference at least one theory that has been traditionally interpreted on a computational level. 33.1 percent of all relevant articles make statements regarding computational properties of human cognition in online privacy scenarios. Meanwhile, 5.1 percent of all relevant articles apply formalized computational-level modeling to substantiate their claims.

Originality/value

The findings highlight the importance of formal, computational-level modeling in online privacy research, which has so far drawn computational-level conclusions without utilizing appropriate modeling techniques. Furthermore, this article provides an overview of said modeling techniques and their benefits to researchers, as well as references for model theories and resources for practical implementation.

Details

Journal of Intellectual Capital, vol. 21 no. 3
Type: Research Article
ISSN: 1469-1930
