Allied Academies International Internet Conference 88

_____________________________________________________________________________________________

USER ATTITUDES TOWARD PASSWORD POLICIES: PRELIMINARY ANALYSIS
Norman Pendegraft, University of Idaho
ABSTRACT

Preliminary analysis of a survey of user attitudes toward password lengths and durations
is reported. In particular, users were asked to rank their preferred lengths and lifetimes for
passwords in several situations. The data reveal that users' preferences are non-homogeneous,
but that there are clusters of users who have homogeneous preferences. The most common
shapes of the preference function are concave. Users seem to prefer to increase security with
longer passwords of longer duration.

INTRODUCTION AND BACKGROUND

In earlier work (Pendegraft & Rounds, 2007; Pendegraft, 2008) we simulated the value
evolution of an information system under attack. That work assumed that users of the system
viewed security as a pure cost. In the 2008 paper, some users (i.e. consumers) were assumed to
prefer some security. This paper reports on an empirical study investigating these assumptions.
Others have studied user attitudes toward security, but they tend to address behaviors such as
selecting passwords. For example, Stanton et al. (2005) found that among naïve benevolent
users, password hygiene was generally poor.
We examine here two commonly used policy variables: password length and password
lifetime. For the purposes of this research, we identify three scenarios in which we hypothesize
that users will have different preferences over these policy variables. These scenarios are as
follows.
1. Job: in this scenario, users access data which is not about themselves.
2. ATM: users directly access data about themselves.
3. Teller: users do not directly access data about themselves, but someone else does.
Thus we have six cases: each of these three scenarios evaluated for password length and for
password duration.

HYPOTHESES

For purposes of this analysis, we hypothesize that users within each case will be
non-homogeneous. We further hypothesize that users will have dissimilar attitudes toward security
among all six cases. This formulation of the null hypotheses facilitates the statistical analysis of
the data.

H0.1 User preferences will not be concordant across all scenarios.
H0.2 User preferences will not be concordant within each scenario.

_____________________________________________________________________________________________

Proceedings of the Allied Academies Internet Conference, Volume 12 2010



METHODOLOGY

A survey instrument was developed and then administered via the web. Students in four
large Business College principles courses were asked to respond (approximately 200 people). 84
answered, yielding 77 usable responses, for a response rate of about 38%.
The data reported here include respondents' preferences for password length and
password duration in each of the 6 cases discussed above. The data were subject to two
statistical tests. First, Kendall's W was calculated for the entire data set and then for each case.
Second, each of the cases was subjected to a cluster analysis using k-means, and Kendall's W
was calculated for each cluster.
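The two-step procedure above, as an added example that is not the paper's code: Kendall's W with its chi-square p-value, computed for the full set of rank vectors and then again inside each k-means cluster. The respondents, the four length options and their rankings are constructed sample data, the deterministic k-means seeding is a choice made here for reproducibility, and no tie correction is applied because every constructed respondent gives a complete ranking.

```python
"""Added example (not the paper's code): Kendall's W with a chi-square
p-value, computed for a whole respondent set and again inside k-means
clusters of the rank vectors, on constructed sample rankings."""
import math
from typing import List, Sequence, Tuple

# Constructed sample: 7 respondents each rank four password lengths
# (rank 1 = most preferred). Position i holds the rank given to option i.
OPTIONS = ["6 chars", "8 chars", "12 chars", "16 chars"]
RANKINGS: List[List[int]] = [
    [3, 1, 2, 4],  # four respondents who prefer middling lengths
    [4, 1, 2, 3],
    [3, 2, 1, 4],
    [4, 2, 1, 3],
    [4, 3, 2, 1],  # three respondents who prefer the longest password
    [4, 3, 2, 1],
    [3, 4, 2, 1],
]


def kendalls_w(rankings: Sequence[Sequence[int]]) -> float:
    """W = 12 S / (m^2 (n^3 - n)) for m complete rankings of n options,
    where S is the sum of squared deviations of the per-option rank sums
    from their mean (no tie correction: every ranking here is complete)."""
    m, n = len(rankings), len(rankings[0])
    rank_sums = [sum(r[i] for r in rankings) for i in range(n)]
    mean = sum(rank_sums) / n
    s = sum((rs - mean) ** 2 for rs in rank_sums)
    return 12.0 * s / (m * m * (n ** 3 - n))


def chi2_sf(x: float, df: int) -> float:
    """Upper tail P(X > x) of a chi-square with integer df, built from the
    closed forms for df = 1 and df = 2 plus the df -> df + 2 recurrence."""
    if df % 2 == 0:
        q, k = math.exp(-x / 2), 2
    else:
        q, k = math.erfc(math.sqrt(x / 2)), 1
    while k < df:
        q += (x / 2) ** (k / 2) * math.exp(-x / 2) / math.gamma(k / 2 + 1)
        k += 2
    return q


def concordance_test(rankings: Sequence[Sequence[int]]) -> Tuple[float, float]:
    """Return (W, p): m (n - 1) W is approximately chi-square with n - 1 df."""
    m, n = len(rankings), len(rankings[0])
    w = kendalls_w(rankings)
    return w, chi2_sf(m * (n - 1) * w, n - 1)


def _sq_dist(a: Sequence[float], b: Sequence[float]) -> float:
    return sum((x - y) ** 2 for x, y in zip(a, b))


def kmeans(rows: Sequence[Sequence[int]], k: int = 2, max_iter: int = 100) -> List[int]:
    """Lloyd's k-means on rank vectors. Seeding is deterministic (first row,
    then the row farthest from the centroids chosen so far) so the result is
    reproducible; a production run would restart from several seeds."""
    centroids = [list(map(float, rows[0]))]
    while len(centroids) < k:
        far = max(rows, key=lambda r: min(_sq_dist(r, c) for c in centroids))
        centroids.append(list(map(float, far)))
    labels: List[int] = []
    for _ in range(max_iter):
        new_labels = [min(range(k), key=lambda j: _sq_dist(r, centroids[j])) for r in rows]
        if new_labels == labels:
            break  # assignments stable: converged
        labels = new_labels
        for j in range(k):
            members = [r for r, lab in zip(rows, labels) if lab == j]
            if members:
                centroids[j] = [sum(col) / len(members) for col in zip(*members)]
    return labels


def cluster_concordance(rankings: Sequence[Sequence[int]], k: int = 2) -> List[Tuple[int, float, float]]:
    """(size, W, p) for every k-means cluster with at least two members,
    largest cluster first."""
    labels = kmeans(rankings, k)
    out = []
    for j in range(k):
        members = [r for r, lab in zip(rankings, labels) if lab == j]
        if len(members) > 1:
            w, p = concordance_test(members)
            out.append((len(members), w, p))
    return sorted(out, reverse=True)


if __name__ == "__main__":
    w, p = concordance_test(RANKINGS)
    print(f"all {len(RANKINGS)} respondents: W={w:.3f} p={p:.3f}")
    for size, w, p in cluster_concordance(RANKINGS):
        print(f"cluster of {size}: W={w:.3f} p={p:.4f}")
```

On this constructed sample the whole set gives W of about 0.36 with p near 0.05, while the two clusters give W of 0.80 and 0.91 with p below 0.05, which is the pattern the paper reports: weak concordance overall masking strong concordance within groups.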

RESULTS

Data from the first analysis are summarized in Table 1.

Table 1
GROUP COMPARISONS

SCENARIO                  W
Entire data set / Length  0.306
JOB / Length              0.367
ATM / Length              0.301
TEL / Length              0.293
JOB / Duration            0.252
ATM / Duration            0.263
TEL / Duration            0.136

In all cases, W > 0 with a p value on the order of 10^-10 or less was obtained. While these are
clearly sufficient to reject H0.1 and H0.2, the values of W are nonetheless small, suggesting a low
degree of concordance. This might occur if there were more than one group. We conducted a
cluster analysis to address this possibility. Data for the cluster analysis are summarized in Table
2. For each cluster, we show:

N: the number of observations in the cluster
W: Kendall's W for the cluster
P: the calculated p-value for W
Shape: the overall shape of a second order regression curve, coded as follows
B: bell shaped
I: increasing
D: decreasing
F: flat or U shaped

The clusters display generally large values of W and very low values of p, suggesting that
the clusters are reliably representative of user preferences.
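The shape coding listed above, as an added example that is not the paper's code. It fits a second-order (quadratic) regression to a cluster's mean preference score per option and maps the fitted curve to B, I, D or F. The paper does not state how it converted rankings to a regression input or where it drew the line between shapes, so both the use of option index as the x-axis and the decision rule on the vertex position and sign of the quadratic term are assumptions made here; the mean preference vectors are constructed from sample rankings.

```python
"""Added example (not the paper's code): fit y = a + b x + c x^2 to a
cluster's mean preference per option and code the curve's shape as
B (bell), I (increasing), D (decreasing) or F (flat or U shaped).
The decision rule is an assumption; the paper does not state its own."""
from typing import List, Sequence, Tuple


def _det3(m: Sequence[Sequence[float]]) -> float:
    return (m[0][0] * (m[1][1] * m[2][2] - m[1][2] * m[2][1])
            - m[0][1] * (m[1][0] * m[2][2] - m[1][2] * m[2][0])
            + m[0][2] * (m[1][0] * m[2][1] - m[1][1] * m[2][0]))


def quadratic_fit(xs: Sequence[float], ys: Sequence[float]) -> Tuple[float, float, float]:
    """Least-squares coefficients (a, b, c) of y = a + b x + c x^2, solving
    the 3x3 normal equations by Cramer's rule (no numpy needed)."""
    s = lambda p: sum(x ** p for x in xs)
    t = lambda p: sum(x ** p * y for x, y in zip(xs, ys))
    A = [[s(0), s(1), s(2)], [s(1), s(2), s(3)], [s(2), s(3), s(4)]]
    rhs = [t(0), t(1), t(2)]
    d = _det3(A)
    coeffs = []
    for col in range(3):
        M = [row[:] for row in A]
        for i in range(3):
            M[i][col] = rhs[i]
        coeffs.append(_det3(M) / d)
    return coeffs[0], coeffs[1], coeffs[2]


def mean_preference(rankings: Sequence[Sequence[int]]) -> List[float]:
    """Turn rank vectors (1 = most preferred) into a mean preference score
    per option, so that a higher value means more preferred."""
    m, n = len(rankings), len(rankings[0])
    return [(n + 1) - sum(r[i] for r in rankings) / m for i in range(n)]


def shape_code(prefs: Sequence[float], eps: float = 1e-6) -> str:
    """Assumed rule: x is the option index. Both coefficients ~0 -> F;
    vertex inside the option range -> B if concave (c < 0), F if U shaped;
    otherwise the curve is monotone over the range -> I or D by slope sign."""
    xs = list(range(len(prefs)))
    _, b, c = quadratic_fit(xs, prefs)
    lo, hi = xs[0], xs[-1]
    if abs(b) < eps and abs(c) < eps:
        return "F"
    if abs(c) > eps:
        vertex = -b / (2 * c)
        if lo < vertex < hi:
            return "B" if c < 0 else "F"
    slope_mid = b + 2 * c * (lo + hi) / 2
    return "I" if slope_mid > 0 else "D"


if __name__ == "__main__":
    # Constructed clusters: one that prefers middling lengths, one the longest.
    bell = [[3, 1, 2, 4], [4, 1, 2, 3], [3, 2, 1, 4], [4, 2, 1, 3]]
    longest = [[4, 3, 2, 1], [4, 3, 2, 1], [3, 4, 2, 1]]
    for name, cluster in (("bell", bell), ("longest", longest)):
        prefs = mean_preference(cluster)
        print(name, [round(v, 2) for v in prefs], shape_code(prefs))
```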


DISCUSSION

The data in bold are clearly significant. Further, in many cases the value of W is high.
They suggest that there are groups of users who display concordant preferences within the group,
but who differ from the other groups. In particular, a bell-shaped preference is very common.
This makes sense from the basic economics of security: it suggests a recognition that some
security is desirable, but that too much creates a cost. The second largest cluster for length in all
cases displays a preference for longer (more secure) passwords. For password lifetime the two
top clusters are bell-shaped and a preference for longer (less secure) lifetimes.

TABLE 2
KENDALL'S W FOR CLUSTERS

PWD Length (longer is more secure)

               Cluster 1               Cluster 2               Cluster 3
CASE     N    W     P     shape    N    W     P     shape    N    W     P     shape
job      31   .757  0     B        28   .678  0     I        18   .059  .386  F
atm      40   .822  0     B        22   .573  0     I        15   .087  .236  F/D
teller   31   .75   0     B        28   .743  0     I        18   .067  .291  F

PWD Duration (longer is less secure)

               Cluster 1               Cluster 2               Cluster 3
CASE     N    W     P     shape    N    W     P     shape    N    W     P     shape
job      42   .813  0     I        22   .484  0     B        13   .205  .021  F
atm      37   .64   0     B        26   .809  0     I        14   .165  .042  F
teller   34   .517  0     B        27   .64   0     I        16   .467  0     D

P = 0 indicates that the P value was of the order 10^-9 or less.

It is clear that users are not uniform in their preferences for these aspects of password
security. In particular, while a bell shaped function is found in all 6 cases, users express a
preference for longer (i.e. more secure) and for longer duration (i.e. less secure) passwords. This
suggests that policy makers should be more considerate of user preferences in designing policy.
There are, of course, limitations to the study. First is that the data set is small. We hope
to collect further data in the coming year and to expand the audience beyond the business
college. Second, the respondents are all college students. It is not clear to what extent they
constitute a good model for society at large. Third, further analysis of the data is warranted. In
particular, it remains to study the correlations between user attitudes toward password length and
lifetime and to estimate the proportion of users with each sort of preference function.
The purpose of this work is to shed light on user preferences toward password security
policies. Initial analysis reveals that users are not homogeneous, but that there are meaningful
patterns of preferences. Thus, we conclude that policy makers should make a better effort to
understand user preferences.


REFERENCES

Pendegraft, N. & M. Rounds (2007). A simulation model of IS security. International Journal of Information
Security and Privacy, 1.

Pendegraft, N. (2008). A simulation of IS security with two user types. Mountain Plains Management Conference,
Pocatello.

Stanton, J.M., K.R. Stam, P. Mastrangelo & J. Jolton (2005). Analysis of end user security behaviors. Computers and
Security, 24, 124-133. Retrieved 17 June 2010 from
http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B6V8G-4D98XGR-3&_user=854313&_coverDate=03%2F01%2F2005&_alid=1373164181&_rdoc=1&_fmt=high&_orig=search&_cdi=5870&_sort=r&_docanchor=&view=c&_ct=1&_acct=C000046079&_version=1&_urlVersion=0&_userid=854313&md5=69049e4b5ea3adb0c72e43244b6d0403



Copyright of Summer Internet Proceedings is the property of Dreamcatchers Group, LLC and its content may
not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written
permission. However, users may print, download, or email articles for individual use.
