Password or pA55w0rd?
Geoffrey Duggan, from Computer Science, is working on a three-year project looking at company security policies and how people use passwords. Called 'Trust Economics', it is a collaborative project between the universities of Bath, Newcastle, Aberdeen, University College London and Hewlett Packard Laboratories. Its aim is to understand and model the security and economic factors that should be accounted for within effective decision making by security managers.
Research at Bath includes formal modelling of human behaviour using Task Knowledge Structures (TKS). This approach breaks down the activities carried out in an information security setting in order to understand how employees and security mechanisms interact, so that the resulting security processes can be based on that evidence rather than on assumptions about user behaviour.
Often, senior managers with responsibility for information and systems security face two problems:
- poor economic understanding of how to formulate, resource and value security policies
- poor organisational understanding of users' attitudes to systems security and of their responses to imposed security policies
Consequently, the effectiveness and value of policies which users are expected to comply with are difficult to assess. "Our aim is to design a policy or system which people can work with," says Dr Duggan. "At Bath, we incorporate the user's perspective."
A user study conducted with students, administrative staff and security researchers recorded every instance where a password was used. A key finding was that people tended to match their perceived security of the password to the sensitivity of the task. For example, at work, passwords were constructed using upper and lower case letters, numbers and symbol characters. A leisure task such as internet shopping produced passwords which were easier to remember and less secure.
"Some high-security work situations require people to remember several passwords per day," says Dr Duggan. "Often people resort to using the same one on each occasion. This diminishes security. We are investigating why users sometimes construct secure passwords and then on other occasions use weak ones. That will give us a better understanding of how to tailor security policies that will suit an organisation and individuals working within it."
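The two findings above, that users judge a password's strength by how it looks (mixed case, digits, symbols) and that they reuse one password across several tasks, can both be checked mechanically. The following is an added example, not code from the article or from the Trust Economics project. It scores passwords the way a simple composition policy would, then shows that a password such as pA55w0rd collapses to a dictionary word once case and common leet substitutions are undone, and finally flags passwords reused across work and leisure contexts in a constructed usage log. The wordlist, the substitution table and the log entries are all constructed for illustration.

```python
"""
Added example (not from the original article or the Trust Economics project):
contrast the "perceived" strength of a password, judged by the character
classes it mixes, with its guessability once case and common leet
substitutions are normalised, and flag passwords reused across tasks.
"""
import string
from collections import defaultdict

# Constructed: a handful of entries any cracking wordlist would contain.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "monkey", "football"}

# Constructed: common leet substitutions, mapped back to the letter they stand for.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def char_classes(pw: str) -> int:
    """Count the character classes (lower, upper, digit, symbol) present in pw."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: c in string.punctuation)
    return sum(any(check(c) for c in pw) for check in checks)


def composition_score(pw: str) -> str:
    """The naive policy view: length plus class mixing, nothing else."""
    if len(pw) >= 8 and char_classes(pw) >= 3:
        return "strong"
    if len(pw) >= 6 and char_classes(pw) >= 2:
        return "medium"
    return "weak"


def normalise(pw: str) -> str:
    """Undo the tricks users apply to a dictionary word: lower-case it, drop
    trailing digits/symbols ("welcome1!"), then reverse leet substitutions."""
    core = pw.lower().rstrip(string.digits + string.punctuation)
    return core.translate(LEET)


def guessable(pw: str) -> bool:
    """True if the password collapses to a wordlist entry under normalisation,
    i.e. a rule-based guesser would recover it regardless of its composition."""
    return normalise(pw) in COMMON_WORDS


def assess(pw: str) -> dict:
    """Side-by-side view of perceived and actual strength for one password."""
    return {"password": pw, "composition": composition_score(pw), "guessable": guessable(pw)}


# Constructed usage records in the spirit of the study: (user, task, password).
USAGE_LOG = [
    ("alice", "work:hr-system", "pA55w0rd"),
    ("alice", "leisure:shopping", "pA55w0rd"),
    ("alice", "work:vpn", "Tr0ub4dor&3"),
    ("bob", "work:email", "Welcome1!"),
    ("bob", "leisure:forum", "monkey"),
]


def reused_passwords(log):
    """Map each (user, password) pair used for more than one task to the
    sorted list of tasks it covers; a leisure reuse of a work password is
    exactly the case the article warns about."""
    seen = defaultdict(set)
    for user, task, pw in log:
        seen[(user, pw)].add(task)
    return {key: sorted(tasks) for key, tasks in seen.items() if len(tasks) > 1}


if __name__ == "__main__":
    for pw in ("pA55w0rd", "Welcome1!", "monkey", "Tr0ub4dor&3"):
        print(assess(pw))
    for (user, pw), tasks in reused_passwords(USAGE_LOG).items():
        print(f"{user} reuses {pw!r} across {tasks}")
```

The composition check is what a typical password policy enforces, and pA55w0rd passes it; the normalisation step is what a cracker's rule set does, and pA55w0rd fails it. Real assessments would use a full wordlist and a proper rule engine rather than the short tables here, but the gap between the two scores is the point.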
Project aim: to understand security processes and how people use passwords.
News and related information
- Trust Economics
- Newcastle University School of Computing Science
- University College London - Human Centred Systems Group
- University of Aberdeen Business School
- Hewlett Packard Laboratories
- Humans, not tech, are the greatest security risk - The Register
- Hewlett-Packard to evaluate value of IT security with mathematical model - Computer Weekly