DOI: 10.1145/3450329.3476862
research-article

Scaring People is Not Enough: An Examination of Fear Appeals within the Context of Promoting Good Password Hygiene

Published: 06 October 2021

Abstract

Fear appeals have been used for thousands of years to scare people into engaging in a specific behavior or omitting an existing one. From religion to public health campaigns, political ads and, most recently, cybersecurity, fear appeals are believed to be effective tools. However, this assumption is often grounded in intuition rather than evidence. We know little about the specific contexts within which fear appeals may or may not work. In this study, we begin to examine various components of a fear appeal within the context of password hygiene. A large-scale randomized controlled experiment was conducted with one control and three treatment groups: (1) fear only; (2) measures needed and the efficacy of such measures; and (3) fear combined with measures needed and the efficacy of such measures. The results suggest that the most effective way to employ a fear appeal within the cybersecurity domain is by ensuring that fear is not used on its own. Instead, it is important that information on the measures needed to address the threat and the efficacy of such measures is used in combination with information about the nature of the threat. Since many individuals who enter the information technology profession become the de facto security person, it is important for information technology education programs to instill in students the inadequacy of fear, on its own, in motivating secure actions.

Cited By

  • (2022) How do non experts think about cyber attack consequences? Information & Computer Security 30:4 (473-489). DOI: 10.1108/ICS-11-2020-0184. Online publication date: 14-Apr-2022

Published In

SIGITE '21: Proceedings of the 22nd Annual Conference on Information Technology Education
October 2021
165 pages
ISBN:9781450383554
DOI:10.1145/3450329
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. fear appeals
  2. password best practices
  3. passwords
  4. privacy
  5. security

Qualifiers

  • Research-article

Conference

SIGITE '21
Acceptance Rates

Overall Acceptance Rate 176 of 429 submissions, 41%
