Toward a Cognitive Analysis of Insider Threats
An Examination of User Password Choice
Managing organizational security risks requires understanding how people behave when working in the context of organizational security policies and systems. Experience has shown that systems and policies developed without this understanding are at best ineffective, and at worst can increase the risks to the confidentiality, availability, and integrity of an organization's information. Developing this understanding requires the theories and methods of social science to construct an evidence base that can inform the construction of behaviorally-aware security policies and practically effective security systems. This paper represents an early step toward developing such an evidence base. It applies behavioral decision theory to develop hypotheses about how users choose passwords, and uses those hypotheses to suggest novel ways to help users choose passwords that are both memorable and secure. Behavioral experiments are proposed that could test the hypotheses and evaluate the new approaches. This paper examines a specific choice — user password choice — to highlight the more general importance of an explicitly cognitive perspective on human behavior in security contexts.
- Copyright: RAND Corporation
- Availability: Web-Only
- Pages: 42
- Document Number: WR-688
- Year: 2009
- Series: Working Papers
A choice model for password selection
How do users choose, and what can organizations do about it?
The research in this report was conducted by RAND Infrastructure, Safety, and Environment.
This report is part of the RAND Corporation working paper series. RAND working papers are intended to share researchers' latest findings and to solicit informal peer review. They have been approved for circulation by RAND but may not have been formally edited or peer reviewed.