Managing organizational security risks requires understanding how people behave when working in the context of organizational security policies and systems. Experience has shown that systems and policies developed without this understanding are at best ineffective, and at worst can increase the risks to the confidentiality, availability, and integrity of an organization's information. Developing this understanding requires the theories and methods of social science to construct an evidence base that can inform the construction of behaviorally-aware security policies and practically effective security systems. This paper represents an early step toward developing such an evidence base. It applies behavioral decision theory to develop hypotheses about how users choose passwords, and uses those hypotheses to suggest novel ways to help users choose passwords that are both memorable and secure. Behavioral experiments are proposed that could test the hypotheses and evaluate the new approaches. This paper examines a specific choice — user password choice — to highlight the more general importance of an explicitly cognitive perspective on human behavior in security contexts.
Table of Contents
A choice model for password selection
How do users choose, and what can organizations do about it?