Toward a Cognitive Analysis of Insider Threats

An Examination of User Password Choice

by Joel B. Predd, Andrew M. Parker

Download eBook for Free

Format: PDF file
File size: 0.7 MB


Managing organizational security risks requires understanding how people behave when working in the context of organizational security policies and systems. Experience has shown that systems and policies developed without this understanding are at best ineffective, and at worst can increase the risks to the confidentiality, availability, and integrity of an organization's information. Developing this understanding requires the theories and methods of social science to construct an evidence base that can inform the construction of behaviorally-aware security policies and practically effective security systems. This paper represents an early step toward developing such an evidence base. It applies behavioral decision theory to develop hypotheses about how users choose passwords, and uses those hypotheses to suggest novel ways to help users choose passwords that are both memorable and secure. Behavioral experiments are proposed that could test the hypotheses and evaluate the new approaches. This paper examines a specific choice — user password choice — to highlight the more general importance of an explicitly cognitive perspective on human behavior in security contexts.

Table of Contents

  • Chapter One

  • Chapter Two
    A choice model for password selection

  • Chapter Three
    How do users choose, and what can organizations do about it?

  • Chapter Four
The research in this report was conducted by RAND Infrastructure, Safety, and Environment.

This report is part of the RAND Corporation Working paper series. RAND working papers are intended to share researchers' latest findings and to solicit informal peer review. They have been approved for circulation by RAND but may not have been formally edited or peer reviewed.

This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited; linking directly to this product page is encouraged. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial purposes. For information on reprint and reuse permissions, please visit

The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.