Högskolan i Skövde

his.sePublications
Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • apa-cv
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Constructing secure and memorable passwords
University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment. (Informationssystem (IS), Information Systems)ORCID iD: 0000-0003-2084-9119
University of Skövde, School of Informatics.
University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment. (Informationssystem (IS), Information Systems)ORCID iD: 0000-0001-5692-4008
University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment. (Informationssystem (IS), Information Systems)ORCID iD: 0000-0001-5962-9995
2020 (English)In: Information and Computer Security, E-ISSN 2056-4961, Vol. 28, no 5, p. 701-717Article in journal (Refereed) Published
Abstract [en]

Purpose Using authentication to secure data and accounts has grown to be a natural part of computing. Even if several authentication methods are in existence, using passwords remain the most common type of authentication. As long and complex passwords are encouraged by research studies and practitioners alike, computer users design passwords using strategies that enable them to remember their passwords. This paper aims to find strategies that allow for the generation of passwords that are both memorable and computationally secure. Design/methodology/approach The study began with a literature review that was used to identify cognitive password creation strategies that facilitate the creation of passwords that are easy to remember. Using an action-based approach, attack models were created for the resulting creation strategies. The attack models were then used to calculate the entropy for passwords created with different strategies and related to a theoretical cracking time. Findings The result of this study suggests that using phrases with four or more words as passwords will generate passwords that are easy to remember and hard to attack. Originality/value This paper considers passwords from a socio-technical approach and provides insight into how passwords that are easy to remember and hard to crack can be generated. The results can be directly used to create password guidelines and training material that enables users to create usable and secure passwords.

Place, publisher, year, edition, pages
Emerald Group Publishing Limited, 2020. Vol. 28, no 5, p. 701-717
Keywords [en]
Passwords, Security, Usability, Computer users, Memorability, Strategies, Computer security
National Category
Computer Sciences
Research subject
Information Systems
Identifiers
URN: urn:nbn:se:his:diva-18852DOI: 10.1108/ICS-07-2019-0077ISI: 000544364100001Scopus ID: 2-s2.0-85086738920OAI: oai:DiVA.org:his-18852DiVA, id: diva2:1454752
Available from: 2020-07-20 Created: 2020-07-20 Last updated: 2022-12-28Bibliographically approved
In thesis
1. Context-Based Micro-Training: Enhancing cybersecurity training for end-users
Open this publication in new window or tab >>Context-Based Micro-Training: Enhancing cybersecurity training for end-users
2022 (English)Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

This research addresses the human aspect of cybersecurity by developing a method for cybersecurity training of end-users. The reason for addressing that area is that human behaviour is widely regarded as one of the most used attack vectors. Exploiting human behaviour through various social engineering techniques, password guessing, and more is a common practice for attackers. Reports even suggest that human behaviour is exploited in 95% of all cybersecurity attacks. 

Human behaviour with regard to cybersecurity has been long discussed in the research. It is commonly suggested that users need support to behave securely. Training is often suggested as the way to improve user behaviour, and there are several different training methods available. The available training methods include instructor-led training, game-based training, eLearning, etc. However, even with the diversity of existing training methods, the effectiveness of such training has been questioned by recent research. Research suggests that existing training does not facilitate knowledge retention and user participation to a high enough degree.    

This research aims to address the problems with current training practices by developing a new method for cybersecurity training of end-users. The research used a design science (DS) approach to develop the new method in three increasingly complex design cycles. Principles for cybersecurity training were developed based on previous research and the Technology Acceptance Model and made the theoretical foundation of the reserach. The result is a theoretically grounded method for cybersecurity training that outlines goals and guidelines for how such training should be implemented. It has been evaluated in several steps with more than 1800 survey participants and 300 participants in various experiments. The evaluations have shown that it can both support users towards secure behaviour and be appreciated by its users.  

The main contribution of this research is the method for cybersecurity training, Context-Based Micro-Training (CBMT). CBMT is a theoretical contribution that describes good practices for cybersecurity training for end-users. Practitioners can adopt it as a guide on how to implement such training or to support procurement decisions. The research also shows the importance of integrating usability into the development of security practices. Users must positively receive both training and the guidelines imposed by training since positive user perception increases user adoption. Finally, the research shows that following security guidelines is difficult. While training is essential, this research suggests that training alone is not enough, and future research should consider the interplay between training and other support mechanisms.

Abstract [sv]

Denna forskning adresserar mänskliga aspekter på cybersäkerhet genom att utveckla en metod för cybersäkerhetsträning av användare. Forskningen motiveras med att användarbeteende anses vara en av de attackvektorer som angripare oftast använder. Att använda social manipulation, gissa lösenord och liknande för att utnyttja mänskligt beteende är vanligt. Vissa rapporter hävdar till och med att mänskligt beteende utnyttjas i 95% av alla cyberattacker.

Användarbeteende relaterat till cybersäkerhet har diskuterats i forskningen under lång tid. Det beskrivs ofta att användare behöver stöd för att agera säkert och träning föreslås ofta som sättet för att förbättra användarbeteenden. Det finns flera olika träningsmetoder att tillgå, bland annat lärarledd träning, spelbaserad träning och eLearning. Trots att det finns en mångfald av träningsmetoder har effektiviteten hos dessa metoder blivit ifrågasatt i samtida forskning. Forskning visar att existerande träningsmetoder inte ger tillräckligt bestående kunskap eller har tillräckligt hög användningsgrad.

Målet med denna forskning är att adressera problemen med existerande metoder för cybersäkerhetsträning genom att utveckla en ny metod för cybersäkerhetsträning av användare. Designbaserad forskning tillämpades för att utveckla den nya metoden i tre allt mer komplexa designcykler. Principer för cybersäkerhetsträning utvecklades baserat på tidigare forskning och teorin Technology Acceptance Model. Dessa principer utgjorde startpunkten för denna forskning. Resultatet är en teoretisk grundad metod för cybersäkerhetsträning vilken beskriver mål och riktlinjer för hur träning kan implementeras. Metoden har utvärderats i flera steg med fler än 1800 enkätdeltagare och 300 deltagare i olika experiment. Utvärderingarna visar att metoden kan stödja användare att agera säkert och att metoden uppskattas av användare.

Det huvudsakliga bidraget från denna forskning är metoden för säkerhetsträning, KontextBaserad MikroTräning (CBMT). CBMT är ett teoretiskt bidrag som beskriver mål och riktlinjer för säkerhetsträning av användare. Yrkesverksamma kan använda metoden som en guide för implementation av säkerhetsträning eller som ett stöd vid upphandling av säkerhetsträning. Forskningen visar också att det är viktigt att integrera användbarhet i utvecklingen av säkerhetsrutiner. När användare är positiva till träning, och de rutiner träningen förmedlar, ökar sannolikheten att användarna tillämpar rutinerna. Avslutningsvis påvisar forskningen att det är svårt för användare att följa säkerhetsråd. Även om träning är avgörande föreslår denna forskning att träning i sig inte är tillräckligt. Framtida forskning behöver studera samspelet mellan träning och andra stödfunktioner för användare.

Place, publisher, year, edition, pages
Skövde: University of Skövde, 2022. p. 139
Series
Dissertation Series ; 45
Keywords
cybersecurity, training, usable, security, user, education, awareness
National Category
Computer Systems Information Systems
Research subject
Information Systems
Identifiers
urn:nbn:se:his:diva-21819 (URN)978-91-984919-9-9 (ISBN)
Public defence
2022-10-17, Assar Industrial Innovation Arena, Kavelbrovägen 2B, Skövde, 13:15 (English)
Opponent
Supervisors
Available from: 2022-09-20 Created: 2022-09-15 Last updated: 2022-09-20Bibliographically approved

Open Access in DiVA

No full text in DiVA

Other links

Publisher's full textScopus

Authority records

Kävrestad, JoakimBirath, MarcusNohlberg, Marcus

Search in DiVA

By author/editor
Kävrestad, JoakimBirath, MarcusNohlberg, Marcus
By organisation
School of InformaticsInformatics Research Environment
In the same journal
Information and Computer Security
Computer Sciences

Search outside of DiVA

GoogleGoogle Scholar

doi
urn-nbn

Altmetric score

doi
urn-nbn
Total: 899 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • apa-cv
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf