Security Pros Must Better Understand the Human Factor Behind Passwords

Written by

Passwords are now an everyday part of life, but they are also a pain in the neck for employees. Workers are typically asked to change their passwords every month or so, with each one becoming more complicated than the last. As shown by data gathered from over 300,000 employees, the strongest determinant of whether they will behave securely is the burden they feel it requires.

The problem is that, regardless of how easy information security teams can make it, they still need employees to use unique, complex passwords. Data breaches in the last year have demonstrated how easily passwords can be acquired. Attackers often target an employee in a ‘phishing’ attack, getting access to a company’s network and data.

With simple multi-factor authentication yet to really take off, passwords will continue to appear in security scenarios for a while yet.

Lessons for Information Security Teams

The New York Times recently ran a fascinating article, ‘The Secret Life of Passwords’, that described how people choose intimate and often poignant subjects for their passwords.

In one way, it is good news that these people are not using their date of birth or ’12345678’ as their password, and it suggests that many have learned how to manage the use of complex passwords.

But with passwords so personal and so meaningful, employees are likely re-using them across sites, which today is likely the biggest behavior-related risk with passwords.

On top of this, if passwords are so meaningful to their creators, it becomes difficult for infosec teams to persuade employees to change them, and use multiple different passwords on different sites. 

To name one example, information theory legend Douglas R. Hofstadter has revealed that he’s used the same password since 1975.

This might be an opportunity for information security teams to reconsider the use of password vaults. Employees can keep their emotionally laden passwords as their master password for their vault, and use the features of the vaults to reduce burden and avoid password re-use.

The Need for Good Judgment

But what’s clear is that, as employees’ comfort with technology increases, good employee behavior is now the primary defense in protecting a company’s information.

Data shows that in 48% of information security incidents employee error plays a role, and is the single biggest cause. In past years, all that information security teams required of employees was to comply with policy; they now need employees to exercise good judgment.

Employees rarely have policies or training that can help them improve their judgment in new areas of concern, whether it is BYOD, phishing, or a service in the cloud. The tired annual 20-minute computer-based training and scattershot efforts such as ‘security fairs’ aren’t working to change employee behavior. To actually change behavior, IT needs to target the psychological drivers. This is something that some of the best companies are now doing – how about you?

About the Author

Jeremy Bergsman is a practice manager at CEB serving heads of information security and heads of enterprise architecture. Since he started working at CEB in 2006, Jeremy has overseen dozens of original quantitative and qualitative research studies that CEB members have used to improve their effectiveness. Topics of these research initiatives include measuring and changing end-user behaviour, risk assessment, roadmapping and planning, business capability modeling, and aligning IT functions with business needs

What’s hot on Infosecurity Magazine?