A protection motivation theory approach to improving compliance with password guidelines

Abstract

Usernames and passwords form the most widely used method of user authentication on the Internet. Yet, users still find compliance with password guidelines difficult. The primary objective of this research was to investigate how compliance with password guidelines and password quality can be improved. This study investigated how user perceptions of passwords and security threats affect compliance with password guidelines and explored if altering these perceptions would improve compliance. This research also examined if compliance with password guidelines can be sustained over time. This study focuses on personal security, particularly factors that influence compliance when using personal online accounts. The proposed research model is based on the Protection Motivation Theory (PMT) (Rogers, 1975, 1983), a model widely used in information systems security research. As studies have failed to consistently confirm the association between perceived vulnerability and information security practices, the model was extended to include exposure to hacking as a predictor of perceived vulnerability. Experimental research was used to test the model from two groups of Internet users, one of which received PMT based fear appeals in the form of a password security information and training exercise. To examine if password strength was improved by the fear appeals, passwords were collected. A password strength analysis tool was developed using Shannon’s (2001) formula for calculating entropy and coded in Visual Basic. Structural equation modeling was used to test the model. The proposed model explains compliance intentions moderately well, with 54% of the variance explained by the treatment model and 43% explained by the control group model. Overall, the results indicate that efficacy perceptions are a stronger predictor of compliance intentions than threat perceptions. This study identifies three variables that predict user intentions to comply with password guidelines as particularly important. These are perceived threat, perceived password effectiveness and password self-efficacy. The results show no association between perceived vulnerability to a security attack and a user’s decision to comply. The results also showed that those who are provided with password information and training are significantly more likely to comply, and create significantly stronger passwords. However, the fear appeals used in this study had no long-term effects on compliance intentions. The results on the long-term effects of password training on the participants’ ability to remember passwords were however promising. The group that received password training with a mnemonic training component was twice as likely to remember their passwords over time. The results of this research have practical implications for organizations. They highlight the need to raise the levels of concern for information systems security threats through training in order to improve compliance with security guidelines. Communicating to users what security responses are available is important; however, whether they implement them is dependent on how effective they feel the security responses are in preventing an attack. Regarding passwords, the single most important consideration by a user is whether they have the ability to create strong, memorable passwords. At the very least, users should be trained on how to create strong passwords, with emphasis on memorization strategies. This research found mnemonic password training to have some long-term effects on users’ ability to remember passwords, which is arguably one of the most vexing challenges associated with passwords. Future research should explore the extent to which the effects of PMT based information systems security communication can be maintained over time