Utilizing persuasion approach to improve compliance behaviour with password guidelines

Password based authentication remains the most commonly used authentication mechanism, in spite of the rapid introduction of several other authentication mechanisms such as smart cards, graphical passwords and biometrics.Users mainly rely on password guidelines to construct their password; nevertheless existing password guidelines seem inadequate especially from the perspective of influencing the users’ security compliance behavior.Thus, this study intended to investigate ways to improve the content of password guidelines through persuasion approach to increase the likelihood of compliance behavior. A control laboratory experiment was carried out and the results were critically discussed.The outcomes indicate promising findings that users can be persuaded to improve their security compliance behavior by including more persuasive elements in the password guidelines

Information security awareness: Preliminary studies amongst academicians at Universiti Utara Malaysia

Information security is vital to any organization.It holds the reputation as well as the image carried by the organization.Information security does not come in a package.It takes a culmination of people, process and technology.However, people are often overlooked as part of security components.Focus is more given towards implementing the latest technologies and products, such as firewalls, intrusion detection systems and the toughest encryption techniques.Having in mind that all these are able to provide strong protection, leaving people (employees of the organization) behind is not a good idea. There are many researchers who recognized the significance of information security awareness area.However, only few scientific studies have considered this area in depth.It is due to the fact that it falls outside the scope of traditional “hard” computer science.Taking this as a point of departure, this research focused on the human factor as one of the important security component.Current works related to information security awareness are presented together with selected models and frameworks.Survey and interviews was chosen as a method to obtain data and analysis was done from the compilation of the data gathered.Findings of the study revealed an interesting scenario of the perceptions and common practices of respondents in the case study.Conclusions are derived at the end of the research suggests the level of respondents’ awareness towards information security issues

Social engineering awareness game (SEAG): an empirical evaluation of using game towards improving information security awareness

The sharp rise of social engineering attacks in recent years poses serious threats to technology consumers.This is due to the degree of damage that can be done through social engineering. This paper seeks to elaborate on the use of a Social Engineering Awareness Game (SEAG) to improve the rate of awareness of social engineering.This game was tailored towards the needs of technology consumers that are intended to make use of it by ensuring that not only it is knowledgeable but also attractive and fun. In this paper we highlighted the objectives of this study and how it was done.A control laboratory experiment involving participants randomly assigned to either the experimental group or control group (using paper-based) to evaluate the outcome. The impact that the game had on the participants was recorded with an average of 71% improvement in their knowledge and awareness of social engineering, this made them to find the game beneficial and informative.The major drawback of the game is it needs to be more user-friendly and centered.We conclude by showing the need for more research to be put in place pertaining to the aspect of using games in the educational field especially in the network security field that has more threats growing rapidly

Exploring human factors issues & possible countermeasures in password authentication

PhD ThesisThis thesis is concerned with usable security. It describes a series of experiments to understand users’ behaviour in the domain of password authentication. The thesis is comprised of two parts. Part 1 reports on experiments into how different persuasion strategies can be used to increase the strength of users’ password. Existing research indicates that the lack of persuasive elements in password guidelines may lead to a lack of motivation to produce strong passwords. Thus, an experimental study involving seventy-five participants was conducted to evaluate the effectiveness of a range of persuasion strategies on password strength. In addition this experiment explores how personality variables affect the susceptibility of users to persuasion. The results showed that passwords created by users who received password guidelines that include a persuasion strategy produce stronger passwords than a control group. In terms of the personality variables, the result shows that there are certain personality types that tend to produce slightly better passwords than others; but it is difficult to draw a firm conclusion about how personality affects susceptibility to persuasion. The second part of this thesis presents an innovative alternative to text-based passwords, namely, graphical password schemes. Graphical passwords take advantage of the superior ability of humans to remember graphics and pictures over text and numbers. Research shows that graphical password schemes are a promising alternative, but that they are susceptible to shoulder surfing attacks, resulting in scepticism about adoption. Thus in part 2 of the thesis, three innovative shoulder surfing defence techniques are proposed and implemented in a small-scale prototype with a specific focus given to one type of graphical password; The Draw-A-Secret (DAS) scheme. The results of two separate experimental studies involving sixty-five and thirty participants respectively to evaluate the proposed defence techniques from the perspectives of security and usability are presented. The results show that the technique which, on theoretical grounds, was expected to be quite effective, provides little protection. A second technique which did provide the best overall shoulder surfing defence; created usability problems. But a third technique provided a reasonable shoulder surfing defence and good usability simultaneously; a good balance which the other two techniques did not achieve. The proposed defence techniques and experimental results are directly relevant to other graphical password schemes of the same category with slight modification to suit the requirements of the scheme intended. In summary, the thesis contributes to the discussion of some key usability problems which exist around password authentication domains. All the proposed countermeasures are evaluated through a series of experimental studies which present several intriguing discussions and promising findings

Exploring the role of social media credentials in mobile learning: The engagement perspective

This paper presents a study on social media credentials as an authentication mechanism for accessing a mobile learning application.The aim of the study is to investigate whether the use of social network credentials would have effect on mobile learning activities particularly learners’ engagement.An experimental study was conducted on forty students from a higher learning institution in Malaysia using a mobile learning application named LANGKAWI APPS and a learning engagement questionnaire.The mobile application was developed in two versions, one with the social network login facility and the other one with traditional authentication method.The results of the statistical tests demonstrate that social network credentials was rated higher by the learners in terms of attention in mobile learning compared to the traditional method.The results are discussed in terms of applicability of social network credential as an authentication mechanism for mobile learning

Towards designing effective security messages: Persuasive password guidelines

The current state of information security compliance in workplaces is deteriorating. In many cases human factors were attributed as the cause of the problem.Humans are well known as the weakest link in the security chain.Commonly, end-users will depend on security messages when confronted with security-related decision making. Most of the time, end-users will try their best to make sense of unclear instructions in order to cope with situations.This indicates the way security messages are presented is of utmost importance. However, research focusing on designing effective security messages is quite limited.This paper presents research in progress, towards designing effective security messages focusing on passwords guidelines.Our initial review indicated the lack of persuasive elements in the current password guidelines may lead to unmotivated behaviour of producing good (strong) passwords.This paper also includes initial results obtained from pilot study which reveal promising results supporting the usage of persuasion strategies to improve the current state information security compliance

Linear and non-linear navigations of learning content

This paper reports a study concerning linear and non-linear navigations in WBI.The effects of the two navigations on students’ engagement aspects namely; control, focus, curiosity, and intrinsic interests were investigated. The study aimed to identify whether the linear and the non-linear navigations could be the factors that influence students’ engagement while learning in WBI environment.An exploratory experimental study was conducted on seventy-two students from a university in Malaysia using a web-based system for learning Basic Computer Networks.The study suggested that the types of navigations had affected the control aspect, but not the focus, curiosity, and intrinsic interests.Students’ engagement from the context of focus, intrinsic interests and curiosity was similar in both linear and non-linear.These findings are further discussed from cultural perspectives of Malaysian students

Enhancing the security of RCIA ultra-lightweight authentication protocol by using Random Number Generator (RNG) technique

This study is an attempt to enhance the security of Robust Confidentiality, Integrity, and Authentication (RCIA) ultra-lightweight authentication protocols.In the RCIA protocol, IDs value is sent between reader and tag as a constant value.This makes RCIA susceptible to traceability attack which lead to the privacy issue. In order to overcome this problem, Random Number Generator (RNG) technique based on Bitwise operations has been used in the tag side.The idea of this technique is to change the IDs of a tag on every query session so that it will not stay as a constant value.The implementation of Enhanced RCIA has been conducted by using a simulation.The simulation provided the ability to show that the operations of RCIA protocol as to compare with the enhanced RCIA.The outcome shows that the enhanced RCIA outperforms existing one in terms of privacy