Some password users are more equal than others : Towards customisation of online security initiatives

The growth in the use of computers and the Internet have increased the number of threats computer users are exposed to. Although the South African Cyber Security Policy Framework (South Africa 2015) aims to foster a cyber-security culture, it does not include provision for security education, training and awareness (SETA), which are regarded as critical components to foster such a culture (Kortjan & Von Solms 2014:30).


Introduction
The growth in the use of computers and the Internet have increased the number of threats computer users are exposed to.Although the South African Cyber Security Policy Framework (South Africa 2015) aims to foster a cyber-security culture, it does not include provision for security education, training and awareness (SETA), which are regarded as critical components to foster such a culture (Kortjan & Von Solms 2014:30).
Varying levels of digital literacy among computer users and different behaviour by users in the online environment make it difficult to apply a uniform set of interventions to improve security behaviour.Researchers (Chandarman & Van Niekerk 2017;McCormac et al. 2017) have emphasised the importance of appropriate interventions to address the weaknesses of particular target audience groups.This is supported by Kruck and Teer (2008:80), who recommend that those responsible for computer SETA gain 'a better understanding' of areas where deficiencies in computer security are present.
For decades, user identification and authentication have been regarded as the foundation of computer security (Conklin, Dietrich & Walz 2004:1), playing an important role in securing information.Despite the evolution of other methods of identification and authentication of computer users, such as biometrics, single sign-on and one-time pin, the use of passwords remains the most common way to control access and authenticate computer users (Das et al. 2014;Tam, Glassman & Vandenwauver 2010).However, passwords are increasingly subject to various forms of attack (Shen et al. 2016:131), making proper computer password security essential.
Ensuring proper computer password security involves both technological and human aspects (Brostoff & Sasse 2002:41).While technology can provide a certain level of protection against Background: Online security is a growing concern and user authentication through passwords remains an important mechanism to protect online assets.Research to date has highlighted the need to address human behaviour but without an indication of where the emphasis of security education, training and awareness (SETA) initiatives should be, beyond improved password practices.certain threats, human behaviour remains a potential weak link.The 'burden' of choosing a strong password that is kept secure and confidential remains on the computer user (Garrison 2008:70) and even the most sophisticated systems become inadequate if computer users do not apply proper password practices (Tam et al. 2010:233).Butler and Butler (2014:159) recommend that initiatives to educate, train and raise awareness take cognisance of the particular aspects that influence password behaviour.Studies by McCrohan, Engel and Harvey (2010) have demonstrated that specific training on relevant password-related matters improved users' password behaviour significantly.The objective of this research is to determine if there are varying levels of proficiency regarding password practices between different demographical groups that could direct the tailoring of such initiatives.
Important elements to be considered in the design of any SETA initiatives include the target audience, the relevant topics, the content and the method of communication (Kortjan & Von Solms 2014:33).To present the appropriate audience with applicable SETA content, it is necessary to examine user password practices and identify deficiencies in performance among the various groupings of users.These factors can then be emphasised in tailored SETA programmes (Kruger et al. 2008:56) to ensure that audiences targeted with these initiatives are presented with relevant content, delivered by appropriate mechanisms.The importance of relevance in education to bring about behavioural change is well documented, including in the field of information security (Soomro, Shah & Ahmed 2016:216).

Online security
The password practices that users apply have a direct effect on the level of security of computer systems.While certain password users are proficient in their password practices, proper security measures and guidelines are often 'unknown, neglected, or avoided' by other computer users (Notoatmodjo & Thomborson 2009:71).Garrison (2008:70) determined that many computer users are ignorant and uninformed about how to select usable and secure passwords.In addition, many computer users are unaware of their vulnerability and the possible consequences associated with improper password use and control.Chandarman and Van Niekerk (2017:134) regard the untrained user as one of the weakest links in a security system.
Security should be a foremost concern when creating new passwords (Huth, Orlando & Pesante 2012;Zhang-Kennedy, Chiasson & Van Oorschot 2016).Ominously, human memory limitations place a strain on computer users' memory and they experience difficulties in remembering numerous passwords (Furnell & Esmael 2017:5;Shen et al. 2016:131).Notoatmodjo and Thomborson (2009:71) refer to this as 'password overload', a term widely used in the literature, which often results in weak password behaviour.Yan et al. (2004:25) found that many users rarely choose passwords that are both hard to guess and easy to remember.A conflict between two opposing principles, convenience (memorability and usability) and security, therefore, exists.Kothari et al. (2015:15) reasoned that password practices encompass the measures that computer users apply when choosing or creating passwords (which involves aspects such as the origin of the password and the characters used in its composition), as well as managing passwords (measures that relate to the safekeeping of passwords).Groupings of common proper and improper password practices that were the topic of various studies are presented in Table 1.

Poor password practices
Although authors propose that interventions should focus on the educational requirements of particular target audience groups, they do not explain how to design custom-made SETA interventions.As 'very few' studies focussing on computer security awareness in South Africa have been conducted (Chandarman & Van Niekerk 2017:136), the extent to which SETA programmes should focus on the proper password practices in Table 1 remains somewhat elusive in academic literature.

Demographics and password practices
Research into computer security often focusses on 'particular user communities' and does not necessarily report on the effects of demographics, despite the fact that basic demographic information is often obtained, and commented upon, in these studies (Howe et al. 2012:210).Some studies commented on notable differences between different demographical groupings for security in general, not passwords in particular.
While McCormac et al. (2017:152) noted small differences in individuals' information security awareness and their age and gender, Pattinson et al. (2015) found that gender has no significant influence on information security behaviour but that age seems to improve secure behaviour.Sheng et al. (2010) found minor variances between males and females and different age groups regarding susceptibility to computer security threats such as phishing.Chaudhary et al. (2015) found female respondents more susceptible to poor online behaviour, in this instance phishing attacks, than male respondents.It was found that age reduces the risk perception associated with a loss of data confidentiality (Milne, Labrecque & Cromer 2009) and increases vulnerability to threats such as spyware (Fox 2006), while males seem to have a tendency to engage in more risky online behaviour (Byrne et al. 2012).Chen, Paik and McCabe (2014:135) reported on different levels of defensive measures taken by online consumers based on education levels.Redmiles, Kross and Mazurek (2016:666) found that users with higher education levels are significantly more likely to learn from negative experiences.These groups also have access to more credible sources of security-related information, potentially leading to more secure behaviour online.
The literature for demographics impacting passwords in particular is scarce.Gender as a distinguishing factor did feature in research by Bryant and Campbell (2006), determining that females are more likely to use meaningful information in the composition of their passwords, while males are more likely to use similar passwords for more than one purpose (Bryant & Campbell 2006:90).Shay et al. (2010) noted a decrease in password sharing as respondents grew older.Bryant and Campbell noted a slight decrease in respondents who did not use a proper combination of characters in the composition of passwords as age increased.The literature indicates that age does not negatively impact upon all practices; Bryant and Campbell also established that older participants were not more, or less, likely to change their passwords more often than younger users.
According to Karlsson, Åström and Karlsson (2015:246) existing research into online security has focussed on a broad set of research topics but with limited depth.More importantly, an extensive part of the research is descriptive, philosophical or theoretical, lacking a structured use of empirical data, making it quite immature.

Behavioural change
The goal of SETA interventions is to change and improve user behaviour.Although many organisations show compliance in running security awareness programmes, this does not necessarily result in a behavioural change.Merely complying, and not dealing with the actual deficiencies, can result in people being more averse to change than before, according to Skinner et al. (2018).
According to Michie and Johnston (2012), basic psychological research over the last century has demonstrated that behaviour and behavioural change follow predictable patterns and that it is, therefore, vital that interventions be guided by accumulated science.This is supported by work from Curry et al. (2018:49) indicating that the motivational antecedents of intent are separate from the volitional drivers of behaviour.They suggest that 'appropriately differentiated treatments' to support behavioural change should 'inform practical security behaviour improvement initiatives'.
User behaviour concerning passwords has a direct effect on computer security (Gehringer 2002:369).Using the determinants of human behaviour, based on the model of McCloy, Campbell and Cudeck (1994), Butler and Butler Convenience is regarded as more important than security.
• Butler and Butler (2015) • Shen et al. (2016) Use complex passwords in terms of composition characters used and length.Use of unsafe password storing practices.
(2014) defined three determinants for individual password performance, namely relevant knowledge of password practices, the capability to successfully combine passwordrelated knowledge with knowing how and being able to apply proper password practices, and the motivation to behave securely.Their password performance model is used as theoretical construct for this research.

Objective of study
The primary objective of this study was to determine the individual SETA needs in South Africa by analysing the following: • The prevalence of poor password practices, to define common SETA focus areas.• The variance between different demographic groups to define focus areas for tailored SETA initiatives.
The results of this study are presented as relative focus areas per poor password practice (Figure 1), as well as a demographical variance heat map to indicate deficiencies in password practices displayed for different demographic groups.These results should be useful to practitioners defining appropriate SETA programmes.Future research in this space could be focussed on the complex interrelatedness of the different demographic factors that sometimes display an interesting cyclic nature, especially with years of Internet experience and number of sites visited that require authentication.
Recommendations made from the observed differences and literature on appropriate interventions make a contribution for practitioners designing SETA interventions.

Research design and measuring instrument
A survey design that targets a large sample of responses, to potentially cover different demographics across five dimensions, was deemed appropriate.Ethical clearance for the research project was obtained from the Departmental Ethical Screening Committee at the academic institution of the authors.
The following steps were followed in the research process: • A literature study was performed to determine best practices for passwords (Table 1) and compile a list of potential deficiencies.• A survey was designed and pilot tested to ensure accuracy and no forced answers from respondents.Because the intent was not inferential statistics and multiple questions per deficiency that would allow for statistical reliability and validity, a minimum of two rounds of pilot testing was deemed necessary to ensure question validity.• The survey was distributed online using a commercial survey site and it was decided not to include an offline survey because the participants could be less likely to fall within the target population of password users.
• The overall password performance was analysed to determine the incidence of improper practices among the entire data set (Figure 1).For purposes of this study, the common improper practices indicated in Table 1 served as the basis to classify 'weak' password behaviour.• Password behaviour displayed was analysed for different demographic groups (Figures 2-7).• An analysis of the variation, for different demographics, was performed to identify areas of focus for tailored SETA programmes based on demographics (Figure 8).

Data collection and analysis
The survey instrument was pilot tested on a sample population of both technology literate and less literate users to ensure construct validity and meaning options for each question or statement.After two rounds of pilot testing and confirmation that all questions were valid, the survey was administered using an online survey tool and distributed via social media (Twitter) and institutional email.Given a desire for a large sample, yet no inferential statistics that would impose strict sampling decisions, a snowball distribution method was used.
A total of 737 useful responses were obtained for analysis.
As the survey questions asked for the prevalence of the different antecedents of poor password practices as indicated in Table 1 via a single question each, statistical validity for multiple statements per construct can thus not be determined.
The analysis was conducted using descriptive statistics (Figures 2-7) and no inferential statistics to any confidence level were performed.Figure 8 represents the performance heat map, indicating the reported difference in behaviour for the different demographic groupings for three defined levels of performance.

Demographics and bias
The demographic composition of the population is presented in Table 2. Comparison of the demographic data with that of South African Internet users shows a potential bias in terms of education levels.This is to be expected given the method of distribution from within the database of an academic institution.Gender and age distribution was deemed representative, and no comparative data sets are available to determine potential bias in terms of the numbers of sites visited nor years of Internet experience.

Research context value contribution
Research about passwords is often conducted within a particular context, such as an organisation that the author has access to.This is often an academic institution (Kruck & Teer 2008;Yan et al. 2004) or particular industry that imposes additional regulatory challenges, like health care (Ghazvini & Shukur 2017), or where the assets protected are particularly attractive, such as financial services.
This research did not aim for, nor was it limited to, a particular context.Practitioners from a broad sphere of applications may be interested in the results.However, the intent is not to use the results to design differentiated SETA programmes but rather to acknowledge the potential difference that may exist in every context and incorporate that into a learning process design.Academics may wish to test for these differences within specific contexts.

Overall password behaviour
Analysis revealed that respondents vary significantly in their password practice proficiency levels.Furthermore, a discrepancy between users' perceptions of their password practices and the reality (practices measured) was evident.A total of 39 respondents (5.3%) perceived that they possessed absolute knowledge of proper password practices.However, only a single respondent (0.1%) was able to demonstrate flawless ability to apply proper password practices and only 21 respondents (2.8%) displayed a perfect 'security first' aptitude when selecting and managing passwords.
The password creation and management practices of respondents were analysed to distinguish between secure and weak password behaviour.Numerous instances of weak password creation and management practices were evident (Figure 1).
The most prevalent poor practices were the simultaneous use of the same passwords (90.1%) and password reuse (77.3%).This was not unexpected because studies by Das et al. (2014) and Wash et al. (2016) highlighted that users have fewer passwords than the number of websites they visit, indicating password reuse.Shay et al. (2010) found that more than 80.0% of their respondents reused or slightly altered passwords for multiple purposes.Wash et al. concluded that 85.0% of respondents reused passwords.The reuse and simultaneous use of passwords is thus an extremely important focus area for SETA, especially where the same passwords are used to protect valuable assets (like online banking) and less valuable, and often less well-protected, Internet sites of a general nature.

Analysis of weak password behaviour per demographic group
The analysis for the customisation of SETA programmes followed a dual approach.Firstly, it was determined which of the weak password practices were more prevalent across the entire population to ensure that these aspects were highlighted across the board for all demographics (Figure 1).Secondly, the prevalence of weak password behaviour within different demographic groups was analysed.The results are presented in Figures 2-7.

Age group
Figure 2 indicates the weak password practices per age group.
The occurrence of weak behaviour decreased for the majority of practices as respondents grew older.A possible reason for this could be that older respondents do not visit as many Internet sites that require authentication with passwords as younger age groups, meaning that they do not have as many passwords to manage, resulting in less password reuse and simultaneous use.A decrease in the extent of password sharing as respondents grew older was noted, supporting the findings of Shay et al. (2010).
A comparison between the age groups and the number of sites accessed that require authentication is shown in Figure 3.It confirms that there is indeed a decreasing trend in the percentage of older respondents who access 15 or more sites requiring authentication, which could explain the decrease in the password deficiencies identified among the older demographics.This limitation of the research does not impact the recommendations to the extent that it would, had the objective been a regression study to define the extent of each individual demographic on the performance.It merely indicates that cross-loading is evident within the selected demographics and should be investigated by future research.
While the majority of poor practices decreased with respondents' age, the practices of using personally meaningful words and numbers, not changing passwords regularly and using unsafe storing practices increased, the older the respondents were.This could indicate that although they visit fewer sites requiring authentication (Figure 3), the age group above 50 years are possibly unaware of the dangers associated with the use of personally meaningful information when creating passwords.This is supported by the increased lack of risk awareness as respondents grew older, not unexpected because older participants are not digital natives who have benefited from a lifelong digital experience, including best practice.

Gender
The results regarding the weak practices that respondents applied, analysed by gender, are contained in Figure 4.Although both genders displayed improper password practices, the areas of deficiency for male and female respondents differed.
There was no notable difference in simultaneous use and unsafe storage practices across gender.A slight variance in the prevalence of the improper practices of regarding ease more important than security when creating passwords, risk not regarded as an important consideration when creating passwords, not using a proper combination of characters to create passwords and password reuse were found.
Although the variance was only slight, females seem to apply these improper practices less often than males.
Although female respondents tended to reuse their passwords less than the male respondents, they were guiltier of using personally meaningful information, shared passwords more often and did not change their passwords as often as the male respondents.
When analysing the number of sites visited requiring authentication, per gender, it was found that almost a similar percentage of each gender accessed 10-14 sites and 15-19 sites.However, significantly more male respondents accessed 20 or more sites, while more females visited 1-9 different sites.Notoatmodjo and Thomborson (2009) found that the more passwords users need to acquire access to sites, the more they tend to reuse passwords.The fact that the male respondents in this study visited more sites requiring authentication could explain why they tended to reuse their passwords more, supporting the study by Bryant and Campbell (2006) but again showing some cross-loading of demographic factors on password performance for future research and analysis.
Despite Figure 4 showing that in general female respondents apply weak password practices to a greater extent than males, interestingly, more than 90% of the top 11 overall password performances indicated in this study, originated from female respondents.

Number of Internet sites accessed
Figure 5 shows the analysis of poor practices based on the number of sites that respondents visit requiring authentication using passwords.
This study showed that the more passwords users have, the more they tend to reuse and simultaneously use their passwords.This confirms the observations from the literature about human memory limitations (Sasse, Brostoff & Weirich 2001:124), resulting in users suffering from 'password overload' when they have more passwords to remember (Notoatmodjo & Thomborson 2009).
The results of this South African study corresponds with the results of a number of international studies that found a correlation between the number of passwords that users have and the following insecure practices that users often apply: • password reuse (Adams & Sasse 1999:42;Carstens et al. 2004;Florencio & Herley 2007:660;Gaw & Felten 2006:48) • the simultaneous use of a password for more than one purpose (Adams & Sasse 1999:42;Carstens et al. 2004;Florencio & Herley 2007:660;Furnell 2005:10).
The number of sites requiring authentication seems to have no significant influence on the following password creation practices: considering ease versus security, considering the risk of the password's use in its creation and the characters used in the composition of passwords.In contrast to research by Furnell (2005:10), this study did not find a distinctive increase in the use of personally meaningful information, not changing passwords regularly or password sharing as the number of passwords increases.

Education
The weak practices analysed per highest level of education appear in Figure 6.While using meaningful words was found to be the highest for graduates, using meaningful numbers increased with levels of education.Although the weak practice of regarding convenience as more important than security increased with education, the lack of risk awareness (i.e.not considering the risk associated with a password's use) when creating passwords seems to have decreased as levels of education increased.It is noticeable that password sharing was the highest among respondents with no formal afterschool qualifications.Very interesting is the increase in unsafe storage with increased education levels.
Some of the variances could again only be properly explained once the cross-loading of factors, such as the higher age associated with higher levels of education or more sites accessed with higher levels of education, was investigated.

Internet experience
The weak practices analysed by years of Internet experience appear in Figure 7.
Years of Internet experience shows significant variance within the categories.Sharing of passwords, for example, peaks for the middle category (10-14 years Internet experience) and is significantly lower for both fewer and more years of Internet experience.It is possible that this trend could again be related to an increase in the numbers of sites accessed.Related poor practices of non-complex composition and meaningful numbers decrease with experience but, surprisingly, both unsafe storage and simultaneous use increased with the years of Internet experience.

Within-sample variation for different demographics
The variation within each demographic group was used to determine if a particular demographic group displayed a higher, or lower, prevalence for the particular measure.
A confidence interval of 10% was selected for a medium focus.Where any demographic group displayed a prevalence of 5% higher than the mean, it is indicated as high and conversely a measure of 5% below the norm indicate a low focus.Figure 8 indicates the extent of the focus for the different improper password practices per demographic group.
From Figure 8 it is evident that areas of higher and lower focus exist within all the demographic groups, meaning that all demographic groups are in need of SETA.Furthermore it shows that the various demographic groups require tailored SETA programmes with different focus areas.
The results confirm that a one-size-fits-all approach for SETA programmes is not ideal.Although it could be argued that 'covering all bases' would be appropriate, relevance is a cornerstone for education and care should be taken to hide the specific knowledge required by an individual user, within a sea of non-relevant information that already shapes a user's behaviour.
However, there is also opportunity within this variance: the construct of social influence is well appreciated in the behavioural change and technology literature and allowing a natural transfer of good practices within diverse groups, although challenging, could have significant impact.

Conclusion
Although this study showed that there is a substantial incidence of poor password practices among South African computer users, research by Furnell and Esmael (2017)   http://www.sajim.co.zaOpen Access online security, even more so because the risks that users are exposed to are continuously changing.Furnell (2008:9) warns that designers of SETA programmes must be wary of the 'build it and they will come' approach.It is essential that the relevant users, who need to hear the message, should be 'attracted' to the education message.This can only be achieved by using the most appropriate method of communication, which could be tailored for different demographic groups.Although the design of the message falls outside the scope of this research, it is important that appropriate messages for different demographic groups form part of SETA initiatives.
This article makes a contribution by showing the differences in overall poor password practices for South African online consumers (Figure 1), as well as per demographic group (Figure 8).The findings will allow for the design of targeted SETA initiatives to help create the security culture alluded to in the South African Cyber Security Policy Framework.A second contribution of this research is that it confirms that there are indeed differences between the different demographic groups, for certain password practices, and that one-size-fits-all SETA initiatives will not be appropriate.
However, it is not recommended that the differences displayed in this research be used as the basis for such design.Given the variations for different demographic groups, as well as the cross-loading effect between the groups, an appropriate SETA design should commence with individualised assessments of the recipient's current password practices.This research contributes by providing the set of practices that should be assessed to design individualised SETA for the individuals, or if required groups, who display particular poor password behaviour.

FIGURE 1 :
FIGURE 1: Improper password practices for total data set.

FIGURE 3 :
FIGURE 2: Weak password practices per age group.

FIGURE 6 :FIGURE 7 :
FIGURE 6: Weak password practices per highest level of education.

TABLE 1 :
Studies on common password practices.

TABLE 2 :
Demographic composition of population.
has shown that security-related information, guidance and feedback can positively influence secure behaviour.It has been argued that appropriate interventions can contribute to