Transparent password policies: A case study of investigating end-user situational awareness

Bullo, Alberto, Stavrou, Eliana (ORCID: 0000-0003-4040-4942) and Stavrou, Stavros (2017) Transparent password policies: A case study of investigating end-user situational awareness. International Journal on Cyber Situational Awareness (IJCSA), 2 (1). pp. 85-89. ISSN 2057-2182

PDF (Version of Record) - Published Version
Available under License Creative Commons Attribution.


Official URL: https://doi.org/10.22619/IJCSA.2017.100116

Abstract

Transparent password policies are utilized by organizations in an effort to relieve the user of the burden of configuring authentication settings while maintaining a high level of security. However, authentication transparency can challenge security and usability and can impact the awareness of the end-users with regard to the protection level that is realistically achieved. For authentication transparency to be effective, the triptych security – usability – situational awareness should be considered when designing relevant security solutions. Although various efforts have been made in the literature, the usability aspects of the password selection process are not well understood or addressed in the context of end-user situational awareness. This research work specifies three security- and usability-related strategies that represent the organizations', the end users' and the attackers' objectives with regard to password construction. Understanding each actor's perspective can greatly assist in increasing situational awareness with regard to the usage and effectiveness of authentication controls. Furthermore, a case study is presented to evaluate if, and in what way, transparent password policies that isolate users' involvement can affect the perspective of the end-user with regard to the security situation. Results showed that the transparent approach utilized created a negative situation: users were not aware of, and never dealt with, changing or trying to alter default security settings, leaving their home network vulnerable to external attacks. Finally, initial recommendations are made to organizations that would like to implement and evaluate transparent authentication controls.
