Abstract
In spite of the number of public advice campaigns, researchers have found that individuals still engage in risky password practices. There is a dearth of research available on individual differences in cyber security behaviors. This study focused on the risky practice of sharing passwords. As predicted, we found that individuals who scored high on a lack of perseverance were more likely to share passwords. Contrary to our hypotheses, we found older people and individuals who score high on self-monitoring were more likely to share passwords. We speculate on the reasons behind these findings, and examine how they might be considered in future cyber security educational campaigns.
Introduction
Despite the number of government education campaigns to change problematic online behaviors, many individuals still engage in risky password practices, such as sharing passwords, using the same password over multiple platforms, and using passwords that can be easily cracked.1–5 Given that such actions can potentially lead to undesirable outcomes for the individual (e.g., identity theft, theft from bank accounts, fraud, etc.), it is important to find new ways to prevent risky security practices. This is especially important given that passwords are the default authentication mechanism on all “secure” systems on the Internet. Research that identifies the type of person who is more likely to engage in risky cyber security practices could assist in reducing the likelihood of these insecure practices. Such knowledge could help develop more appropriate campaigns, as well as target the individuals who are more likely to engage in poor security practices. As Wiederhold6(p131) has pointed out, “psychology, through its insight into human nature, has a crucial role to play in mitigating” risky cyber security practices. This paper helps add to the literature on poor security practices by focusing on the risky practice of sharing passwords. This behavior is of interest, as it is inherently risky—not only is the person effectively surrendering their digital identity to another user (who could misuse the data it is protecting), he/she is also increasing the risk to that particular security “token.” The person with whom the password has been shared might engage in risky security practices, hence dramatically increasing the risk associated to the token.
Researchers have found that individuals are typically aware of what good password management entails.7,8 Nonetheless, it has been found that despite understanding security risks, individuals are still inclined to take risks because they are unrealistically optimistic and believe that negative events are less likely to happen to them,9 they are unable to perceive any immediate negative consequences,7 or they make a convenience–security trade-off.7
In addition to these specific motivations, there might be individual factors that distinguish users who engage in risky cyber security behaviors. To date, individual differences in problematic security practices have received little attention in the psychological literature. Identifying the type of person who is more likely to make poor security decisions could assist in improving public awareness campaigns.
This paper specifically examined the type of person who is more likely to share passwords. We focused here on personality theory and work on the digital divide. Given the dearth of literature available on the topic, the hypotheses are based on the scant available literature available on individual differences and online security, as well as the research on how individuals with certain personality characteristics typically behave in their everyday lives. The results reported in this paper are part of a much larger study that examined password decision making. The hypotheses are outlined below.
Age
Older adults tend to be less knowledgeable about Internet security compared with younger users.10 Given the “digital divide”11 between younger and older Internet users, our first hypothesis is:
H1: Older people are more likely to share passwords compared with younger people.
Impulsivity
Individuals who score high on impulsivity questionnaires are individuals who tend to act on a whim, displaying behaviors characterized by little forethought or consideration of the consequences of their actions.12 Although impulsivity, to our knowledge, has not previously been considered with regards to online security, it would be reasonable to presume that these types of people are less secure online, as they are likely to focus on the short-term goal (getting an account) rather than the long-term security implications. The second hypothesis is:
H2: Individuals who score high on measures of impulsivity are more likely to share passwords compared with those who score low on impulsivity.
Self-monitoring
Individuals who are high self-monitors are more likely to observe and regulate their expressive behaviors. These individuals are typically sensitive to social and situational cues and alter their behavior accordingly.13 Given that individuals who score high on self-monitoring tend to consider their social surroundings prior to acting out, we might expect them to be more considerate of how others would view them should they undertake risky practices. The third hypothesis is:
H3: Individuals who score high on measures of self-monitoring are more likely to share passwords compared with those who score low on self-monitoring.
Locus of control
Locus of control refers to an individual's belief about control over his/her environment. People who have an internal locus of control have the conviction that events are contingent upon one's behavior. Those with an external locus of control believe that events do not depend upon their actions, but rather upon luck, chance, or fate.14 Those with an external locus of control have been found to engage in more risky activities.15 If individuals believe that they have little control over whether someone compromises their data, it is reasonable to presume they will be less likely to behave securely online. The fourth hypothesis is:
H4: Individuals who score high on measures of internal locus of control are more likely to share passwords compared with those who score high on external locus of control.
Knowledge of cyber security
Although the research has found that the general population are typically aware of online security,7 there are still clear distinctions between experts and nonexperts regarding basic security behaviors, such as patching and updating software.16 Having a greater knowledge about online security could impact on cyber security practices. Therefore, our fifth and final hypothesis is:
H5: Individuals who believe they are more knowledgeable about cyber security issues are more likely to share passwords compared with those who believe they are less knowledgeable.
Methods
Participants
Participants were invited to take part in the study via professional association mailing lists. Moderators of the lists were contacted and asked to place a message on their list inviting their users to partake in our study. The lists appeared to have hundreds of users. One list focused on cyber security issues, and five lists focused on the arts or social sciences. We focused on these lists to ensure we included both cyber security experts and nonexperts in our sample. Overall, the sample represented a broad range of knowledge about cyber security issues.
In the period from June 5, 2013, to September 7, 2013, 910 participants accessed the survey. Of these, 630 completed the survey in full and indicated that their data could be used for analysis. In order to avoid cultural bias, we only included those residing in the UK in our final sample. Additionally, one individual was excluded for being too young to give consent to complete the survey (16 years), and two individuals were excluded for providing an unlikely age (103 and 107 years). After excluding participants, 497 participants (295 male) remained, with a mean age of 41.86 years (SD=13.38; range 18–72 years).
Materials
Data were collected using a questionnaire hosted on the Qualtrics online survey platform. The questionnaire comprised a number of scales, represented online using individual or matrix-style layouts with responses entered via radio buttons, drop-down menus, or free text entry as appropriate. Password sharing was assessed using a single yes/no question: “Have you ever shared any of your passwords with anyone?”
Impulsivity was measured using the UPPS-R Impulsivity Scale.12 The 45-item scale measures a person's tendency to act on whim, displaying behaviors characterized by little forethought or consideration of the consequences of their actions. The scale comprises four subscales: lack of premeditation (11 items), urgency (12 items), sensation seeking (12 items), and lack of perseverance (10 items). Possible scores range from 11 to 44 for the lack of premeditation subscale, from 12 to 48 for both the urgency and sensation seeking subscales, and from 10 to 40 for the lack of perseverance subscale. A lower score indicates low impulsivity for that dimension. In the current study, each of the subscales demonstrated good internal consistency (Cronbach's α=0.85, 0.89, 0.87, and 0.82 for lack of premeditation, urgency, sensation seeking, and lack of perseverance respectively).
Self-monitoring was measured using the original version of the Self-Monitoring Scale.12 The 25-item scale measures a person's tendency to monitor (regulate, control, and observe) their behavior and image in interpersonal relationships and social situations. For each item on the scale, participants indicate whether a statement is true or false description of how they act or react in social situations. Possible scores range from 0 to 25, with a lower score indicating low self-monitoring. In the current study, the scale demonstrated good internal consistency (Cronbach's α=0.74).
Locus of control was measured using the Internal–External Control scale.13 The 29-item scale measures a person's general tendency for an internal or external locus of control. For each item on the scale, participants indicate which of two statements they agree with most. Possible scores range from 0 to 23, with a lower score indicating a more internal locus of control insofar as a participant believes that everyday events are contingent on his or her own behavior. In the current study, the scale demonstrated good internal consistency (Cronbach's α=0.75).
Knowledge of cyber security was measured using a single question. Participants were asked to rate their knowledge about cyber security issues on a 5-point Likert scale. Overall, 24% rated themselves as “very knowledgeable,” 41% as “somewhat knowledgeable,” 26% as “about average,” 6% as “somewhat unknowledgeable,” and 2% as “very unknowledgeable.” Cyber security experts were significantly more knowledgeable about cyber security than nonexperts, Mann–Whitney U=15,803.500, W=37,958.500, Z=−9.563, p<0.001.
Procedure
Participants were asked to complete a number of demographic items, followed by the password sharing and knowledge of cyber security question, and finally the personality questionnaires. They were debriefed at the end of the questionnaire, and given a summary of their personality scores. They were also given the opportunity to leave contact details to be entered in a draw for a £500 Amazon voucher (the opportunity to enter the draw was explained in the initial participant information). Finally, they were given details of where they could access a summary of the findings once the study had been completed.
Results
All five hypotheses were tested simultaneously using standard forced entry binary logistic regression, with password sharing as the outcome variable—either participants had shared passwords in the past or they had not. As summarized below, one of our hypotheses was supported.
Overall, 51.1% had shared their passwords in the past. Table 1 summarizes the descriptive statistics for means broken down by those who had shared and not shared passwords.
Table 1.
Descriptive Statistics for Possible Predictors of Password Sharing
| Shared passwords | Had not shared password | All participants | ||||
|---|---|---|---|---|---|---|
| M | SD | M | SD | M | SD | |
| Cyber security knowledge | 3.70 | 0.95 | 3.90 | 0.94 | 3.79 | 0.95 |
| Age | 39.94 | 13.70 | 43.87 | 12.76 | 41.86 | 13.38 |
| Locus of control (I–E) | 11.39 | 4.07 | 10.95 | 4.33 | 11.18 | 4.20 |
| Self-monitoring | 12.54 | 4.32 | 10.85 | 4.46 | 11.71 | 4.47 |
| Lack of premeditation | 21.76 | 5.13 | 20.43 | 4.45 | 21.11 | 4.85 |
| Urgency | 28.08 | 6.66 | 25.39 | 5.99 | 26.77 | 6.48 |
| Sensation seeking | 31.72 | 7.61 | 32.21 | 7.24 | 31.96 | 7.43 |
| Lack of perseverance | 19.98 | 4.83 | 18.28 | 4.04 | 19.15 | 4.53 |
I-E, Internal-External Control scale.
Impulsivity was considered using the four subscales. The overall model was statistically significant in predicting whether an individual had shared passwords, χ2(8)=49.69, p<0.001, though the amount of variance explained was low (Cox and Snell R2=0.10) The model correctly predicted whether participants had shared passwords for a good proportion (62.6%) of cases.
Table 2 demonstrates that only one of our hypotheses was supported (and only in part), with those who scored high on lack of perseverance more likely to share their passwords, B=0.05, Wald=4.29, p=0.04. We obtained two further significant results, albeit in the opposite direction to what was predicted. Younger people were more likely to share passwords compared with older people, B=−0.02, Wald=5.06, p=0.02, and those who scored high on self-monitoring were more likely to share passwords compared with those who scored low, B=0.07, Wald=9.65, p<.001.
Table 2.
Binary Logistic Regression: Predictors of Password Sharing
| B | SE | Wald | df | p | Exp(B) | |
|---|---|---|---|---|---|---|
| Cyber security knowledge | 0.18 | 0.10 | 3.10 | 1 | 0.08 | 1.20 |
| Age | −0.02 | 0.01 | 5.06 | 1 | 0.02* | 0.98 |
| Locus of control (I–E) | −0.03 | 0.03 | 1.38 | 1 | 0.24 | 0.97 |
| Self-monitoring | 0.07 | 0.02 | 9.64 | 1 | 0.00*** | 1.07 |
| Lack of premeditation | 0.02 | 0.02 | 0.39 | 1 | 0.53 | 1.02 |
| Urgency | 0.03 | 0.02 | 3.74 | 1 | 0.05 | 1.04 |
| Sensation seeking | −0.02 | 0.01 | 2.31 | 1 | 0.13 | 0.98 |
| Lack of perseverance | 0.05 | 0.03 | 4.29 | 1 | 0.04* | 1.05 |
Note. For the password sharing variable: 0=participant had not shared passwords in the past; 1=participant had shared passwords in the past.
p<0.05 (two-tailed); **p<0.01 (two-tailed); ***p<0.001 (two-tailed).
Discussion
There is a dearth of research on the psychological characteristics of those who engage in risky cyber security practice. This study highlighted the importance of understanding the types of people who are more likely to engage in the risky behavior of sharing passwords. Importantly, we identified a number of significant variables, suggesting that personality, in part, plays a role in predicting the type of person who is more likely to share passwords. However, we did find that only one of our hypotheses was supported.
Demographic characteristics
Age was a significant predictor of sharing passwords. However, the direction of the result was the opposite of what we hypothesized. Younger people were more likely to share passwords compared with older people. It would be interesting to learn more about with whom younger people are sharing passwords and why younger people are more likely to share passwords. It might be that younger people have more opportunities to share passwords, given they potentially have more family and friends who are active online compared with older people. Moreover, they may have a range of data (some of which is more important to protect, such as bank account details, and some less so, such as photo sharing services). Although this result is the opposite of what we predicted, it is nonetheless an important finding. It suggests that educational campaigns need to ensure they are including young people as their target audience.
Personality variables
For our hypothesis on impulsivity, we found that only one of the subscales was significant: perseverance. Perseverance measures the ability to remain with a task until completion and avoid becoming bored. It might be that one of the motives for sharing passwords is to delegate an online task to others to complete in order to minimize boredom and personal effort on the task. This might explain why those who score high on a lack of perseverance were more likely to share passwords. The nonsignificant results for lack of premeditation, urgency, and sensation seeking also suggest that those who are more rash, more likely to make spur of the moment decisions, and seek out risky activities are not more likely to share passwords.
Self-monitoring was a significant predictor of sharing passwords. However, the direction of the result was the opposite of what we hypothesized. Instead, we found that those who score high on self-monitoring were significantly more likely to share passwords compared with those who score low on this measure. Although the result is opposite to what we expected, it is an important finding. Perhaps those who score high on self-monitoring are more likely to feel pressured by others to share their passwords, thereby compromising security to appease other people. Further research is needed to test out this explanation.
Knowledge about cyber security
It is especially interesting that knowledge about cyber security did not distinguish between those who share passwords and those who do not share passwords. Researchers have found that individuals are generally aware of what constitutes good cyber security practices,7 and, as with previous research, our study demonstrates that knowledge is not enough to change problematic cyber security behaviors when it comes to sharing passwords. Our research cannot speak for the motivations behind individuals' decisions to share passwords. However, we have learned that personality, at least, plays a minor role. The results of our study provide evidence that campaigns need to go beyond providing information about cyber security if poor practices are to be changed.
Conclusions
As Wiederhold6 has empathically argued, psychology plays an important role in providing answers to why individuals engage in risky cyber security practices. This research reinforces this view. We found a number of variables that predict the risky practice of sharing passwords: age, perseverance, and self-monitoring. Although not all our significant results were in the direction we hypothesized, they nonetheless provide us with an important picture of who is sharing passwords. We have speculated on the reasons why these types of people are more likely to engage in such risky practices. Further research is needed to test out our speculations. Those creating public awareness campaigns could benefit from our study to help them refocus on the messages they tell individuals, as well as the types of individuals they choose to target.
Acknowledgments
The work reported in this paper was supported by award EP/J004995/1: An Exploration of Superidentity, from the UK Engineering and Physical Sciences Research Council. Colleagues on this grant are thanked for helpful contributions to the current work.
Author Disclosure Statement
No competing financial interests exist.
References
- 1.Carstens DS. (2009) Human and social aspects of password authentication. In Gupta M, Sharman R, eds. Social and human elements of information security: emerging trends and countermeasures. Hershey, PA: Information Science Reference Global, pp. 1–14 [Google Scholar]
- 2.Hoonakker P, Bornoe N, Carayon P. (2009) Password authentication from a human factors perspective: results of a survey among end-users. In Proceedings of the Human Factors and Ergonomics Society 53rd Annual Meeting San Antonio, TX: SAGE, pp. 459–463 [Google Scholar]
- 3.Lorenz B, Kikkas K, Klooster A. (2013) “The four most-used passwords are love, sex, secret, and god”: password security and training in different user groups. In Human aspects of information security, privacy, and trust (Lecture Notes in Computer Science 8030), Las Vegas, NV. Berlin: Springer-Verlag, pp. 276–283 [Google Scholar]
- 4.Stanton JM, Stam KR, Mastrangelo P, et al. Analysis of end user security behaviors. Computers & Security 2005; 24:124–133 [Google Scholar]
- 5.Zviran M, Haga WJ. Password security: an empirical study. Journal of Management Information Systems 1999; 15:161–186 [Google Scholar]
- 6.Wiederhold BK. The role of psychology in enhancing cybersecurity. Cyberpsychology, Behavior, & Social Networking 2014; 17:131–132 [DOI] [PubMed] [Google Scholar]
- 7.Tam L, Glassman M, Vandenwauver M. The psychology of password management: a tradeoff between security and convenience. Behaviour & Information Technology 2010; 29:233–244 [Google Scholar]
- 8.Von Zezschwitz E, De Luca A, Hussmann H. (2013) Survival of the shortest: a retrospective analysis of influencing factors on password composition. In Human-Computer Interaction—INTERACT 2013, Cape Town, South Africa. Berlin: Springer-Verlag, pp. 460–467 [Google Scholar]
- 9.Campbell J, Greenauer N, Macaluso K, et al. Unrealistic optimism in Internet events. Computers in Human Behavior 2007; 23:1273–1284 [Google Scholar]
- 10.Grimes GA, Hough MG, Mazur E, Signorella ML. Older adults' knowledge of Internet hazards. Educational Gerontology 2010; 36:173–192 [Google Scholar]
- 11.Van Deursen AJ, Van Dijk JA. The digital divide shifts to differences in usage. New Media & Society 2014; 16:507–526 [Google Scholar]
- 12.Whiteside SP, Lynam DR. The five factor model and impulsivity: using a structural model of personality to understand impulsivity. Personality & Individual Differences 2001; 30:669–689 [Google Scholar]
- 13.Snyder M. Self-monitoring of expressive behavior. Journal of Personality & Social Psychology 1974; 30:526–537 [Google Scholar]
- 14.Rotter JB. Generalized expectancies for internal versus external control of reinforcements. Psychological Monographs 1966; 80:Whole No. 609 [PubMed] [Google Scholar]
- 15.You X, Ji M, Han H. The effects of risk perception and flight experience on airline pilots' locus of control with regard to safety operation behaviors. Accident Analysis & Prevention 2013; 57:131–139 [DOI] [PubMed] [Google Scholar]
- 16.Creese S, Hodges D, Jamison-Powell S, et al. (2013) Relationships between password choices, perceptions of risk and security expertise. In Human Aspects of Information Security, Privacy, and Trust (Lecture Notes in Computer Science 8030), Las Vegas, NV. Berlin: Springer-Verlag, pp. 80–89 [Google Scholar]