Rational security: Modelling everyday password use
References
Acquisti, 2005, Privacy and rationality in individual decision making, IEEE Security and Privacy, 3, 26, 10.1109/MSP.2005.22
Allen, 1990, User models: theory, method, and practice, International Journal of Man–Machine Studies, 32, 511, 10.1016/S0020-7373(05)80032-X
Anderson, 1990
Anderson, 2001, Reflections of environment in memory, Psychological Science, 2, 396, 10.1111/j.1467-9280.1991.tb00174.x
Anderson, R., 2001. Why information security is hard—an economic perspective. In: Proceedings of the 17th Annual Computer Security Applications Conference, ACSAC'01, New Orleans, USA, pp. 10–14.
Baldwin, A., Beres, Y., Duggan, G.B., Cassa Mont, M., Johnson, H., Middup, C., Shiu, S., 2011. Economic methods and decision making by security professionals. In: Proceedings of the Tenth Workshop on Economics and Information Security, WEIS 2011, Fairfax, USA.
Beautement, 2009, The economics of user effort in information security, Computer Fraud & Security, 10, 8, 10.1016/S1361-3723(09)70127-7
Bonneau, J., Preibusch, S., 2010. The password thicket: technical and market failures in human authentication on the web. In: Proceedings of the Ninth Workshop on Economics and Information Security, WEIS 2010, London, UK.
Browne, 2004, Stopping rule use during information search in design problems, Organizational Behavior and Human Decision Processes, 95, 208, 10.1016/j.obhdp.2004.05.001
Carter, S., Mankoff, J., 2005. When participants do the capturing: the role of media in diary studies. In: Proceedings of the ACM Conference on Human Factors in Computing Systems, pp. 899–908.
Cohen, 2007, Should I stay or should I go? How the human brain manages the trade-off between exploitation and exploration, Philosophical Transactions of the Royal Society B: Biological Sciences, 362, 933, 10.1098/rstb.2007.2098
Collinson, 2009, A logical and computational theory of located resource, Journal of Logic and Computation, 19, 1207, 10.1093/logcom/exp021
Collinson, M., Monahan, B., Pym, D., 2010. Semantics for structured systems modelling and simulation. In: Proceedings of the Third International ICST Conference on Simulation Tools and Techniques, Torremolinos, Spain.
Cranor, L.F., 2008. A framework for reasoning about the human in the loop. In: Proceedings of the First Conference on Usability, Psychology and Security.
Ebbinghaus, 1964
Ericsson, 1988, An experimental analysis of a memory skill for dinner-orders, Journal of Experimental Psychology: Learning, Memory and Cognition, 14, 305, 10.1037/0278-7393.14.2.305
Fischer, 2001, User modeling in human–computer interaction, Journal of User Modeling and User-Adapted Interaction, 11, 65, 10.1023/A:1011145532042
Florencio, D., Herley, C., 2007. A large scale study of web password habits. In: Proceedings of the 16th International Conference on World Wide Web, Banff, Alberta, Canada, pp. 657–666.
Florencio, D., Herley, C., 2010. Where do security policies come from? In: Proceedings of the Symposium on Usable Privacy and Security, SOUPS'10, Redmond, USA.
Gaw, S., Felten, E.W., 2006. Password management strategies for online accounts. In: Proceedings of the Symposium on Usable Privacy and Security, SOUPS'06, Pittsburgh, USA, pp. 44–55.
Grawemeyer, 2011, Using and managing multiple passwords: a week to a view, Interacting with Computers, 23, 256, 10.1016/j.intcom.2011.03.007
Herley, C., 2009. So long and no thanks for the externalities: the rational rejection of security advice by users. In: Proceedings of the New Security Paradigms Workshop, NSPW'09, Oxford, UK.
Hoonakker, P., Bornoe, N., Carayon, P., 2009. Password authentication from a human factors perspective: results of a survey among end-users. In: Proceedings of the Human Factors and Ergonomics Society 53rd Annual Meeting, San Antonio, USA, pp. 459–463.
Howes, 2009, Rational adaptation under task and processing constraints: implications for testing theories of cognition and action, Psychological Review, 116, 717, 10.1037/a0017187
Inglesant, P., Sasse, M.A., 2010. The true cost of unusable password policies: password use in the wild. In: Proceedings of the ACM Conference on Human Factors in Computing Systems, CHI'10, Atlanta, USA, pp. 382–392.
Ives, 2004, The domino effect of password reuse, Communications of the ACM, 47, 75, 10.1145/975817.975820
Jensen, 2005, Privacy practices of Internet users: self reports versus observed behavior, International Journal of Human-Computer Studies, 63, 203, 10.1016/j.ijhcs.2005.04.019
Johnson, 2003, Towards modeling individual and collaborative construction of jigsaws using task knowledge structures (TKS), ACM Transactions on Computer–Human Interaction, 10, 339, 10.1145/966930.966934
Johnson, 1989, Integrating task analysis into system design surveying designers needs, Ergonomics, 32, 1451, 10.1080/00140138908966917
Kahneman, 2003, A perspective on judgement and choice: mapping bounded rationality, American Psychologist, 58, 697, 10.1037/0003-066X.58.9.697
Komanduri, S., Shay, R., Kelley, P.G., Mazurek, M.L., Bauer, L., Christin, N., Cranor, L.F., Egelman, S., 2011. Of passwords and people: measuring the effect of password-composition policies. In: Proceedings of the ACM Conference on Human Factors in Computing Systems, CHI'11, Vancouver, Canada, pp. 2595–2604.
Keith, 2007, The usability of passphrases for authentication: an empirical field study, International Journal of Human–Computer Studies, 65, 17, 10.1016/j.ijhcs.2006.08.005
McCrickard, 2003, A model for notification systems evaluation—assessing user goals for multitasking activity, ACM Transactions on Computer–Human Interaction, 10, 312, 10.1145/966930.966933
Miller, 2002
Muth, 1961, Rational expectations and the theory of price movements, Econometrica, 29, 315, 10.2307/1909635
O'Neill, 1999, Representations and user-developer interaction in cooperative analysis and design, Human–Computer Interaction, 14, 43, 10.1207/s15327051hci1401&2_3
Pawson, 1997
Parkin, S., van Moorsel, A., Inglesant, P., Sasse, M.A., 2010. A stealth approach to usable security: helping IT security managers to identify workable security solutions. In: Proceedings of the New Security Paradigms Workshop, NSPW'10, Concord, USA.
Payne, 2007, Discretionary task interleaving: heuristics for time allocation in cognitive foraging, Journal of Experimental Psychology: General, 136, 370, 10.1037/0096-3445.136.3.370
Rieman, J., 1993. The diary study: a work-place-oriented research tool to guide laboratory efforts. In: Proceedings of the ACM Conference on Human Factors in Computing Systems, pp. 321–326.
Salkovskis, 2002, Empirically grounded clinical interventions: cognitive-behavioural therapy progresses through a multi-dimensional approach to clinical science, Behavioural and Cognitive Psychotherapy, 30, 3, 10.1017/S1352465802001029
Sasse, 2001, Transforming the “weakest link”: a human–computer interaction approach to usable and effective security, BT Technical Journal, 19, 122, 10.1023/A:1011902718709
Schneier, 2000
Shay, R., Komanduri, S., Kelley, P.G., Leon, P.G., Mazurek, M.L., Bauer, L., Christin, N., Cranor, L.F., 2010. Encountering stronger password requirements: user attitudes and behaviors. In: Proceedings of the Symposium on Usable Privacy and Security, SOUPS'10, Redmond, USA.
Simon, 1957
Spiekermann, S., Grossklags, J., Berendt, B., 2001. E-privacy in 2nd generation e-commerce: privacy preferences versus actual behavior. In: Proceedings of the ACM Conference of Electronic Commerce, EC'01, pp. 38–47.
Vu, 2007, Improving password security and memorability to protect personal and organizational information, International Journal of Human–Computer Studies, 65, 744, 10.1016/j.ijhcs.2007.03.007
Wiedenbeck, 2005, PassPoints: design and longitudinal evaluation of a graphical password system, International Journal of Human–Computer Studies, 63, 102, 10.1016/j.ijhcs.2005.04.010
Wild, P.J., Johnson, P., Johnson, H., 2004. Towards a composite modelling approach for multitasking. In: Proceedings of the Third International Workshop on Task Models and Diagrams for User Interface Design, TAMODIA'04, Prague, Czech Republic, pp. 17–24.
Wogalter, 2006, Communication-human information processing (C-HIP) model
Yan, 2004, Password memorability and security: empirical results, IEEE Security and Privacy, 2, 25, 10.1109/MSP.2004.81
Zviran, 1999, Password security: an empirical study, Journal of Management Information Systems, 15, 161, 10.1080/07421222.1999.11518226