More than two decades ago, Adams and Sasse in their highly cited seminal work1 challenged the belief widely held—among IT security professionals—that users are the enemy within an organization—the one who does not care about security and subsequently behaves in a threatening way. While much effort has been undertaken by the research community since then to take the burden from end users and to make security systems more usable,6 it seems the situation in organizational security has not improved. According to a survey4 conducted by an online community for IT security professionals—a majority of these professionals still deems "users who are negligent or break the security policy" as "the top data breach risk." Also, as Herley suggests,7 there can be rational reasons why users do not follow security advice, simply because the cost of following it can be higher than the benefits.
At Masaryk University (MU)—a Czech university with approximately 30,000 students—we wanted to find out more about the current state of affairs from the user perspective: Do users (still not) follow the security policy? At the same time, the fact that our university IT infrastructure management had the intention to redesign the (outdated) security directive, constituted an ideal opportunity for us to deeper investigate the topic.
A security directive (a.k.a. information security policy) is a high-level document that builds the basis for defining, communicating, and enforcing an organization's information security strategy. It describes the principles a user must follow to support the protection of an organization's assets (for example, technical infrastructure or knowledge). Some people believe (and we were of this belief too) that having a usable security directive is the cornerstone for motivating users to behave securely.2 Similarly, security decision makers have been repeatedly criticized when they ignored usability aspects in security directive design.9
We tried to improve our security directive to motivate users to follow it. Yet our faith has been hit hard—as we describe in some detail here, but it was not a wasted effort at all. The data we obtained as a side effect shows a new perspective on this area.
Improving the Directive
Six years ago, we had the great opportunity to participate in the modernization of security directive at MU and since we were keen to find the truth, we decided then that besides the implementation of modern trends into the directive,8 we would also design surveys to measure the impact of these changes on the (user self-)reported security behavior. Both legal and IT teams invested quite some effort, as did the university management, hoping the university directive will be easier to follow in practice (its umbrella design is followed by additional documents and measures such as user training, emphasis on a single point of contact to ease communication about incidents, and so forth) and more usable (in terms of accessibility and ease of reading), thus also read by more students and that this would positively contribute to improving their security behavior.
The directive for "Management and Use of Computer Networks of MU" was subsequently modified to the "Use of Information Technology" directive focusing on acceptable use (for work and study tasks, and so forth), behavior during security incidents and protection of authentication data. Within the redesign process, the directive length shrank from 5.5 pages to two pages; moreover, the new directive carried significantly less definitions. Previously mentioned technical issues that did not concern all users (for example, administrator tasks or network hierarchy) were removed, access rights issues shrank to one sentence, and privacy issues were left for a specific directive. Eventually, no sanctions were specified.
Obviously, the directive also concerns the interaction with the MU information system (IS), since students use the IS for critical tasks including registration of courses, exam terms, access study materials, grades, and use the IS email front-end for communication with staff.
Our Study: Better Directive = Better Security?
To find out, we organized a longitudinal study at MU—where we aimed to investigate both security attitudes/ behavior and knowledge of the institutional security directive. The study repeatedly ran in years 2015, 2017, and 2018-2019 corresponding to three phases of institutional life: before the release of a (redesigned) directive (that then happened with a delay in September 2017); two months after the release through standard institutional channels; and finally after a campaign on several security issues like password sharing, extent of malware, or access abuse victims, and so forth.
When we eventually started to analyze the obtained data after the third survey round, we discovered surprising results that led to heated discussions among the research team members.
The campaign we coordinated before the third phase took advantage of the university magazine (the only university-wide periodical) with both online and paper versions. We had a front-page attractor in the print version (6,000 copies), presented surprising results from the first phase, with poor password security. We also emphasized the existence of the new security directive. To increase visibility, the article was promoted via three campaigns on different Facebook groups that reached approximately 15,000 people. For the online version, we achieved 966 unique article page views (650 thanks to Facebook). The article was approximately 1,000 words, and with the measured average time spent on the article page five minutes and one second, the article was read in full considering the average reading speed of approximately 200 words per minute.11
The survey was conducted in MU computer halls available to all MU students. At a student login, the study questionnaire was displayed to each student, with the possibility to completely skip it (and sometimes to be presented at next login). Students of all nine faculties (schools) of MU were exposed to the study, with the primary aim to avoid focus on students of selected disciplines, for example, computing. We had 613 respondents in 2015, 1,100 in 2017, and 1,309 in 2019. They were females at 52.7%, 62.3% and 63.3% in the respective years, with average age 22.98, 22.24, and 22.11.
When we eventually started to analyze the obtained data after the third survey round, we discovered surprising results that led to heated discussions among the research team members. While the results of the directive-related questions were relatively easy to interpret (as unsatisfying), the opinions of what constitutes "bad" or "good" security behavior naturally widely diverged in a multidisciplinary research team consisting of a psychologist, a sociologist, an engineer, computer scientists, and people in management positions. Although security behavior is not yet ideal, we concluded it is quite reasonable under the given context—the majority of users not having read the directive—as we describe here.
Users Read the Directive Less and Less …
The percentage of users who never read the security directive increased significantly over time (see Figure 1; all following results reported here—if not explicitly noted otherwise—were checked for statistical significance at p < 0.05), as did the percentage of those who declared to know nothing of the directive. Please note the answer scales to most of the survey items were grouped and dichotomized to clearly show the differences in behavior and knowledge. The knowledge on matters regulated by the directive also decreased: While 43.6% of respondents (correctly) attested the directive regulates their use of laptops in a dorm network in 2015, the same was attested only by 34.9% in 2017 and 34.1% in 2019. For a private smartphone connected to the university Wi-Fi network, the difference was non-significant but there was a decrease from the first wave (by 4 and 1.8 percentage points, respectively)—31.3% in 2015, 27.3% in 2017, and 29.5% in 2019. These findings negatively surprised us and security decision makers at MU, especially as related studies hint at much lower non-reading rates among employees.5
Figure 1. The graph reports the share of users that never read the directive and the share of users reporting to not know the content. These trends contrast with the decreasing share of users that shared their MU password.
Yet User Security Behavior Is Not that Bad
However, users also reported protecting their computers at levels that we deem quite reasonable and without any significant changes during the period of our study (with the exception of updating applications, where the percentage of users who do not regularly knowingly update increased from 30% in 2015, to 36% in 2017, and 34% in 2019)—only about 30% do not regularly update their OS (or maybe are not aware of this happening), only 12% do not use (or are not aware this being built in their OS) up-to-date malware protection and just 5% report not using a firewall (again, they may not even be aware of this being included in their OS setting). We consider these to be quite positive findings.
Locking a workstation in use when leaving the computer hall is another dimension we investigated. As Figure 2 shows, we discovered improving trends in terms of the percentage of users who lock their screens when they leave their workplace.
Figure 2. The graph shows trends in computer locking through the three data collections for three different reasons of leaving the computer hall—for lunch (blue), coffee/drinks (orange), and a phone call (grey).
Viewing the same situation from a different viewpoint, we wanted to find out the percentage of users who would do something about somebody else's unlocked computer when passing by, following the principle "If you see something, do something." Here, while the percentage of users who would not do anything at all about another user's unlocked computer decreased, we consider it still unpleasantly high—it was 78.5% in 2015, 73.7% in 2017, and 70.0% in 2019.
User behavior when dealing with passwords comes with both positive and negative observations.
User behavior when dealing with passwords comes with both positive and negative observations. Our study showed a very positive trend in the decrease of the proportion of respondents who ever shared their IS password—while 51.1% of them reported ever sharing in 2015, the proportion of sharers reduced to 35.9% in 2017 and 36.3% in 2019. Similarly, approximately one-quarter (26.5%-27.3%) reuses the IS password elsewhere while reusing other passwords between other services even more often (34.8%-37.4%). We consider the latter two numbers a pleasantly surprising finding—as password reuse in the studied age group has been found elsewhere to be as high as 76%.3 On the negative side, for those who shared their password enabling access to the IS, more than a half (56.1%-59.4%) reported not changing their password afterward, making themselves potentially vulnerable to future impersonation attacks. See Figure 3 and its caption for more details.
Epilogue: There Is Reason for Hope
We expected our effort to improve the security directive would show a positive impact on students' security behavior. That did not happen—users simply did not read it. However, the results of a longitudinal study on a large group of university students still show a positive trend in self-reported security behavior—despite the small exposure to the directive. While not yet ideal, the protection of endpoint devices and how people handle their passwords is getting to a reasonable level. Whether this is due to exposure to external sources of relevant information (for example, related work10 hints that only 29.5% learn about secure behavior at work) or to a more naturally increased adoption of technologies remains to be investigated in future work.
3. CSID. Consumer survey: password habits. A study of password habits among American consumers (2012); https://bit.ly/3Hnfd84
4. Dark Reading. Strategic Security Survey (2019); https://bit.ly/3DgMrn8
9. Parkin, S. et al. A stealth approach to usable security: Helping IT security managers to identify workable security solutions. In Proceedings of the 2010 New Security Paradigms Workshop, (2010), 33–50.
10. Redmiles, E.M. et al. How I learned to be secure: A census-representative survey of security advice sources and behavior. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, (2016), 666–677.
11. Trauzettel-Klosinski, S. and Dietz, K. Standardized assessment of reading performance: The new international reading speed texts IReST. Investigative Ophthalmology and Visual Science 53, 9 (2012), 5452–5461.
The authors want to express their thanks to students and support staff of Masaryk University for their involvement in our experiments, to David Smahel, Lenka Dedkova, and Vlasta Bukacova for cooperation during the years of experiment setting and data collection, to Michal Muzik for assistance with data analyses, and to the reviewers for useful suggestions. Lydia Kraus also thanks the ERDF project CyberSecurity, CyberCrime and Critical Information Infrastructures Center of Excellence (No. CZ.02.1.01/0.0/0.0/16_019/0000822) for support during the preparation of this Viewpoint.
The Digital Library is published by the Association for Computing Machinery. Copyright © 2022 ACM, Inc.