Assessing the User Experience of Password Reset Policies in a University

Parkin, Simon; Driss, Samy; Krol, Kat; Sasse, M. Angela

doi:10.1007/978-3-319-29938-9_2

Cited by 3 publications

(2 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Account remediation is not only a protocol that websites should follow; it is a complex way that brings in the sociotechnical components to ensure data protection and prevent further data leakage for an account compromise. Additionally, the proper account remediation process enables users to protect their accounts as a preventive measure through secure behavior such as prevention of password rotation [65], [77]. Our transcontinental analysis for the 158 websites measures the account remediation for different aspects like changing passwords, reviewing past activities, enabling 2FA, and others.…”

Section: Implications and Recommendationsmentioning

confidence: 99%

See 1 more Smart Citation

A Transcontinental Analysis of Account Remediation Protocols of Popular Websites

Markert¹,

Adhikari²,

Das³

2023

Proceedings 2023 Symposium on Usable Security

View full text Add to dashboard Cite

Websites are used regularly in our day-to-day lives, yet research has shown that it is challenging for many users to use them securely, e.g., most prominently due to weak passwords through which they access their accounts. At the same time, many services employ low-security measures, making their users even more prone to account compromises with little to no means of remediating compromised accounts. Additionally, remediating compromised accounts requires users to complete a series of steps, ideally all provided and explained by the service. However, for U.S.-based websites, prior research has shown that the advice provided by many services is often incomplete. To further understand the underlying issue and its implications, this paper reports on a study that analyzes the account remediation procedure covering the 50 most popular websites in 30 countries, 6 each in Africa, the Americas, Asia, Europe, and Oceania. We conducted the first transcontinental analysis on the account remediation protocols of popular websites. The analysis is based on 5 steps websites need to provide advice for: compromise discovery, account recovery, access limitation, service restoration, and prevention. We find that the lack of advice prior work identified for websites from the U.S. also holds across continents, with the presence ranging from 37% to 77% on average. Additionally, we identified considerable differences when comparing countries and continents, with countries in Africa and Oceania significantly more affected by the lack of advice. To address this, we suggest providing publicly available and easyto-follow remediation advice for users and guidance for website providers so they can provide all the necessary information.

show abstract

Section: Implications and Recommendationsmentioning

confidence: 99%

“…As part of this study, we checked website password requirements and found that, on average, 53% of them do not check for a proper password rotation [65], [77]. This check is possible without any security infringement, as knowledge of the old password also needs to be double-checked.…”

Section: Robust Security Requirementsmentioning

confidence: 99%

A Transcontinental Analysis of Account Remediation Protocols of Popular Websites

Markert¹,

Adhikari²,

Das³

2023

Proceedings 2023 Symposium on Usable Security

View full text Add to dashboard Cite

show abstract

You’ve Left Me No Choices: Security Economics to Inform Behaviour Intervention Support in Organizations

Demjaha

Parkin

Pym

2021

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Security policy-makers (influencers) in an organization set security policies that embody intended behaviours for employees (as decision-makers) to follow. Decision-makers then face choices, where this is not simply a binary decision of whether to comply or not, but also how to approach compliance and secure working alongside other workplace pressures, and limited resources for identifying optimal securityrelated choices. Conflict arises due to information asymmetries present in the relationship, where influencers and decision-makers both consider costs, gains, and losses in ways which are not necessarily aligned. With the need to promote 'good enough' decisions about security-related behaviours under such constraints, we hypothesize that actions to resolve this misalignment can benefit from constructs from both neoclassical economics and behavioural economics. Here we demonstrate how current approaches to security behaviour provisioning in organizations mirror rational-agent economics, even where behavioural economics is embodied in the promotion of individual security behaviours. We develop and present a framework to accommodate bounded security decision-making, within an ongoing programme of behaviours which must be provisioned for and supported. We also point to applications of the framework in negotiating sustainable security behaviours, such as policy concordance and just security cultures.

show abstract

The boundedly rational employee: Security economics for behaviour intervention support in organizations1

Demjaha

Parkin

Pym

2022

JCS

Self Cite

View full text Add to dashboard Cite

Security policy-makers (influencers) in an organization set security policies that embody intended behaviours for employees (as decision-makers) to follow. Decision-makers then face choices, where this is not simply a binary decision of whether to comply or not, but also how to approach compliance and secure working alongside other workplace pressures, and limited resources for identifying optimal security-related choices. Conflict arises because of information asymmetries present in the relationship, where influencers and decision-makers both consider costs, gains, and losses in ways which are not necessarily aligned. With the need to promote ‘good enough’ decisions about security-related behaviours under such constraints, we hypothesize that actions to resolve this misalignment can benefit from constructs from both traditional economics and behavioural economics. Here we demonstrate how current approaches to security behaviour provisioning in organizations mirror rational-agent economics, even where behavioural economics is embodied in the promotion of individual security behaviours. We develop and present a framework to accommodate bounded security decision-making, within an ongoing programme of behaviours which must be provisioned for and supported. Our four stage plan to Capture, Adapt, Realign, and Enable behaviour choices provides guidance for security managers, focusing on a more effective response to the uncertainty associated with security behaviour in organizations.

show abstract

Assessing the User Experience of Password Reset Policies in a University

Cited by 3 publications

References 23 publications

A Transcontinental Analysis of Account Remediation Protocols of Popular Websites

A Transcontinental Analysis of Account Remediation Protocols of Popular Websites

You’ve Left Me No Choices: Security Economics to Inform Behaviour Intervention Support in Organizations

The boundedly rational employee: Security economics for behaviour intervention support in organizations1

Contact Info

Product

Resources

About