You are here: Home Contents V9 N1 V9N1_Pendegraft.html
Personal tools

User Attitudes Toward Password Security: Survey and Simulation



Full text

Journal of Information Systems Security
Volume 9, Number 1 (2013)
Pages 321
ISSN 1551-0123 (Print)
ISSN 1551-0808 (Online)
Norman Pendegraft — University of Idaho, USA
Information Institute Publishing, Washington DC, USA




Previous simulation studies of IS security are extended to allow for two user types.  In order to improve the model of user behavior, a group of students was surveyed about their security preferences in several situations. The data reveal that users preferences are non-homogeneous. These preferences were then used in a simulation of a system with two user types while under attack. Simulation results suggest that the nature of user preferences is significant in determining evolution of system value, and should, therefore, be of concern to security policy makers.




Information Security, Simulation, Systems Dynamics, Security Modeling




Ackerman, M.A., Cranor, L.F., Reagle J. (1999) Privacy In E-Commerce: Examining User Scenarios And Privacy Preferences. Proceedings of the 1st ACM conference on electronic commerce. Retrieved 17June 2010 from 

Albrechtsen. E. (2007). A Qualitative Study Of Users’ View Of Information Security. Computers and Security 26(4), 276-289. Retrieved 17 June 2010 from

Beautement, A., Sasse, M.A., & Wonham, M. (2008). The Compliance Budget: Managing Security Behavior in Organizations, NSPW 08, Lake Tahoe. 

Becker, G. S. (1968). Crime and punishment: An economic approach. Journal of Political Economy 78, 169-217. 

Behara, R.R., Huang, C.D. & Hu.,Q. (2010). A Systems Dynamics Model of Information Security Investments, J. of Information System Sec 6(2). 

Braun W. (2002). The system archetypes. Retrieved 22June2010 from 

Davis, F.D. (1989). Perceived usefulness, perceived ease of use, and user acceptance of information technology. MISQuart, 13(3), 319-340. 

Davis, M.A., 2012. 2012 Strategic Security Survey. InformationWeek,, retrieved 29 May 2012. 

DeLone, W.H., & McLean, E.R. (1992). Information System Success: The Quest For The Dependent Variable. Information Systems Research, 3(1), 60-95. 

Dutta, A. & Roy, R. (2008). Dynamics of Organizational Information Security, System Dynamics Review 24(3) 349-375. 

Gamer, M., Lemon. J., Fellows, I., & Singh, P. (2010). irr: Various Coefficients of Interater Reliability and Agreement. R package version 0.83. 

Gordon, L.A. & Loeb. M.P., (2002). The Economics of Information Investment, ACM Transactions on Information and System Security 5(4), 438 – 457. 

Greenwald, S.J., Olthoff, K.G., Victor Raskin, V., & Ruch, W. (2004). The user non=acceptance paradigm: INOFSEC’s dirtly little secret. NSPW 04 Proceedings of the 2004 Workshop On New Security Paradigms. ACM, New York. doi>10.1145/1065907.1066032. Retrieved 11 June 2012. 

Grossklags, W., (2001). Experimental Economics An Experimental Computer Science: A Survey. ExpCS, San Diego. HPS: High Performance Systems, IThink, Lebanon, NH. 

Komanduri, S. 1, Shay, R., Kelley, P.G., 1 Mazurek, M.L., Bauer, L., 1, Nicolas Christin, N., Cranor, L.F., & Egelman, S. (2010). Of Passwords and People: Measuring the Effect of Password-Composition Policies, Symposium on Usable Privacy and Security (SOUPS) 2010, July 14–16, 2010, Redmond, WA USA.

Legendre, P. 2005. Species Association: The Kendall Coeffcient of Concordance Revisited, Journal of Agricultura, Giological , and Enviromental Statitics 10#2, 226-245. 

Lehtinen, R., Russell, D., & Ganemi, G.T.,(2006). Computer Security Basics, O’Reilly, Sebastapol. 

Lemon, J. & Fellows, I. (2007). concord: Concordance and reliability. R package version 1.4-9. 

Ligges, U. and Mächler, M. (2003). Scatterplot3d - an R Package for Visualizing Multivariate Data. Journal of Statistical Software 8(11), 1-20. 

Novakovic, L..McGill, T., & Dixon, M. (2009). Understanding User Behavior Towards Passwords Through Acceptance And Use Modeling. Int. Journal of Information System Security And Privacy 3(1), 11-29. 

Pendegraft, N. (2008a). A Simulation of IS Security With Two User Types. Mountain Plains Management Conference, Pocatello. 

Pendegraft, N. (2008b). Examination of User Attitudes Toward Computer Security, Allied Academies Summer Internet Conference. 

Pendegraft, N. & Rounds, M. (2007). A Simulation Model of IS Security, International Journal of Information Security and Privacy, 1.

Peng Liu, P., Zang, W. &Yu, M. (2005) . Incentive-Based Modeling and Inference of Attacker Intent, Objectives and Strategies, ACM Transactions on Information and System Security 8(1), 78-118. 

R Development Core Team (2008). R: A Language And Environment For Statistical Computing. R Foundation for Statistical Computing, Vienna, Austria. ISBN 3-900051-07-0, URL 

Rosenfeld, S.N., Rus, I. & Cukier M. (2007). Archetypal Behavior in Computer Security. J. System & Software 80, 1594-1606. 

Rounds, M. , Pendegraft, N. & Taylor, C. (2007). The Ecology of IS Security: A Research Agenda.  Information Resources Management Association International Meeting, Vancouver. 

Senge, P., (1990). The Fifth Discipline. Currency Doubleday, New York. 

Shay, R., Komanduri, S. ,Kelley, P.G., Leon, P.G., Michelle L. Mazurek, M.L., Bauer,L., Christin, N., Cranor, L.F. (2010) Encountering Stronger Password Requirements: User Attitudes and Behaviors, Symposium on Usable Privacy and Security (SOUPS), July 14–16,2010, Redmond, WA USA 

Shay, R.J.K., Bhargav-Spantzel, A., & Bertine, E. (2007). Password Policy Suimulation and Analysis. DIM’07, November 2, 2007, Fairfax, Virginia, USA. 

Stanton, J.M., Stam, K.R., Mastrangelo, P. & Jolton, J. (2005). Analysis of End User Security Behaviors. Computers and Security 24, 124-133. 

Tversky, A. & Kahneman, D. (1986). Rational Choice and the Framing of Decisions, Journal of Business 59(S4).

West, R. (2008). The Psychology of Security, CACM 51#4 (34-40).