Professors Kevin McCrohan and Jim Harvey of the School of Management's Marketing Area presented the webinar “Threat Awareness and Improved Security Behaviors” to the Computer Security Institute, the leading educational membership organization for information security professionals (http://gocsi.com/). The conference was chaired by Pam Salaway, Manager, Special Programs for CSI.
The audience members included security professionals from American Express, Cisco, Corning, Ericsson, Inc., Intel, Freddie Mac, Federal Reserve Banks, New York Life, Procter & Gamble, Quest Diagnostics, Research In Motion, Sasktel, Sprint, Nextel, State Farm, T. Rowe Price, Verizon Wireless, Visa and others.
Professors McCrohan and Harvey summarized the work they recently published in the Journal of Internet Commerce, “Influence of Awareness and Training on Cyber Security,” with Kathryn Engel of Aptima, Inc., Washington, D.C.
Their study used a controlled experiment that tracked the impact of awareness of threats to e-commerce on improved online security behavior. The study documented the effect of a threat-awareness exposure treatment on password strength. The results showed that password strength increased only when participants were informed of the threats to online commerce.
The study also showed that nearly 75% of all the study participants began the experiment with weak passwords. Both the control group and the treatment group were educated about the character of weak and strong passwords. Participants’ password strength in the control group actually declined somewhat two weeks later.
Only the participants who were randomly assigned to the experimental group and educated concerning the threats to online commerce (consequences treatment) increased their password strength, by an average of 36%. Their results indicate that users require exposure to high levels of information regarding threats in order to change behavior to enhance information security.
Although the change in password robustness was the key test variable, they suggest that any negative behavior (e.g., posting too much personal and organizational information on social network sites) would benefit from a similar approach.