Asia pacific journal of information systems

The Korea Society of Management Information Systems (한국경영정보학회)
권호 표지

A Study on the Factors Affecting the Information Systems Security Effectiveness of Password

패스워드의 정보시스템 보안효과에 영향을 미치는 요인에 관한 연구

  • 김종기 (부산대학교 상과대학 경영학부) ;
  • 강다연 (부산대학교 일반대학원 경영학과)
  • Published : 2008.12.31
Download PDF
⟨ Previous Next ⟩

Abstract

Rapid progress of information technology and widespread use of the personal computers have brought various conveniences in our life. But this also provoked a series of problems such as hacking, malicious programs, illegal exposure of personal information etc. Information security threats are becoming more and more serious due to enhanced connectivity of information systems. Nevertheless, users are not much aware of the severity of the problems. Using appropriate password is supposed to bring out security effects such as preventing misuses and banning illegal users. The purpose of this research is to empirically analyze a research model which includes a series of factors influencing the effectiveness of passwords. The research model incorporates the concept of risk based on information systems risk analysis framework as the core element affecting the selection of passwords by users. The perceived risk is a main factor that influences user's attitude on password security, security awareness, and intention of security behavior. To validate the research model this study relied on questionnaire survey targeted on evening class MBA students. The data was analyzed by AMOS 7.0 which is one of popular tools based on covariance-based structural equation modeling. According to the results of this study, while threat is not related to the risk, information assets and vulnerability are related to the user's awareness of risk. The relationships between the risk, users security awareness, password selection and security effectiveness are all significant. Password exposure may lead to intrusion by hackers, data exposure and destruction. The insignificant relationship between security threat and perceived risk can be explained by user's indetermination of risk exposed due to weak passwords. In other words, information systems users do not consider password exposure as a severe security threat as well as indirect loss caused by inappropriate password. Another plausible explanation is that severity of threat perceived by users may be influenced by individual difference of risk propensity. This study confirms that security vulnerability is positively related to security risk which in turn increases risk of information loss. As the security risk increases so does user's security awareness. Security policies also have positive impact on security awareness. Higher security awareness leads to selection of safer passwords. If users are aware of responsibility of security problems and how to respond to password exposure and to solve security problems of computers, users choose better passwords. All these antecedents influence the effectiveness of passwords. Several implications can be derived from this study. First, this study empirically investigated the effect of user's security awareness on security effectiveness from a point of view based on good password selection practice. Second, information security risk analysis framework is used as a core element of the research model in this study. Risk analysis framework has been used very widely in practice, but very few studies incorporated the framework in the research model and empirically investigated. Third, the research model proposed in this study also focuses on impact of security awareness of information systems users on effectiveness of password from cognitive aspect of information systems users.

Keywords

References

  1. 강병서, 조철호, SPSS와 AMOS 활용 연구조사방법론, 무역경영사, 2005
  2. 권영옥, 김병도, "정보보안 사고와 사고방지관련 투자가 기업가치에 미치는 영향," 정보시스템학회, 제9권 제1호, 2007, pp. 105-120
  3. 김종기, "정보시스템 보안의 효과성 모형에 관한 실증적 연구," 정보시스템연구, 제7권 제2호, 1998, pp. 91-108
  4. 김종기, 전진환, "컴퓨터 바이러스 통제를 위한 보안행위의도 모형," 정보화정책, 제13권 제3호, 2006, pp. 174-186
  5. 박성희, "효과적인 정보시스템 보안을 위한 통합적 모형의 연구," 경영교육논총, 제35집, 2004, pp. 271-298
  6. 박승배, 박설배, 강문설, "타인의 관찰에 의한 패스워드 노출로부터 안전한 패스워드 시스템," 정보처리학회논문지, 제10C권 제2호, 2003, pp. 141-144
  7. 이필중, 문희철, "패스워드 시스템의 보안에 관한 고찰," 한국통신정보보호학회지, 제1권 제1호, 1991, pp. 109-118
  8. 임채호, "효과적인 정보보호인식 제고 방안," 정보보호학회지, 제16권 제2호, 2006, pp. 30-36
  9. 정경수, 김기영, 박종필, "패스워드 이용과 관한 실증분석: 대학과 종합병원을 중심으로," 한국경영정보학회, 제30권 제1호, 2001, pp. 143-157
  10. 정보통신부, 2006 국가정보보호백서, 정보통신부, 2006
  11. 정보통신부, 패스워드 선택 및 이용가이드, 정보통신부, 2008
  12. 정해철, 김현수, "조직구성원의 정보보안 의식과 조직의 정보보안 수준과의 관계 연구," 정보기술과 데이터베이스저널, 제7권 제2호, 2000, pp. 117-134
  13. 최상수, 방영환, 최성자, 이강수, "보안관리 및 위험분석을 위한 분류체계, 평가기준 및 평가스케일의 조사연구," 정보보호학회지, 제13권 제3호, 2003, pp. 28-49
  14. KISA, "2006년 정보보호 실태조사 당신의 정보보호 수준은?," 정보보호 뉴스, 2007a, pp. 12-17
  15. KISA, "8월 개인정보침해 민원접수 현황 및 분석," 정보보호뉴스, 2007b, pp. 10- 11
  16. KISA, "당신의 패스워드, 얼마나 안전할까요?," 정보보호뉴스, 2007c, pp. 12-16
  17. KISA, "10월 개인정보침해 민원접수 현황 및 분석," 정보보호뉴스, 2008, pp. 12-13
  18. 홍승필, 김영철, 최신 이론과 경향으로 배우는 정보보호의 이해, 아이워크북, 2004
  19. 홍일유, 이종삼, "국내기업의 정보시스템 보안위협 인식에 관한 연구," 경영학회지, 제27권 제1호, 2000, pp. 157-185
  20. Adams, A., Sasse, M.A., and Lunt, P., "Making Passwords Secure and Usable," Proceedings of HCI on People and Computers XII, 1997, pp. 1-19
  21. Anderson, J. and Gerbing, D., "Structural Equation Modeling in Practice: A Review and Recommended Two-Step Approach," Psychological Bulletin, Vol. 103, No. 4, 1988, pp. 411-423 https://doi.org/10.1037/0033-2909.103.3.411
  22. Bob, L. and Jane, T.S., "Critical review of Queensland's Crime and Misconduct Commission Inquiry into abuse of children in foster care: Social work's contribution to reform," Australian Social Work, Vol. 58, No. 1, 2005, pp. 86-99 https://doi.org/10.1111/j.1447-0748.2005.00194.x
  23. Bagozzi, R. and Yi, Y., "On the Evaluation of Structural Equation Models," Journal of the Academy of Marketing Science, Vol. 16, 1988, pp. 74-97 https://doi.org/10.1007/BF02723327
  24. Baldwin, N.S. and Rice, R.E. "Information- Seeking Behavior of Securities Analysis: Individual Institutional Influences, Information Sources and Channels, and Outcomes," Journal of the American Society for Information Science, Vol. 48, No. 8, 1997, pp. 674-693 https://doi.org/10.1002/(SICI)1097-4571(199708)48:8<674::AID-ASI2>3.0.CO;2-P
  25. Barclay, D., Thompson, R., and Higgins, C., "The Partial Least Squares(PLS) Approach to Causal Modeling, Personal Computer Adoptiong and Use as Illustration," Technology Studies, Vol. 2, No. 2, 1995, pp. 285-324
  26. Baskerville, R., "Risk Analysis: An Interpretive Feasibility Tool in Justifying Information Security," European Journal of Information Systems, Vol. 1, No. 2, 1991, pp. 121-130 https://doi.org/10.1057/ejis.1991.20
  27. BSI, BS7799: Code of Practices for Information Security Management, United Kingdom, 1999
  28. BSI, Code of Practices for Information Security Management. London: British Standards Institution, 2005
  29. Chin, W., "Issues and Opinions on Structural Equation Modeling," MIS Quarterly, Vol. 22, No. 1, 1998, pp. 7-16
  30. CMU/SEI, Operationally Critical Threat, Asset, Vulnerability Evaluation(OCTAVE) Framework, Ver. 1.0, CMU/SEI-99-TR-017. Carnegie Mellon University/Software Engineering Institute, June 1999
  31. Crockford, N. An Introduction to Risk Management, Woodhead-Faulkner Limited, Cambridge, England, 1980
  32. CSE, Guide to Security Risk Management for IT Systems, Communications Security Establishment, Government of Canada, 1996
  33. Doherty, N.F. and Fulford, H., "Aligning the Information Security Policy with the Strategic Information Systems Plan," Computers & Security, Vol. 25, 2006, pp. 55-63 https://doi.org/10.1016/j.cose.2005.09.009
  34. Drevin, L., Kruger, H.A., and Steyn, T., "Value-Focused Assessment of ICT Security Awareness in an Academic Environment," Computers & Security, Vol. 26, 2007, pp. 36-43 https://doi.org/10.1016/j.cose.2006.10.006
  35. Fornell, C. and Bookstein, F.L., "Two Structural Equation Models: LISREL and PLS Applied to Consumer Exit-Voice Theory," Journal of Marketing Research, Vol. 19, No. 4, 1982, pp. 440-452 https://doi.org/10.2307/3151718
  36. Frank, J., Shamir, B., and Briggs, W., "Security- related Behavior of PC Users in Organizations," Information & Management, Vol. 21, No. 3, 1991, pp. 127-135 https://doi.org/10.1016/0378-7206(91)90059-B
  37. Furnell, S., "An Assessment of Website Password Practices," Computers & Security, Vol. 26, 2007, pp. 445-451 https://doi.org/10.1016/j.cose.2007.09.001
  38. Gefen, D., "Assessing Unidimensionality through LISREL: An Explanation and Example," Communications of the Association for Information Systems, Vol. 12, No. 2, 2003, pp. 23-47
  39. Gilbert, I.A., "Risk Analysis: Concepts and Tools," Datapro Reports on Information Security, 1991, pp. 101-112
  40. Goodhue, D. and Straub, D., "Security Concerns of System Users: A Study of Perception of the Adequacy of Security," Information & Management, Vol. 20, No. 1, 1991, pp. 13-27 https://doi.org/10.1016/0378-7206(91)90024-V
  41. Haller, S.C., "PRIVACY: What Every Manager Should Know," The Information Management Journal, 2002, pp. 33-40
  42. Highland, H., "Changing Passwords," Computers & Security, Vol. 16, No. 3, 1997, pp. 183-184
  43. ISO/IEC, Guidelines for the Management of IT Security (GMITS), International Organization for Standardization/International Electrotechnical Commission, 2005
  44. ISO/IEC, Guidelines for the Management of IT Security (GMITS) TR 13335-5, International Organization for Standardization/International Electrotechnical Commission, 2001
  45. Jackson, K.M. and J. Hruska, "British Library Cataloging in Publication Data," Computer Security Reference Book, 1992, pp. 227-263
  46. Jarvenpaa, S., Tractinsky, N., and Vitale, M., "Consumer trust in an Internet store," Information Technology and Management, Vol. 1, 2000, pp. 45-71 https://doi.org/10.1023/A:1019104520776
  47. Jeffrey, M.S., Kathryn, R.S., M.P., and Jeffrey, J., "Analysis of End User Security Behaviors," Computers & Security, Vol. 24, 2005, pp. 124-133 https://doi.org/10.1016/j.cose.2004.07.001
  48. Jobusch, D.L. and Oldhoeft, A.E., "A Survey of Password Mechanisms: Weakness and Potential Improvements, Part 1," Computers & Security, Vol. 8, No. 7, 1989, pp. 587-604 https://doi.org/10.1016/0167-4048(89)90051-5
  49. Juang, W., "Efficient Password Authenticated Key Agreement Using Smart Cards," Computers & Security, Vol. 23, 2004, pp. 167-173 https://doi.org/10.1016/j.cose.2003.11.005
  50. Karyda, M., Kiountouzis, E., and KoKolakis, S., "Information System Security Policies: A Contextual Perspective," Computers & Security, Vol. 24, 2005, pp. 246-260 https://doi.org/10.1016/j.cose.2004.08.011
  51. Kim, D., Song, Y., Braynov, S., and Rao, R., "A B-To-C Trust Model for On-Line Exchange," Proceedings of Seventh Americas Conference on Information Systems, 2001, pp. 784- 787
  52. King, R.C. and Xia, W., "Media Appropriateness: Effects of Experience on Communication Media Choice," Decision Sciences, Vol. 28, No. 4, 1997, pp. 877-910 https://doi.org/10.1111/j.1540-5915.1997.tb01335.x
  53. Kruger, H.A. and Kearney, W.D., "A Prototype for Assessing Information Security Awareness," Computers & Security, Vol. 25, 2006, pp. 289-296 https://doi.org/10.1016/j.cose.2006.02.008
  54. Leach, J., "Improving User Security Behavior," Computers & Security, Vol. 22, No. 8, 2003, pp. 685-692 https://doi.org/10.1016/S0167-4048(03)00007-5
  55. Lee, S.M., Kim, Y.R., and Lee, J., "An Empirical Study of the Relationships among End-User Information Systems Acceptance, Training, and Effectiveness," Journal of Management Information Systems, Vol. 12, No. 2, 1995, pp. 189-202 https://doi.org/10.1080/07421222.1995.11518086
  56. Loch, K., Carr, H., and Warkentin, M., "Treats to Information Systems: Today's Reality, Yesterday's Understanding," MIS Quarterly, Vol. 16, No. 2, 1992
  57. Menkus, B., "Understanding the Use of Passwords," Computers & Security, Vol. 7, No. 2, 1988, pp. 132-136 https://doi.org/10.1016/0167-4048(88)90325-2
  58. Miller, H.E. and Engemann, K.J., "A Methodology for Managing Information-Based Risk," Information Resources Management Journal, Spring, 1996, pp. 17-24
  59. NIST, Risk management Guide for Information Technology Systems Recommendations of the Institute of Standards and Technology, NIST SP 800-30, 1998
  60. NIST, Risk management Guide for Information Technology Systems, Special Publication 800- 30, 2001
  61. O'Gorman, L., Bagga, A., and Bentley, J., "Query-Directed Passwords," Computers & Security, Vol. 24, 2005, pp. 546-560 https://doi.org/10.1016/j.cose.2005.06.006
  62. Parker, D.B., Computer Security Management, Reston Publishing Co., Reston, VA, 1981
  63. Peltier, T., Information Security Risk Analysis, Auerbach, 2001
  64. Peyravian, M. and Zunic, N., "Methods for Protecting Password Transmission," Computers & Security, Vol. 19, No. 5, 2000, pp. 466-469 https://doi.org/10.1016/S0167-4048(00)05032-X
  65. Post, G.V. and Kagan, A., "Evaluating Information Security Tradeoffs: Restricting Access Can Interfere With User Tasks," Computers & Security, Vol. 26, 2007, pp. 229-237 https://doi.org/10.1016/j.cose.2006.10.004
  66. Pounder, C., "Security with Unfortunate Side Effects," Computers & Security, Vol. 22, No. 2, 2003, pp. 115-118 https://doi.org/10.1016/S0167-4048(03)00206-2
  67. Rainer, R., Snyder, C., and Carr, H., "Risk Analysis for Information Technology," Journal of Management Information System, Vol. 8, No. 1, 1991, pp. 129-147 https://doi.org/10.1080/07421222.1991.11517914
  68. Ronald, C., Curtis, C., and Aaron, J., "Phishing for User Security Awareness," Computers & Security, Vol. 26, 2007, pp. 73-80 https://doi.org/10.1016/j.cose.2006.10.009
  69. Russell, D. and Gangemi, G., Computer Security Basics, O'Reilly and Associates, 1991
  70. Salisbury, D., Pearson, R., Pearson, A., and Miller, D., "Perceived security and World Wide Web purchase intention," Industrial Managemet and Data Systems, Vol. 101, No. 4, 2001, pp. 165-176 https://doi.org/10.1108/02635570110390071
  71. Smith, H.J., Milberg, S.J., and Burke, S.J., "Information Privacy: Measuring Individuals Concerns about Organizational Practices," MIS Quarterly, Vol. 20, 1996, pp. 165-195
  72. Stanton, J.M., Stam, K.R., Mastrangelo, P., and Jolton, J., "Analysis of End User Security Behaviors," Computers & Security, Vol. 24, 2005, pp. 124-133 https://doi.org/10.1016/j.cose.2004.07.001
  73. Straub, D., "Effective IS Security: An Empirical Study," Information System Research, Vol. 1, No. 3, 1990, pp. 255-276 https://doi.org/10.1287/isre.1.3.255
  74. Torkzadeh, G. and Dhillon, G., "Measuring Factors that Influence the Sucess of Internet Commerce," Information Systems Research, Vol. 13, No. 2, 2002, pp. 187-204 https://doi.org/10.1287/isre.13.2.187.87
  75. Tregear, J., "Risk Assessment," Information Security Technical Report, Vol. 6, No. 3, 2001, pp. 19-27
  76. Urban, G., Sultan, F., and Qualls, W., "Placing Trust at the Center of Your Internet Strategy," Sloan Management Review, Fall, 2000, pp. 39-69
  77. Whitaker, R., The End of Privacy: How Total Surveillance is becoming a Reality, NY: New Press, 1999
  78. Wiant, T.L., "Information Security Policy's Impact on Reporting Security Incidents," Computers & Security, Vol. 24, 2005, pp. 448-459 https://doi.org/10.1016/j.cose.2005.03.008
  79. Wood, C., "Effective Information System Security with Password Controls," Computers & Security, Vol. 2, No. 1, 1983, pp. 5-10 https://doi.org/10.1016/0167-4048(83)90028-7
  80. Zviran, M. and Haga, W., "Password Security: An Empirical Study," Journal of Management Information Systems, Vol. 15, No. 4, 1999, pp. 161-185 https://doi.org/10.1080/07421222.1999.11518226