DOI: 10.1145/2501604.2501614
research-article

Modifying smartphone user locking behavior

Published: 24 July 2013

ABSTRACT

With an increasing number of organizations allowing personal smart phones onto their networks, considerable security risk is introduced. The security risk is exacerbated by the tremendous heterogeneity of the personal mobile devices and their respective installed pool of applications. Furthermore, by virtue of the devices not being owned by the organization, the ability to authoritatively enforce organizational security policies is challenging. As a result, a critical part of organizational security is the ability to drive user security behavior through either on-device mechanisms or security awareness programs. In this paper, we establish a baseline for user security behavior from a population of over one hundred fifty smart phone users. We then systematically evaluate the ability to drive behavioral change via messaging centered on morality, deterrence, and incentives. Our findings suggest that appeals to morality are most effective over time, whereas deterrence produces the most immediate reaction. Additionally, our findings show that while a significant portion of users are securing their devices without prior intervention, it is difficult to influence change in those who do not.


Published in

SOUPS '13: Proceedings of the Ninth Symposium on Usable Privacy and Security
July 2013
241 pages
ISBN: 9781450323192
DOI: 10.1145/2501604

Copyright © 2013 Copyright is held by the owner/author(s)

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance Rates

Overall Acceptance Rate: 15 of 49 submissions, 31%
