What 4,500+ People Can Tell You – Employees’ Attitudes Toward Organizational Password Policy Do Matter

  • Yee-Yin Choong
  • Mary Theofanos
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9190)


Organizations establish policies on how employees should generate, maintain, and use passwords to authenticate and gain access to the organization’s information systems. This paper focuses on employees’ attitudes toward organizational password policies and examines their impact on work-related password activities that have security implications. We conducted a large-scale survey (4,573 respondents) to investigate the relationships between organizational password policies and employees’ password behaviors. The key finding of this study is that employees’ attitudes toward the rationale behind cybersecurity policies have a statistically significant relationship with their password behaviors and experiences. Positive attitudes are related to more secure behaviors, such as choosing stronger passwords and writing down passwords less often, to less frustration with authentication procedures, and to a better understanding of and respect for the importance of protecting passwords and system security. We propose future research to promote positive employee attitudes toward organizational security policy, which could facilitate the balance between security and usability.


Keywords: Password behavior, Organizational password policy, Cybersecurity, Perception, Attitudes, Usability



Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. National Institute of Standards and Technology, Gaithersburg, USA
