Can individuals’ neutralization techniques be overcome? A field experiment on password policy

6533b857fe1ef96bd12b45e7

RESEARCH PRODUCT

Can individuals’ neutralization techniques be overcome? A field experiment on password policy

Petri Puhakainen Mikko T. Siponen Anthony Vance

subject

Password Authentication Password policy General Computer Science information security business.industry Computer science Internet privacy tietoturvapolitiikka 020206 networking & telecommunications Context (language use)02 engineering and technology Information security neutralization salasanat passwords Authentication (law)Password strength information security policy 0202 electrical engineering electronic engineering information engineering 020201 artificial intelligence & image processing tietoturva business henkilöstökoulutus Law

description

Individuals’ lack of adherence to password security policy is a persistent problem for organizations. This problem is especially worrisome because passwords remain the primary authentication mechanism for information systems, and the number of passwords has been increasing. For these reasons, determining methods to improve individuals’ adherence to password-security policies constitutes an important issue for organizations. Extant research has shown that individuals use neutralization techniques, i.e., types of rationalizations, to disregard organizational information-security policies. What has not been determined from extant information security research is whether these neutralizations can be changed through educational training interventions. We argue that training based on principles of cognitive dissonance theory is a promising method for reducing individuals’ use of neutralization techniques. We contribute by showing empirically that training based on cognitive dissonance theory can reduce the use of neutralization techniques when such training is designed to counter such techniques. Using a quasi-experimental design at an organization, individuals received training on neutralization techniques in the context of password security. Using a quasi-experimental design, we found that individuals who received our training treatment exhibited substantially less intent to use neutralization techniques and were significantly more likely to use secure passwords. Additionally, a follow-up measurement three weeks after the training session showed that the experimental treatment retained its effectiveness, i.e., the experimental group exhibited substantially less intent to use neutralization techniques and a greater likelihood of using strong passwords in the future. Additionally, intent was significantly greater in the experimental group. Implications for practice and future research are discussed. peerReviewed

year	journal	country	edition	language
2020-01-01	Computers & Security

https://doi.org/10.1016/j.cose.2019.101617