A Model for Enhancing Human Behaviour with Security Questions: A Theoretical Perspective
📝 Abstract
Security questions are one of the mechanisms used to recover passwords. Strong answers to security questions (i.e. high entropy) are hard for attackers to guess or to obtain using social engineering techniques (e.g. monitoring of social networking profiles), but at the same time are difficult to remember. By contrast, weak answers to security questions (i.e. low entropy) are easy to remember but also easy to guess, which makes them more vulnerable to cyber-attacks. Convenience leads users to use the same answers to security questions on multiple accounts, which exposes these accounts to numerous cyber-threats. Hence, current security question implementations rarely achieve the required security and memorability requirements. This research study is the first step in the development of a model which investigates the determinants that influence users' behavioural intentions, through motivation, to select strong and memorable answers to security questions. This research also provides design recommendations for novel security question mechanisms.
📄 Content
Australasian Conference on Information Systems
Micallef & Arachchilage 2017, Hobart, Australia
Enhancing Human Behaviour with Security Questions
A Model for Enhancing Human Behaviour with Security Questions: A Theoretical Perspective
Nicholas Micallef
Australian Centre for Cyber Security
School of Engineering and Information Technology
University of New South Wales
Canberra, Australia
Email: n.micallef@adfa.edu.au
Nalin Asanka Gamagedara Arachchilage
Australian Centre for Cyber Security
School of Engineering and Information Technology
University of New South Wales
Canberra, Australia
Email: nalin.asanka@adfa.edu.au
Abstract
Security questions are one of the mechanisms used to recover passwords. Strong answers to security questions (i.e. high entropy) are hard for attackers to guess or to obtain using social engineering techniques (e.g. monitoring of social networking profiles), but at the same time are difficult to remember. By contrast, weak answers to security questions (i.e. low entropy) are easy to remember but also easy to guess, which makes them more vulnerable to cyber-attacks. Convenience leads users to use the same answers to security questions on multiple accounts, which exposes these accounts to numerous cyber-threats. Hence, current security question implementations rarely achieve the required security and memorability requirements. This research study is the first step in the development of a model which investigates the determinants that influence users' behavioural intentions, through motivation, to select strong and memorable answers to security questions. This research also provides design recommendations for novel security question mechanisms.
Keywords: Cyber Security, Usable Security, Security Questions, Human-computer interaction and design.
1 Introduction
Internet users are dealing with an increasing number of online accounts (92% of Australians use the internet (Poushter 2016)) for personal email, social networks, e-commerce, banking, etc. Hence, internet users are finding it more challenging to remember the passwords of all of their online accounts (Florencio and Herley 2007; Stavova et al. 2016). Recent research found that password managers have not been widely adopted (Alkaldi and Renaud 2016). Thus, resetting passwords is becoming an increasingly frequent task (Florencio and Herley 2007; Stavova et al. 2016).

Various fall-back authentication mechanisms have been studied to address this password recovery problem (Stavova et al. 2016), the most popular being email-based password recovery, text-message-based password recovery and security questions (Schechter and Reeder 2009). Although both email-based and text-based password recovery have recently been adopted by major companies (e.g. Google and Facebook), they still have major limitations (e.g. security vulnerabilities and lack of mobility) (Stavova et al. 2016). For instance, with email-based password recovery users might have to pay a higher cost for data roaming if they need to recover their passwords while abroad. Also, for text-based password recovery, users might not have their device with them when on vacation. In this situation, it would be impossible for users to recover their forgotten password.

From a security questions perspective, weak answers to security questions (i.e. low entropy) are easy to remember (Zviran and Haga 1990), which makes them more vulnerable to social engineering and related attacks (i.e. guessing attacks, dictionary attacks, observational attacks and shoulder surfing attacks) (Bonneau et al. 2010; Denning et al. 2011). By contrast, strong answers to security questions (i.e. high entropy) are less vulnerable to cyber-attacks (Shay et al. 2012), but at the same time are difficult to remember (Micallef and Just 2011). As a result, convenience leads users to use the same answers to security questions on multiple accounts (Honan 2012), which exposes these accounts to numerous cyber-threats.

One could argue that the main problem with security questions is that they are poorly designed, since more effort has been invested in improving the security and usability of passwords (Bonneau et al. 2012) (e.g. password meters (Komanduri et al. 2011), password rules). In comparison, research on improving the security and memorability of security questions is still quite limited (e.g. no websites provide answer meters for security questions) (Senarath et al. 2016). Research on designing secure and usable security questions might still be limited because passwords are considered more important, since passwords are the main mechanism used to log in to an online account (Bonneau and Preibusch 2010). Alternatively, security questions are m
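The gap noted above (password meters exist, answer meters for security questions do not) can be made concrete. The following is an added example written for this page, not code from the paper or its authors. It rates a candidate answer by its rank in a constructed list of common answers (standing in for a real frequency list of leaked answers), falls back to a per-word estimate for unlisted phrases (the 20,000-word vocabulary figure is an assumption), normalises answers so that case and spacing do not hurt memorability, flags reuse against answers already registered on the same account, and stores answers like passwords as salted PBKDF2 hashes. The 16-bit and 32-bit thresholds are illustrative, not taken from the paper.

```python
import hashlib
import hmac
import math
import secrets
import unicodedata

# Constructed sample, most common first; a real meter would load a large
# frequency list of leaked answers. A guessing attacker tries these in order.
COMMON_ANSWERS = [
    "smith", "max", "bella", "fluffy", "buddy", "london", "sydney",
    "blue", "red", "pizza", "toyota", "jones", "melbourne", "charlie",
]
RANK = {answer: index + 1 for index, answer in enumerate(COMMON_ANSWERS)}

VOCABULARY_BITS = math.log2(20_000)  # assumed size of an everyday vocabulary
WEAK_BELOW = 16.0                    # illustrative verdict thresholds
STRONG_FROM = 32.0
PBKDF2_ITERATIONS = 100_000


def normalize(answer: str) -> str:
    """Canonicalise so that 'Fluffy ', 'FLUFFY' and 'fluffy' count as the same
    remembered answer. This aids recall without adding guessable variants:
    an attacker would try the canonical form anyway."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split())


def estimate_bits(answer: str) -> float:
    """Rough guessing-entropy estimate for a security-question answer."""
    norm = normalize(answer)
    if not norm:
        return 0.0
    if norm in RANK:
        # An attacker working down the list finds it after RANK[norm] guesses.
        return math.log2(RANK[norm])
    words = norm.split()
    if all(word.isalpha() for word in words):
        # Natural-language phrase: each word is one draw from a vocabulary.
        # Counting random characters instead would grossly overstate strength.
        return len(words) * VOCABULARY_BITS
    # Mixed characters: per-character estimate over the classes present.
    pool = 0
    if any(c.isalpha() for c in norm):
        pool += 26
    if any(c.isdigit() for c in norm):
        pool += 10
    if any(not c.isalpha() and not c.isdigit() for c in norm):
        pool += 33
    return len(norm) * math.log2(pool)


def store_answer(answer: str) -> tuple:
    """Store an answer the way a password is stored: normalised, salted,
    stretched. Returns (salt, digest)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_answer(answer: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"),
                                    salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def is_reused(answer: str, stored) -> bool:
    """True if the answer matches one already registered for another question
    on this account. Reuse across different services cannot be detected by
    a single service, which is why the paper treats it as a user problem."""
    return any(verify_answer(answer, salt, digest) for salt, digest in stored)


def rate_answer(answer: str, stored=()) -> dict:
    """Verdict a sign-up form can show next to the answer field."""
    bits = estimate_bits(answer)
    reused = is_reused(answer, list(stored))
    if reused or bits < WEAK_BELOW:
        verdict = "weak"
    elif bits < STRONG_FROM:
        verdict = "fair"
    else:
        verdict = "strong"
    return {"bits": round(bits, 1), "verdict": verdict, "reused": reused}


if __name__ == "__main__":
    registered = [store_answer("Fluffy")]  # answer to an earlier question
    for candidate in ["Fluffy", "rover", "green door",
                      "the green door on elm st", "k7!pq-2024"]:
        print(candidate, rate_answer(candidate, registered))
```

The meter deliberately scores a single dictionary-like word ("rover") as weak even though it is not on the common list: the realistic attacker model for security questions is a dictionary of plausible pet names, surnames and places, not brute force over characters. A multi-word but still memorable phrase scores higher, which is the trade-off the paper wants users motivated toward.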