Rational security: modelling everyday password use


Duggan, G. B., Johnson, H. and Grawemeyer, B., 2012. Rational security: modelling everyday password use. International Journal of Human-Computer Studies, 70 (6), pp. 415-431.


    To inform the design of security policy, task models of password behaviour were constructed for different user groups—Computer Scientists, Administrative Staff and Students. These models identified internal and external constraints on user behaviour and the goals for password use within each group. Data were drawn from interviews and diaries of password use. Analyses indicated password security positively correlated with the sensitivity of the task, differences in frequency of password use were related to password security and patterns of password reuse were related to knowledge of security. Modelling revealed Computer Scientists viewed information security as part of their tasks and passwords provided a way of completing their work. By contrast, Admin and Student groups viewed passwords as a cost incurred when accessing the primary task. Differences between the models were related to differences in password security and used to suggest six recommendations for security officers to consider when setting password policy.


    Item Type: Articles
    Creators: Duggan, G. B., Johnson, H. and Grawemeyer, B.
    Departments: Faculty of Humanities & Social Sciences > Health; Faculty of Science > Computer Science
    Research Centres: Centre for Pain Research
    Publisher Statement: Duggan,_Johnson_&_Grawemeyer,_12.pdf: NOTICE: this is the author’s version of a work that was accepted for publication in International Journal of Human-Computer Studies. Changes resulting from the publishing process, such as peer review, editing, corrections, structural formatting, and other quality control mechanisms may not be reflected in this document. Changes may have been made to this work since it was submitted for publication. A definitive version was subsequently published in Journal of Human-Computer Studies, 70, 6, 2012. DOI: 10.1016/j.ijhcs.2012.02.008
    ID Code: 29203

