Perceptions of the risks of password related activities

Many studies have investigated people's risky password related activities such as writing down passwords, sharing them with other people and re-using them across accounts, but few studies have investigated people's perceptions of the risks of these activities. This paper reports on an online survey with 129 people rating the risks of 11 different password related activities in four domains (social networking, email, eBanking and eCommerce). There were fewer differences between the perceived riskiness of activities due to domain than expected, but there were differences between the activities and in the numbers of respondents who said they would engage in the different activities. There were interesting patterns of differences in the ratings of the riskiness, severity of the consequences, usefulness and likelihood of encountering the different activities, which may help explain why people undertake risky password activities.


INTRODUCTION
Authentication using passwords is still the most common method for digital services (Ur et al., 2016; Bonneau et al., 2015). Users create and manage passwords in order to log in to, and use the services of, their online banking, email and social networking accounts, amongst many others. Managing a password and ensuring its security are the responsibility of the password holder. However, recalling the right password for a specific account is not easy. A recent study of password behaviours showed that on average British respondents manage 22.3 systems requiring passwords (Petrie and Merdenyan, 2016).
The management of passwords for that many systems requires a substantial effort. Prior studies have shown that users have difficulties in managing their passwords (Stobert and Biddle, 2014; Gaw and Felten, 2006), and exhibit risky password management activities such as re-using passwords, writing them down, and sharing passwords with others (Shay et al., 2010). But how do users perceive the risks when they undertake these activities? Despite numerous studies on password behaviour (see Background section, below), little attention has been given to understanding how users perceive the risks of different common password related activities. Moreover, there is no study to our knowledge investigating password management activities across a range of different digital domains. As users' risk perceptions differ for different website domains (LeBlanc and Biddle, 2012), it is important to investigate whether users have different perceptions of the risks of password management activities in different domains.
Therefore this study investigated people's perceptions of the risk of a range of password related activities in a range of different domains. It also investigated people's attitudes to other aspects of the activities, such as whether people would engage in the activity, their perception of the severity of the consequences of a password compromise due to the activity, the usefulness of the activity and the likelihood of encountering the activity in real life. All these attitudes may throw light on people's perception of risk.
Two studies which have addressed users' perceptions of password management are Notoatmodjo and Thomborson (2009) and Creese et al. (2013). Notoatmodjo and Thomborson (2009) conducted a survey with 26 university students in New Zealand to investigate their perceptions of their passwords. They found that students were aware of the possible security risks of re-using passwords and that they were able to mentally categorize accounts according to their importance: online banking accounts were categorized as high importance accounts, whereas online newspapers were categorized as low importance accounts. Using this categorization, it was found that the participants tended to re-use passwords for low importance accounts, whereas they avoided re-using passwords for high importance accounts. Nonetheless, the participants also stated that having multiple accounts forced them to re-use passwords as they were unable to remember a distinct password for each account. Creese et al. (2013) asked fifty security experts from industry and academia and fifty non-expert participants to rate the level of risk they perceived in relation to twenty potentially risky online and offline (real world) activities. There were a number of significant differences between the ratings of the two groups; for example, non-experts rated 'not updating operating system, web browser, and applications' significantly lower in risk than experts, whereas experts rated 'emailing credit card details' significantly lower than non-experts. Despite these differences, the authors concluded that in general non-experts and experts provided similar risk assessments.
Although there has been little study of risk perceptions of password behaviour, the study of risk and its perception in other areas is a major topic. The development of risk perception research started in the 1960s, with the rapid rise of new technologies, especially nuclear technologies. The necessity of risk comparisons was first suggested by Sowby (1965), to balance the benefits and risks of nuclear power. Differences in risk perception between laypeople and experts were found in relation to nuclear technologies. It was interesting that laypeople perceived the risks of some activities (e.g. smoking, driving) as being lower than the risks of nuclear technologies (Sjöberg et al., 2004). Later, Starr (1969) claimed that the reason for this difference lies in the voluntariness of the activity (risk) taken. His claim explained why laypeople accepted the risks of smoking but not those of nuclear technologies. His work led to raised awareness of, and interest in, discovering how people accept, tolerate, and perceive risks.
In the 1970s, researchers investigated the perceived risks associated with gambling and lotteries. Langer (1975) conducted several studies and found that people perceived the risk of winning a lottery as higher when they were given the chance to pick numbers. It was found that people perceive risks as lower when they think that the situation is under their control. This phenomenon was called the 'illusion of control'. Fischhoff et al. (1978) used psychometric procedures to reveal quantitative judgments of perceived risk and perceived benefit. Psychometrics is the science of measuring mental processes; hence, the psychometric paradigm is a methodological approach to explore the characteristics of risk perception (Breakwell, 2007). Researchers using the psychometric paradigm ask participants to rate the riskiness of a set of hazardous activities, and to express their desire for risk reduction of each hazard, within various domains. The paradigm assumes that people can provide answers to difficult questions such as 'What is the risk associated with the use of nuclear power?' (Slovic, 2000). The paradigm suggests that risk is subjectively defined by people who are influenced by various psychological, social, cultural, and institutional factors, and assumes that with appropriate design of surveys it is possible to quantify and model the interrelationships of these factors (Slovic, 2000).
Our study was influenced by the psychometric approach to risk and investigated a number of psychological factors which might influence people's perception of the risk of password related activities, including their perception of the severity of the consequences of a password compromise due to the activity, the usefulness of the activity and the likelihood of encountering the activity in real life.

Design
The study used an online survey via Amazon Mechanical Turk (MTurk).
11 potentially risky password related activities were created (see Table 2) based on an analysis of the relevant research on password management. These activities were related to four domains in which people typically have passwords: social network sites (SNSs), email, eBanking and eCommerce. These domains were chosen because users have different types of information stored in these domains and may regard them as having different levels of importance and privacy. Not every activity seemed appropriate to every domain, so a total of 35 specific activities resulted.
As asking respondents to answer questions about this number of activities would have been too demanding, the activities were divided into four sets, with each activity appearing only once per set and a range of different domains in each set. Different respondents did each set (due to an oversight in materials preparation for Activity 4, two versions of this activity went in the same set, which complicated the statistical analysis; it meant that repeated measures analyses had to be conducted for this activity).
For each activity, respondents were asked a number of questions, including Likert rating items and open-ended questions. These covered how risky they thought the activity was, whether they would engage in it, how severe they thought the consequences would be and whether they thought the activity was useful.

Respondents
Respondents were recruited through the MTurk crowdsourcing service. A total of 129 individuals responded and provided sufficient data for analysis. Table 1 summarises the demographics of the sample, which was close to gender balanced (55.8% male, 43.4% female, 0.8% preferred not to say). The mean age of respondents was 33.4 years (range: 19-62 years). 80 respondents were from the USA, 35 were from India and 14 from other countries.
Respondents were quite evenly divided between the four sets of activities: two groups had 31 respondents, one group had 32 and one group had 35.

Materials
Four versions of an online questionnaire were developed, each with 8 or 9 activities. For each activity there were 5 questions: (1) How risky is the activity? (Likert) (2) Would you ever engage in the activity? (Yes/No) (3) If your password were compromised as a result of engaging in this activity, how severe do you think the negative consequences would be? (Likert) (4) How useful is the activity? (Likert) (5) How likely do you think you are to face the activity in real life? (Likert) For each Likert item, respondents were invited to explain their rating in an optional open-ended question (why did you give that rating?). After completing the 8 or 9 sets of activity questions, respondents were asked to complete a brief demographic questionnaire.

Procedure
The online survey was distributed via MTurk. No specific qualification was required to be a respondent, and there were no geographical restrictions on completing the survey. In the description of the task, respondents were informed of the approximate completion time of the survey (15 minutes, established via a pilot study conducted with researchers at the University of York). Potential respondents were informed that all information they provided would be confidential and that they would not be asked for any of their passwords or any information that might compromise the security of their passwords.
All respondents who completed the survey and provided sufficient information were rewarded USD 0.50 (£0.40 at the time of the study).
The aim was to have 40 respondents complete each of the four sets of activities. However, it was necessary to reject 31 responses (for incomplete or totally inappropriate responses), which resulted in the final sample of 129 responses.

RESULTS
The rating scale variables were normally distributed, so parametric statistics were used for the analyses.

Differences in perception of risk between the different domains
When the perception of risk of the activities was compared across the four different domains, there were fewer differences than might be expected. Figure 1 shows the mean ratings of the perception of how risky the activity was for the 11 activities and the four domains (note that for some activities not all four domains were asked about, see section 3.1). For only three of the 9 activities in which more than one domain was investigated were there significant differences. These were on "storing a password on paper at home" (F(3, 124) = 2.84, p = 0.04; post-hoc tests revealed that this was perceived as more risky for eBanking and eCommerce than for SNSs, while email was intermediate and not significantly different from the other three domains); on "re-using a password across different accounts" (F(3, 125) = 3.25, p = 0.03; post-hoc tests revealed that eBanking was perceived as more risky than either SNSs or email); and on "logging onto a shared computer" (F(1, 124) = 3.85, p = 0.01; post-hoc tests again revealed that eBanking was perceived as more risky than either SNSs or email).

Differences in perception of risk between the different types of task
As the perception of risk was not substantially affected by domain, the perception of risk of the different activities was investigated, averaging across the four domains. Figure 2 shows the 11 different activities ordered from that perceived as most risky (sharing a password with colleagues, mean risk rating: 6.06/7, standard deviation: 1.24) to that perceived as least risky (sharing a password with a partner, mean risk rating: 4.31, standard deviation: 2.05). However, it is interesting to note that the standard deviation for sharing a password with a partner was over 65% higher than the standard deviation for sharing with a friend, and was by far the highest standard deviation, so there is much more disagreement about the risk of sharing a password with a partner. All the mean ratings, apart from that of sharing with a partner, are significantly above the midpoint of the rating scale, so respondents perceive all these activities to be substantially risky.

Propensity to engage in the activities, relationship to perception of risk, consequences, usefulness and likelihood of encountering the activities
Respondents were asked whether they would engage in each of the activities. Table 3 presents the numbers who said they would and would not for each of the activities, with a chi-square test of whether the distribution differed significantly from random. It can be seen that the activity respondents most frequently said they would engage in was re-using a password with slight variation across accounts, with over 60% of respondents saying they would do this, a significantly large proportion of the sample. The activity participants least frequently said they would engage in was sharing a password to an SNS with friends, with only approximately 5% of respondents saying they would do this, a significantly low proportion of the sample. (Sharing passwords for SNSs and email with friends were not combined across domains for this analysis as these were presented to the same respondents.)
The perceptions of the respondents who said they would and would not engage in each activity were compared on their other perceptions about the activity. These analyses are summarized in Table 4. This shows that on all but two activities, respondents who said they would engage in the activity rated it as significantly less risky than respondents who said they would not engage in the activity. The two exceptions were sharing passwords with colleagues and sharing passwords for SNSs with friends (again, sharing passwords for SNSs and email with friends were not combined across domains for this analysis as these were presented to the same respondents).
However, on the ratings of the severity of the consequences of their password being compromised through the activity, there were no significant differences between the respondents who said they would engage in the activity and those who would not. The ratings of the usefulness of the activity again showed a pattern of significant differences. For all but one activity, the respondents who would engage in the activity rated it as significantly more useful, often by a very substantial amount. The exception was sharing SNS passwords with friends.
Finally, the ratings of the likelihood of encountering the activity in real life again showed a pattern of consistent differences, with respondents who would engage in the activity rating it as significantly more likely that they would encounter the activity in real life for nine activities, with a marginally significant result for a tenth (p = 0.06) and a significant difference for two activities.
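To make the Table 3 test concrete, here is an added example (not from the paper, and not the paper's data) that runs the one-degree-of-freedom chi-square goodness-of-fit test on constructed would/would-not counts against a 50/50 split; the activity names and counts are assumptions chosen only to mimic the proportions reported in the text.

```python
import math

# Constructed yes/no counts in the style of Table 3 (NOT the paper's data):
# each row is (activity, would_engage, would_not_engage).
CONSTRUCTED_TABLE3 = [
    ("re-use password with slight variation", 79, 50),  # ~61% would engage
    ("store passwords digitally", 66, 63),              # about half
    ("share SNS password with friends", 2, 33),         # ~6% would engage
]


def chi_square_goodness_of_fit(would, would_not):
    """Chi-square test of a yes/no split against a random (50/50) split.

    Returns (chi2, p_value). With one degree of freedom the chi-square
    statistic is the square of a standard normal variable, so the two-sided
    p-value is erfc(sqrt(chi2 / 2)); no scipy is needed.
    """
    n = would + would_not
    if n == 0:
        raise ValueError("no respondents for this activity")
    expected = n / 2.0
    chi2 = ((would - expected) ** 2 + (would_not - expected) ** 2) / expected
    p_value = math.erfc(math.sqrt(chi2 / 2.0))
    return chi2, p_value


def classify_rows(rows, alpha=0.05):
    """Label each activity's proportion of respondents who would engage as
    significantly high, significantly low, or not different from random."""
    results = {}
    for activity, would, would_not in rows:
        chi2, p = chi_square_goodness_of_fit(would, would_not)
        share = would / (would + would_not)
        if p >= alpha:
            verdict = "not different from random"
        elif share > 0.5:
            verdict = "significantly high"
        else:
            verdict = "significantly low"
        results[activity] = {"share": share, "chi2": chi2, "p": p,
                             "verdict": verdict}
    return results


if __name__ == "__main__":
    for activity, r in classify_rows(CONSTRUCTED_TABLE3).items():
        print(f"{activity}: {r['share']:.1%} would engage, "
              f"chi2(1) = {r['chi2']:.2f}, p = {r['p']:.3f} -> {r['verdict']}")
```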

DISCUSSION AND CONCLUSIONS
This study investigated perceptions of the risk of a range of password related activities in four different domains, and associated attitudes towards the severity of the consequences of the risk, the usefulness of the activity and the likelihood of encountering the activity in real life.
Four different domains were investigated as it was expected that perceptions of the risk of the different password related activities would vary with domain, with eBanking being the domain which participants would consider the most risky. However, the differences between the domains were not as great as expected, with only three of the nine activities investigated showing a significant difference in the perception of risk between the domains. However, in all three cases it was eBanking for which the risk was considered significantly highest, with eCommerce also being considered highest in one case.
Comparing the different activities, all but one activity was rated significantly above the midpoint of the risk perception scale, suggesting that respondents viewed them all as quite risky. The exception was sharing passwords with partners, which did not differ significantly from the midpoint. But interestingly, there was considerable disagreement amongst respondents on this activity (as evidenced by the high standard deviation), suggesting that some respondents trust their partners a lot more than others.
The activity which the most respondents said they would engage in was re-using a password with a slight variation on different accounts, with just over 60% of respondents saying they would do this. This result corresponds well with previous studies; for example, Brown et al. (2004) found that approximately 65% of password use involved duplication of the password, a similar figure to ours. Gaw and Felten (2006) and Florencio and Herley (2007) also found high levels of password re-use, although the percentages of participants reporting this behaviour were not reported by those studies.
Recording passwords was also an activity many respondents said they would engage in, with just over half saying they would record them digitally and just over 40% saying they would store them on paper. Again, these results correspond well with earlier findings: Brown et al. (2004) found that approximately half their participants kept a written record of passwords. However, the most interesting findings from this study are from the ratings of the risk, consequences, usefulness of the activities and likelihood of encountering the activity in real life, from respondents who said they would engage in the activities and those who said they would not. When their ratings of the level of risk of the activities were compared, it is perhaps not surprising that those who said they would engage in an activity consistently rated it as significantly less risky than those who said they would not engage in it. However, it was surprising that when asked about the severity of the consequences if their password were compromised as a result of engaging in the activity, there was no significant difference between the two groups in their ratings.
Initially this seems contradictory: the groups differ in their rating of risk, but not in the severity of the consequences? What is risk if it is not the consequences of an activity? The answer to this apparent contradiction may lie in the answers to three further questions. Firstly, respondents were asked how useful each activity was. Respondents who said they would engage in the activity consistently rated it as significantly more useful than those who said they would not engage in the activity, with a very large mean difference between the groups of 2.5 points on the 7 point Likert scale. Similarly, those who said they would engage in the activity rated the likelihood that they would encounter it in real life consistently and significantly higher than those who would not engage in the activity, again with a very large mean difference between the groups of 2.6 points on the 7 point Likert scale.
These results suggest that respondents who say they would engage in the activity, while agreeing with those who would not engage in it about the severity of the consequences of their password being compromised, are swayed in their overall perception of the risk by the usefulness of the activity as a password management or other digital strategy. In addition, the fact that they report they are more likely to encounter the activity in real life may well reflect the fact that they have actually undertaken the activity in real life without dire consequences, and this is also affecting their perception of the risk. One of the problems of risky password activities, like many other risky activities, is that negative consequences do not result from every instance of the activity, and negative consequences which do result may not be causally linked back to the instance of the action. Thus, one might share an email password with a colleague so they can access some important data for a meeting, and no negative consequences arise, even though it was a risky thing to do. So one's perception of the consequences goes down. Or, one might share an email password with a colleague, and never realize they have used it to send a malicious email in one's name. So one never connects the risky activity with the negative consequences that it caused.
Thinking about risk perception of password related activities through the lens of the psychometric approach developed by Slovic (1986, 2016), and considering the different aspects of people's attitudes around risky password activities, has begun to throw some interesting light on the relationships between the various factors influencing the overall perception of risk of different risky activities.
However, we now realize that we need to explore much more about how people's perceptions of risk in this area are developed. For example, we did not ask people what negative experiences they had had in relation to password activities, but respondents' answers to the open-ended questions showed that this can have a very strong effect on risk perception. Relevant comments from respondents included those quoted below. Other limitations of the current study include the fact that respondents were from many different countries, with substantial numbers from the USA and India. Previous work has shown that there are complex cultural differences in attitudes to password management (Petrie and Merdenyan, 2016), although the countries studied in that work did not include either the USA or India. But there may be differences in the attitudes of respondents from these two countries which are obscuring effects in the current study. The other limitation, shared with much research on usable security, is that we are relying on self-reports of activities, which may be influenced by social desirability factors. People know that they should not share passwords or write them down, so may be less inclined to say they would engage in the activity than they actually do. Nonetheless, substantial numbers of respondents did admit to engaging in these activities, and clear and interesting patterns of responses emerged.

Figure 2: Mean ratings of risk for the 11 activities

"… I went to a cybercafé and left the social networks open. Someone posted obscene things from my accounts, but I could change the password before they hacked me" (P1-25)
"… used a computer with a keylogger on it, had social media affected. Had to go through lengthy process to change passwords across all platforms" (P1-31)
"… When I lost my wallet I was afraid, whether I'd kept password inside it. Later I had to change all the passwords of all online services. Ever since I have stopped keeping passwords inside my wallet" (P2-8)

Table 1: Demographic information for the respondents

Table 2: Password related activities and domains; mean ratings of risk of activities by domain

Table 3: Distribution of respondents who said they would or would not engage in each activity

Table 4: Mean ratings (and standard deviations) of risk, consequences, usefulness and likelihood of encountering the activities for respondents who would or would not engage in them