Can Relaxing Security Policy Restrictiveness Improve User Behavior? A Field Study of Authentication Credential Usage

摘要

Often, security policies take an overly proscriptive approach designed to shape 'secure' behavior in the specification of constraints, controls, and impediments to free action. In the case of very detailed policies, the user may not even understand the logic behind the behavior. This research poses a simple premise: if a desired state of system security can be achieved with a policy that affords the user a range of behavioral options, would the user be more likely to comply with the policy? We present findings from a field experiment in the context of password selection where secure behavior was enhanced by relaxing proscription (and prescription) by allowing universal cues in additional feedback tools to take precedence over explicit behavioral requirements. This is in keeping with aspects of Activity Theory which proposes that familiar tools influence actor-structure interactions that lead to desired outcomes.