Academic journal article Informing Science: the International Journal of an Emerging Transdiscipline

Evaluation of the Human Impact of Password Authentication Practices on Information Security

Article excerpt


The increase in computing and networking expansion as well as increases in threats have enhanced the need to perpetually manage information security within an organization. Although there is literature addressing the human side of information security, events such as 9/11 and the war on terrorism have created more of a burden for organizations, government and private industry, enhancing the need for more research in information security. Carnegie Mellon's Computer Emergency Response Team (2004) has collected statistics showing that 6 security incidents were reported in 1988 compared to 137,529 in 2003. A survey by the Federal Bureau of Investigation (FBI) suggested that 40% of organizations surveyed claimed that system penetrations from outside their organization have increased from the prior year by 25% (Ives, Walsh, & Schneider, 2004). The U.S. Department of Homeland Security (2002) is concerned with the need for information security measures. Therefore, the Federal Information Security Management Act of 2002 was put into place for the purposes of protecting information and systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability of information. The government has an information security responsibility ranging from protecting intelligence information to issuing social security numbers for each citizen. Private industry must also be concerned with information security as it is vital for the livelihood of any company to protect customers' personal information along with the management of each company's supply chain (Olivia, 2003).

Earlier research identified the presence of human error risks to the security of information systems (Wood & Banks, 1993; Courtney, as cited in NIST, 1992). A survey conducted by one of the authors identified password issues as the second most likely human error risk factor to impact an information system. The significance of this is enhanced when realizing that passwords are the primary source of user authentication for the majority of personal and private information systems. The past research findings of password issues as a human error risk factor have been further identified as a threat to security by the University of Findlay Center for Terrorism Preparedness (2003), which developed a vulnerability assessment methodology to better help organizations identify their weaknesses in terms of information security.

Extensive password requirements can overload human memory capabilities as the number of passwords and their complexity level increase. The exponential growth in security incidents (Carnegie Mellon Computer Emergency Response Team, 2004) requires a comprehensive approach to the development of password guidelines which do not exceed human memory limitations yet maintain strength of passwords as necessitated by the information technology (IT) community. The IT community consists of network administrators or security officers who are directly responsible for information security in terms of integrity, confidentiality, and availability of information. In earlier investigations, over 50% of incidents that occur within government and private organizations have been connected to human errors (NIST, 1992). The impact of human error on information security is an important issue that, left unresolved, can have adverse effects on industry. This research is focused on measuring the impact of password demands as a means of authentication and mitigating the risks that result when these demands exceed human capabilities.

Literature Review

Information Security

Information security involves making information accessible to those who need the information, while maintaining integrity and confidentiality. The three categories that are used to classify information security risks are confidentiality, integrity, and accessibility or availability of information (U. …
