Improving Password Cyber-Security Through Inexpensive and Minimally Invasive Means: Detecting and Deterring Password Reuse Through Keystroke-Dynamics Monitoring and Just-in-Time Fear Appeals

Information Technology for Development, vol. 20(2), pp. 196–213

31 Pages Posted: 12 Jul 2013 Last revised: 8 Jun 2014

See all articles by Jeffrey L. Jenkins

Jeffrey L. Jenkins

University of Arizona

Mark Grimes

University of Arizona - Department of Management Information Systems

Jeffrey Proudfoot

University of Arizona - Department of Management Information Systems

Paul Benjamin Lowry

Virginia Polytechnic Institute & State University - Pamplin College of Business

Date Written: April 28, 2014

Abstract

Password reuse — using the same password for multiple accounts — is a prevalent phenomenon that can make even the most secure systems vulnerable. When passwords are reused across multiple systems, hackers may compromise accounts by stealing passwords from low-security sites to access sites with higher security. Password reuse can be particularly threatening to users in developing countries in which cyber-security training is limited, law enforcement of cyber-security is non-existent, or in which programs to secure cyberspace are limited. This article proposes a two-pronged solution for reducing password reuse through detection and mitigation. First, based on the theories of routine, cognitive load, and motor movement, we hypothesize that password reuse can be detected by monitoring characteristics of users’ typing behavior (i.e., keystroke dynamics). Second, based on protection motivation theory, we hypothesize that providing just-in-time fear appeals when a violation is detected will decrease password reuse. We tested our hypotheses in an experiment and found that users’ keystroke dynamics are diagnostic of password reuse. By analyzing changes in typing patterns, we were able to detect password reuse with 81.71% accuracy. We also found that just-in-time fear appeals decrease password reuse; 88.41% of users who received a fear appeal subsequently created unique passwords, whereas only 4.45% of users who did not receive a fear appeal created unique passwords. Our results suggest that future research should continue to examine keystroke dynamics as an indicator of cyber-security behaviors, and use just-in-time fear appeals as a method for reducing non-secure behavior. The findings of our research provide a practical and cost-effective solution to bolster cyber-security through discouraging password reuse.

Keywords: password reuse, keystroke dynamics, protection motivation theory, just-in-time fear appeals, support vector machine, cyber-security, developing countries

Suggested Citation

Jenkins, Jeffrey L. and Grimes, Mark and Proudfoot, Jeffrey and Lowry, Paul Benjamin, Improving Password Cyber-Security Through Inexpensive and Minimally Invasive Means: Detecting and Deterring Password Reuse Through Keystroke-Dynamics Monitoring and Just-in-Time Fear Appeals (April 28, 2014). Information Technology for Development, vol. 20(2), pp. 196–213 . Available at SSRN: https://ssrn.com/abstract=2292761

Jeffrey L. Jenkins

University of Arizona ( email )

Department of History
Tucson, AZ 85721
United States

Mark Grimes

University of Arizona - Department of Management Information Systems ( email )

AZ
United States

HOME PAGE: http://www.gmarkgrimes.com

Jeffrey Proudfoot

University of Arizona - Department of Management Information Systems ( email )

AZ
United States

Paul Benjamin Lowry (Contact Author)

Virginia Polytechnic Institute & State University - Pamplin College of Business ( email )

1016 Pamplin Hall
Blacksburg, VA 24061
United States

Register to save articles to
your library

Register

Paper statistics

Downloads
113
rank
233,530
Abstract Views
553
PlumX Metrics