Organizational Security: Implementing a Risk-Reduction-Based Incentivization Model for MFA Adoption

In Proceedings of the International Conference on Financial Cryptography and Data Security, March, 2021, Grenada (Virtual).

8 Pages Posted: 19 Jan 2021

See all articles by Sanchari Das

Sanchari Das

University of Denver

Andrew Kim

Indiana University Bloomington

L. Jean Camp

Indiana University Bloomington - School of Informatics and Computing

Date Written: January 18, 2021

Abstract

Multi-factor authentication (MFA) is a useful measure for strengthening authentication. Despite its security effectiveness, the adoption of MFA tools remains low. To create more human-centric authentication solutions, we designed and evaluated the efficacy of a risk-reduction-based incentivization model. We examined the real-life use of MFA and developed text-based and video-based risk communication strategies. We implemented our proposed model in a large-scale organization with more than 92; 025 employees, and we collected survey data from 287 participants and interviewed 41 participants. Our goal was to under- stand how MFA can protect corporate servers, employee accounts, and MFA user perceptions. We observed negative perceptions and degraded understandings of MFA technology due to the absence of proper risk and bene t communication in the control group. Meanwhile, the experimental group employees showed positive perceptions of MFA use for their work and personal accounts. Our analysis and implementation strategy are critical for reducing users' risks, creating positive security tool usage experiences, and motivating users to enhance their security practices.

Keywords: Authentication, Multi-Factor Authentication, Risk Communication, User Studies, Organizational Security

Suggested Citation

Das, Sanchari and Kim, Andrew and Camp, L. Jean, Organizational Security: Implementing a Risk-Reduction-Based Incentivization Model for MFA Adoption (January 18, 2021). In Proceedings of the International Conference on Financial Cryptography and Data Security, March, 2021, Grenada (Virtual)., Available at SSRN: https://ssrn.com/abstract=3768846 or http://dx.doi.org/10.2139/ssrn.3768846

Sanchari Das (Contact Author)

University of Denver ( email )

2201 S. Gaylord St
Denver, CO 80208-2685
United States

Andrew Kim

Indiana University Bloomington ( email )

Dept of Biology
100 South Indiana Ave.
Bloomington, IN 47405
United States

L. Jean Camp

Indiana University Bloomington - School of Informatics and Computing ( email )

901 E 10th St
Bloomington, IN 47401
United States

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Downloads
338
Abstract Views
997
Rank
168,617
PlumX Metrics