User Resistance to Password Security Explored
Though most organizations have policies and guidelines to protect their information systems from unauthorized access, research has shown that employee compliance is often a problem.
“Even if the policies are mandatory, individual perceptions, interpretations, and behavior vary within the process of complying,” said France Belanger, Pamplin College of Business accounting and information systems professor at Virginia Tech.
Belanger and three Pamplin doctoral students completed a new study exploring the attitudes and “resistance behavior” of individuals faced with a required information technology security change. Previous studies, she said, largely focused on voluntary behavior.
Using Virginia Tech as a case study, Belanger and her team — Eric Negangard and Kathy Enget (accounting and information systems) and Stephane Collignon (business information technology) — surveyed undergraduate and graduate students, faculty members, staff, and administrators at Virginia Tech. The university required its information systems account holders to change their passwords by July 1, 2011, after evaluating password practices in the wake of recurring security problems. Accounts would not be accessible with old passwords after the deadline.
Managers who develop and implement information security procedures may find some useful lessons about change management in the study, Belanger said. It highlights the role of user awareness of the security change in influencing user attitudes toward the change and shows the relative importance of various organizational measures to publicize the change.