ORCID
https://orcid.org/0000-0002-5349-4011
Document Type
Article
Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.
Disciplines
Computer Sciences
Abstract
Authentication security advice is given with the goal of guiding users and organisations towards secure actions and practices. In this article, a taxonomy of 270 pieces of authentication advice is created, and a survey is conducted to gather information on the costs associated with following or enforcing the advice. Our findings indicate that security advice can be ambiguous and contradictory, with 41% of the advice collected being contradicted by another source. Additionally, users reported high levels of frustration with the advice and identified high usability costs. The study also found that end-users disagreed with each other 71% of the time about whether a piece of advice was valuable or not. We define a formal approach to identifying security benefits of advice. Our research suggests that cost-benefit analysis is essential in understanding the value of enforcing security policies. Furthermore, we find that organisation investment in security seems to have better payoffs than mechanisms with high costs to users.
Recommended Citation
Hazel Murray and David Malone. 2023. Costs and Benefits of Authentication Advice. ACM Trans. Priv. Sec. 26, 3, Article 30 (May2023), 35 pages. https://doi.org/10.1145/3588031
Publication Details
ACM Transactions on Privacy and Security, vol. 26, no. 3. ©2023 Copyright held by the owner/author(s).