Password behaviour: A threat to cyber security A study of future financial sector employees in Denmark

Several reports demonstrate that one of the weakest links in organisations, regardless of size, industry or country of operation, is the human factor (Howarth, 2014) (Turban, et al., 2015) (IBM Security, 2019) (Center for Cybersikkerhed, 2019). Individual employees are an easy target through which malicious adversaries, using social engineering, gain access. At the human aspect, the high probability of threat to cyber-attacks lies within two somewhat embarrassingly simple and seemingly uncomplicated areas; these are opening malware emails and creating and reusing insecure passwords. This paper focus on the latter.
The research question driving the study is “Are future financial sector employees’ online attitudes and behaviours putting the sector at risk of cyber-attacks?”.

Aims

Research on password creation and use concentrates primarily on theory and generic, non-specific situations.  The literature does not cover the coupling of theoretical insight directly to implications for a specific business sector.
Cyber security is the risk causing most concern within the financial sector; a risk compounded by the sector’s dependence on IT.  A recent 2020 survey of trust and risk shows a slight decrease in concern by respondents – those responsible for risk in the financial sector – from 81% in 2019 to 74% in 2020.  The 7% decline could be an indication of one of two factors; namely, an increased effort in the investment or that other risks have become more challenging, either way, they agree that cybercrime adversaries, social engineers, are continually more skilled and advanced criminals. (Finanstilsynet/Financial Services Authority, 2020)
This paper seeks to explore the extent of risk, concentrating specifically on the financial sector, most recently identified by the Centre for Cybersecurity, a separate entity of the Danish Ministry of Defence, as the most susceptible to cyber-attack in Denmark (Center for Cybersikkerhed, 2019).
The study explores future financial sector employees’, identified as Generation Z, attitudes and behaviours towards cyber security and specifically password creation and use.
To lay the foundation for understanding the vulnerability at the human factor, the theoretical section of the paper provides a concise overview of social engineering, behaviour economics and password creation and use. The focus then turns towards future financial sector employees, presenting literature on  Generation Z, their digital behaviour, attitudes towards security, and finally their attitudes towards personal data sharing in the cybersphere.

Research and findings are directly related to finance studies at every level and can be included under subject areas, “god skik”, communication and digital communication.

Cyber security is at the top of the executive agenda with governments around the world focusing more on solutions to cyber-attacks.  Both the state and private organisations are investing in research and software systems, creating stringent policies, protocols, reporting procedures and training to minimize the risk of cyber-attacks.  Investment in precautionary measures focuses heavily on systems software. While this is an improvement on the preceding state of affairs, the question is whether enough is being done at the human factor.
Based on the research findings, a framework for Password creation and use policy that falls under IT security policy, and thus compliance, is proposed.

1. Literature review: A review of existing literature spanning 3 decades was carried out. Several academics having studied the deficiencies of the security side of the establishment of the internet, and in particular password authentication systems. Results demonstrate that major setbacks arise from human limitations (Zhang, et al., 2010).  Amongst others, decision making  (Kahneman, 2013), human memory (Yan, et al., 2003) and socio-cultural contexts  (Han & Northoff, 2009).

Data collection: Focus group recruitment for this study was targeted at students studying on the finance graduate and undergraduate degree programs, a target group not previously explored by academics in their research on password creation and use

Data collection and analysis focuses on exploring future financial sector employees’ attitudes and behaviour towards password creation and use. For this purpose, exploratory, qualitative method using focus groups of students across financial studies was carried out.  The analysis is based on the works of Yin (1989), Krueger (1994), Robson (2002), Raibiee (2004) and Krueger & Casey (2015) using coding to reduce the data to gain the bigger picture. Data analysis strategy and design focused on thematization as in figure 1 and 2 below:

Figure 1. Framework approach to data analysis using thematization

(Rabiee, 2004)

Figure 2. Strategy for analysis and conceptualisation of focus group data

(Krueger, 2000) (Rabiee, 2004) (Krueger & Casey, 2015)

Projektets teoretiske ståsted
Theoretical grounding is based upon social engineering, behavioural design, and Generation Z.
Amongst others:

• Social Engineering (Hadnagy, 2011)
• Consideration of future consequences (CFC) (Strathman et al., 1994)
• Decision making trade-off- security versus ease of memory. (Qureshi, et al, 2009)
• Sense of Agency (Kahneman, 2011), (di Costa, et al., 2017) and (Goldberg, 2017)
• Digital natives, Generation Z

Existing literature on password creation and use spanning three decades creates a grounding for policy framework:
Causal effect of insecure behaviour, friction based on perceived effort (Kahneman, 2013), low consideration of consequences resulting in the misconception of high effort for low reward (Strathman, et al., 1994). Recommendations from literature include shared responsibility, increasing the consideration of consequence and assisting memory (Strathman, et al., 1994) (Yan, et al., 2003) (Qureshi, et al., 2009) (Hansen & Nissenbaum, 2009) (Sotirakopoulos, 2011).

Projektets empiri
Seven focus groups with 32 students of financial studies across disciplines and degree levels at the IBA Kolding.