Password behaviour: A threat to cyber security A study of future financial sector employees in Denmark

Project title Password behaviour: A threat to cyber security A study of future financial sector employees in Denmark
Project type Applied research and development
Frascati Yes
Theme Business | IT | Technology
Teaser Cyber security policies focus on systems, often overlooking the human factor. Is Generation Z's password authentication behaviour a risk to the financial sector?
Status Completed
- Academy IBA Erhvervsakademi Kolding
- Contact person Lucy Caroline Gabrielsen
Nat./Int. National
Project period 1 October 2018 - 18 May 2022
- Project summary

Several reports demonstrate that one of the weakest links in organisations, regardless of size, industry or country of operation, is the human factor (Howarth, 2014) (Turban, et al., 2015) (IBM Security, 2019) (Center for Cybersikkerhed, 2019). Individual employees are an easy target through which malicious adversaries, using social engineering, gain access. On the human side, the high probability of exposure to cyber-attacks lies within two somewhat embarrassingly simple and seemingly uncomplicated areas: opening malware emails, and creating and reusing insecure passwords. This paper focuses on the latter.
The research question driving the study is “Are future financial sector employees’ online attitudes and behaviours putting the sector at risk of cyber-attacks?”.


Research on password creation and use concentrates primarily on theory and generic, non-specific situations.  The literature does not cover the coupling of theoretical insight directly to implications for a specific business sector.
Cyber security is the risk causing most concern within the financial sector; a risk compounded by the sector’s dependence on IT. A recent 2020 survey of trust and risk shows a slight decrease in concern by respondents – those responsible for risk in the financial sector – from 81% in 2019 to 74% in 2020. The 7% decline could be an indication of one of two factors: an increased effort in investment, or that other risks have become more challenging. Either way, respondents agree that cybercrime adversaries, social engineers, are increasingly skilled and advanced criminals. (Finanstilsynet/Financial Services Authority, 2020)
This paper seeks to explore the extent of risk, concentrating specifically on the financial sector, most recently identified by the Centre for Cybersecurity, a separate entity of the Danish Ministry of Defence, as the most susceptible to cyber-attack in Denmark (Center for Cybersikkerhed, 2019).
The study explores the attitudes and behaviours of future financial sector employees, identified as Generation Z, towards cyber security and specifically password creation and use.
To lay the foundation for understanding the vulnerability at the human factor, the theoretical section of the paper provides a concise overview of social engineering, behavioural economics and password creation and use. The focus then turns towards future financial sector employees, presenting literature on Generation Z, their digital behaviour, attitudes towards security, and finally their attitudes towards personal data sharing in the cybersphere.

- Background and purpose

Research and findings are directly related to finance studies at every level and can be included under subject areas, “god skik”, communication and digital communication.

Cyber security is at the top of the executive agenda with governments around the world focusing more on solutions to cyber-attacks.  Both the state and private organisations are investing in research and software systems, creating stringent policies, protocols, reporting procedures and training to minimize the risk of cyber-attacks.  Investment in precautionary measures focuses heavily on systems software. While this is an improvement on the preceding state of affairs, the question is whether enough is being done at the human factor.
Based on the research findings, a framework for a password creation and use policy, which falls under IT security policy and thus compliance, is proposed.

- Activities and action
  1. Literature review: A review of existing literature spanning 3 decades was carried out. Several academics have studied the deficiencies of the security side of the establishment of the internet, and in particular password authentication systems. Results demonstrate that major setbacks arise from human limitations (Zhang, et al., 2010), amongst others decision making (Kahneman, 2013), human memory (Yan, et al., 2003) and socio-cultural contexts (Han & Northoff, 2009).

  2. Data collection: Focus group recruitment for this study was targeted at students studying on the finance graduate and undergraduate degree programs, a target group not previously explored by academics in their research on password creation and use.

- Project method

Data collection and analysis focus on exploring future financial sector employees’ attitudes and behaviour towards password creation and use. For this purpose, an exploratory, qualitative method using focus groups of students across financial studies was carried out. The analysis is based on the works of Yin (1989), Krueger (1994), Robson (2002), Rabiee (2004) and Krueger & Casey (2015), using coding to reduce the data to gain the bigger picture. Data analysis strategy and design focused on thematization as in Figures 1 and 2 below:


Figure 1. Framework approach to data analysis using thematization

(Rabiee, 2004)

Figure 2. Strategy for analysis and conceptualisation of focus group data

(Krueger, 2000) (Rabiee, 2004) (Krueger & Casey, 2015)

Theoretical standpoint of the project
Theoretical grounding is based upon social engineering, behavioural design, and Generation Z.
Amongst others:

  • Social Engineering (Hadnagy, 2011)
  • Consideration of future consequences (CFC) (Strathman et al., 1994)
  • Decision-making trade-off: security versus ease of memory (Qureshi, et al., 2009)
  • Sense of Agency (Kahneman, 2011), (di Costa, et al., 2017) and (Goldberg, 2017)
  • Digital natives, Generation Z

Existing literature on password creation and use, spanning three decades, provides the grounding for the policy framework:
Causal effect of insecure behaviour, friction based on perceived effort (Kahneman, 2013), low consideration of consequences resulting in the misconception of high effort for low reward (Strathman, et al., 1994). Recommendations from literature include shared responsibility, increasing the consideration of consequence and assisting memory (Strathman, et al., 1994) (Yan, et al., 2003) (Qureshi, et al., 2009) (Hansen & Nissenbaum, 2009) (Sotirakopoulos, 2011).

Empirical data of the project
Seven focus groups with 32 students of financial studies across disciplines and degree levels at IBA Kolding.

- Expected results of the project
- Expected impact of the project
- Students IBA Erhvervsakademi Kolding (32)
- Employees
- Company representatives
- Others
  • During the course of the research, two smaller working papers have been published directly on LinkedIn (see 18.0 below)
  • LinkedIn article posts:
    • LinkedIn article post 1. 20/04/2020
    • LinkedIn article post 2. 17/02/2021
  • The research paper was submitted to the academic journal of cyber security for peer review. The main paper, post review corrections, is available on EAViden and
  • Study related case exercises for financial students, specifically Financial Bachelors (Finans Bachelorer) and Financial Managers (Finansøkonomer) as listed below:
    • FBA E2019 Compulsory prerequisite Part 1
    • FBA E2019 Compulsory prerequisite Part 2
    • FBA E2020 Segmentation exercise
    • FBA E2020 Compulsory prerequisite – written and Pecha Kucha
    • FIN E2020 Segmentation exercise
    • FIN F2021 Semester assignment
  • Project poster to use in classroom as student material.

The findings demand a shift from system one (unconscious and automatic) to system two (deliberate and effortful) decision making and an increase in concentration and effort of mental activity when creating passwords.
The findings demonstrate that the behaviours and attitudes towards password security of digital natives studying for a career in the sector most vulnerable to cyber-attack are no different from those of any other group. This presents a high-risk factor for society.

EAviden_Report_Password behaviour_Still a threat to cyber security_Lucy Gabrielsen

EAviden_Research poster_Lucy Gabrielsen

- Dissemination of results

• Research Day 22/04/2020
• IBA knowledge day 15/11/2019
• Department meetings in the finance programmes
o Department meeting 28/03/2019
o Department meeting 05/01/2021
• LinkedIn

- Value of the results
- Target group
- Knowledge products Website/blog