International Journal of Information Management
International Journal of Information Management 32 (2012)

Improving information security management: An analysis of ID–password usage and a new login vulnerability measure

Youngsok Bang a, Dong-Joo Lee b, Yoon-Soo Bae c, Jae-Hyeon Ahn c

a Desautels Faculty of Management, McGill University, 1001 Sherbrooke Street West, Montreal, Quebec, Canada
b Division of Management, Hansung University, 102 Hansungdae Street, Sungbook-gu, Seoul, Republic of Korea
c KAIST Business School, Chongyangri-dong, Dongdaemoon-gu, Seoul, Republic of Korea

Article history: Available online 18 February 2012

Keywords: Information security management; ID; Password; Vulnerability measurement; E-business

Abstract

Statistics show that the number of identity theft victims in the US increased by 12% in 2009, to 11.1 million adults, while the total annual fraud amount increased by 12.5%, to $54 billion. As the e-commerce volume is increasing and various online services are becoming more popular, the number of sites to which an average Internet user subscribes is increasing rapidly. Given the limited memory capacity of human beings, an Internet user's login credentials (in the form of a combination of a user ID and a password) are usually reused over multiple accounts, which can cause significant security problems. In this study, we address the vulnerability of login credentials. First, based on a unique Internet user data set, we analyze the behavioral characteristics of login credentials usage. We find that the same login credentials are used for many more accounts and reused much more often than previously expected. Furthermore, usage patterns are found to be quite skewed. Second, building on a network perspective of login credentials usage, we suggest a vulnerability measure of an individual's login credentials and analyze the vulnerability of current Internet users. The resulting information is valuable not only to the research community but also to managers and policy makers striving to reduce security vulnerability.

Elsevier Ltd. All rights reserved.

1. Introduction

A guiding tenet of information security is that security is only as strong as the weakest link and users are the weakest link (Schneier, 2000). As such, information security is not only a technical issue but also a behavioral issue involving users. Much research has been conducted to understand users' security-related behaviors, such as information systems misuse (D'Arcy, Hovav, & Galletta, 2009; Siponen & Vance, 2010; Straub, 1990; Workman, Bommer, & Straub, 2008) or security-enhancing actions (Bulgurcu, Cavusoglu, & Benbasat, 2010; Johnston & Warkentin, 2010; Kankanhalli, Teo, Tan, & Wei, 2003; LaRose, Rifon, & Enbody, 2008), mostly in work environment settings. Unlike employees in a work environment setting, however, general end users are not subject to training, nor are they protected by a technical security staff at work. Thus, with over a billion people with access to the Internet, individual Internet users represent a significant point of weakness in cybersecurity (Anderson & Agarwal, 2010). As e-commerce volume continues to expand and various online services including e-mail, financial, social networking, and content services become increasingly popular, the number of sites to which an average Internet user subscribes is increasing rapidly, generating a significant security issue over multiple accounts.

To gain access to a website account, each user usually has to go through an identification and authentication process (Pernul, 1995). The most prevalent website identification/authentication mechanism is the use of credentials in the form of a user ID/password (PW) combination (hereafter referred to as login credentials).
Security-enhancing measures generally fall into four distinct sequential activities called the Security Action Cycle: deterrence, prevention, detection, and recovery (Straub & Welke, 1998). The identification/authentication mechanism is representative of prevention activities in the cycle (Doherty, Anastasakis, & Fulford, 2011; Kankanhalli et al., 2003; Straub & Welke, 1998). Since multiple accounts exist, the reuse of login credentials (the same combination of an ID and a PW) for accessing more than one account can cause serious problems, as has been widely suggested in the literature (e.g., Adams & Sasse, 1999; Gaw & Felten, 2006; Ives, Walsh, & Schneider, 2004; Zhang, Luo, Akkaladevi, & Ziegelmayer, 2009). For example, a security breach on one site can trigger a security risk on other sites, because a hacker who gains access to one account may be able to gain access to others (Ives et al., 2004). In fact, users who reuse PWs often fail to realize that their most well-defended account is not more secure than their most poorly defended account due to the reuse (Ives et al., 2004).

The effect of the resulting identity fraud can be substantial. Statistics show that the number of identity fraud victims in the US in 2009 increased by 12%, to 11.1 million adults, while the total annual fraud amount increased by 12.5%, to $54 billion (Javelin Strategy and Research, 2010). A recent case in South Korea provides a clear example of the problem of a security breach and the subsequent crime committed by using reused login credentials. In 2008, two hackers attacked about 100 small, less secure websites in South Korea such as flower delivery sites, online game sites, and real estate sites and stole the login credentials of 2.3 million users. Using these login credentials, they hacked into Naver.com, which is the most popular portal site in South Korea commanding over 60% of the market share. As many as 150,000 accounts in the portal site were successfully attacked. The hackers exploited the account information for fraudulent advertising and sold the personal information acquired from the accounts. While Naver.com is generally considered to have strong system security, this case shows that the company's user data are no longer secure because of the company's links with other less secure sites in which the login credentials of users are the same as those in Naver.com. Therefore, it is reasonable to expect that the risks caused by reusing login credentials will increase exponentially, because the number of systems protected by login credentials (particularly small websites) is increasing (Ives et al., 2004).¹

Cognitive psychology theory provides an explanation for the reuse behavior. It argues that human beings have an inherently limited memory capacity (Miller, 1994). Given multiple accounts, users must perform a mental process of searching and retrieving the account–login credential pairs from their memory (Zhang et al., 2009).
Because of the memory problem, remembering and managing multiple IDs and PWs becomes difficult and cumbersome.

The starting point for addressing the vulnerability of login credentials is to understand the status of reuse behavior. However, it is difficult to obtain even a single firm's data about users' actual login credentials. Therefore, objective and comprehensive statistics are rarely available at present. In fact, most statistics about reused credentials from previous studies (e.g., Gaw & Felten, 2006; Kaspersky Lab, 2007; RSA, 2004) are based on the respondents' speculation about their accounts and their usage of login credentials in the accounts rather than on objective data. However, recall may not be reliable. When users subscribe to many sites, they may fail to recall some of the login credentials used and even forget some of the sites in general. Our results show that current recall-based reuse statistics are usually quite biased.

The study by Florencio and Herley (2007) is exceptional because it is based on large-scale, objective data on PW reuse, gathered over 10 weeks through a component of Windows Live Toolbar. However, as the authors indicate, the study may have missed a large fraction of PW usage behavior, because users may log into their accounts from more than one machine, which could not be accounted for in the data-gathering method, and PWs with a bit strength of less than 20 were not included in the collection. Furthermore, PWs used at only one site were excluded, because data were collected only for reused PWs. In addition, users may not have logged into some infrequently visited sites during the 10-week observation period. Therefore, our knowledge of the current state of the reuse of login credentials appears to be limited. To overcome this problem, we provide and analyze objective and comprehensive statistics based on a unique data set about the reuse of login credentials. This is the first objective of this study.

The second objective of the study is to suggest a measure of the vulnerability of login credentials and analyze the data to assess the vulnerability of current Internet users.
An appropriate measure of vulnerability can be used to assess related risks and can guide the allocation of resources for security improvement (Alhazmi, Malaiya, & Ray, 2007). Although several measures of login credentials vulnerability such as PW strength, memorability, and the PW reuse ratio have been applied, they either ignore login credentials reuse over multiple accounts (e.g., PW strength and memorability) or do not reflect the structural characteristics of the reuse (e.g., the PW reuse ratio).

PW strength, which measures the effectiveness of a single PW in preventing guessing and brute-force attacks, presumes that the account is well defended if the PW is long, complex, and unpredictable (Burr, Dodson, & Polk, 2006; Horcher & Tejay, 2009; Weber, Guster, & Safonov, 2008). Therefore, a random sequence of upper- and lower-case letters, punctuations, symbols, and numbers is typically used to generate an ideal PW. However, as we can see from the identity theft case of Naver.com, the vulnerability of an account depends not only on the security level of the account itself, but also on the behavioral patterns of login credentials reuse. In addition, a strong PW tends to be difficult to remember, and that may lead to a security problem because a user might keep an insecure written record of it or rely on an insecure backup authentication procedure after forgetting it (Yan, Blackwell, Anderson, & Grant, 2004).

Given this PW strength–memorability tradeoff, PW memorability, which measures the ease with which the user can remember a PW, has drawn research attention to examine efficient ways to improve memorability without compromising strength (Bunnell, Podd, Henderson, Napier, & Kennedy-Moffat, 1997; Nelson & Vu, 2010; Vu et al., 2007; Yan et al., 2004). However, similar to PW strength, PW memorability has a focus on a single PW, without considering login credentials usage over multiple accounts.
Finally, the PW reuse ratio, another popular measure of login credentials vulnerability (e.g., Brown, Bracken, Zoccoli, & Douglas, 2004; Florencio & Herley, 2007; Gaw & Felten, 2006), is defined as the number of sites to which a user subscribes divided by the number of unique PWs used at the sites. As long as a given number of unique login credentials are used over a given number of accounts, the reuse ratio is identical, regardless of the structural characteristics of the reuse, that is, how the login credentials are distributed over the accounts. Therefore, the reuse ratio is most appropriate when the login credentials are uniformly distributed, while it is subject to a bias when applied to a skewed usage pattern of login credentials, which is shown to be the case in this paper.

These limitations of the current measures suggest the need for a new measure of vulnerability that captures the behavioral patterns and structural characteristics of the login credentials usage over multiple accounts.² To fill this gap, we propose a measure of the login credentials vulnerability that can be applied in practice and has a clearly defined interpretation.

The rest of the study is organized as follows. Section 2 details the method of data collection. Section 3 presents the major findings from the analysis of login credentials usage and compares the statistics from our data with those from previous studies. Section 4 suggests a network perspective on the usage of login credentials to clearly understand the characteristics of usage patterns of login credentials and the resulting vulnerability. Section 5 proposes a new vulnerability measure reflecting the characteristics of login credentials usage. Finally, in Section 6, some discussions and concluding remarks are presented.

¹ In April 2011, one of the largest recorded data breaches occurred at Sony's computer networks. Over 100 million accounts were compromised from PlayStation Network, Qriocity, and Sony Online Entertainment Network. Stolen account information included IDs, PWs, names, addresses, etc. (McMillan, 2011).

² Other literature has suggested methods to measure the vulnerability of IT systems (e.g., Farahmand, Navathe, Sharp, & Enslow, 2005; Patel, Graham, & Ralston, 2008; Wang, Wang, & Wulf, 1997). However, system-level measures are hard to apply for the assessment of the vulnerability of login credentials at the individual user level.

2. Data collection

Our main sample consists of 49 Internet users in South Korea.³ To collect their login credentials for the different sites that they have subscribed to as thoroughly as possible, we used an Internet security site which searched about 30,000 South Korean sites and provided a list of all the sites to which an Internet user had subscribed on the basis of the user's identification information (name and social security number, or SSN). This is possible because users' real names and SSNs are required and verified by almost all South Korean websites upon sign-up. This unique feature makes South Korea an excellent region for obtaining reliable, although not perfect, data for the study.

The participants were asked to enter their identification information into the site to obtain a list of the sites to which they were subscribing. Then, they were asked to provide their IDs and PWs for the sites using a serial number (e.g., ID1, ID2, ...; PW1, PW2, ...); the same serial number for IDs in two sites indicated the same ID for the sites, and similarly for PWs. To ensure the accuracy of the data, every data collection session was conducted face-to-face and each respondent was asked to log into all the sites retrieved. Upon failure to recall either an ID or a PW for a site, the respondent was asked to inquire of the site for the correct information on the ID or PW. Thus, we could verify whether each respondent's IDs (PWs) for any pair of sites were the same. We offered the participants some financial rewards. It usually took about 1–2 h to complete the data collection for each participant. Since the data collected were very private, it was difficult to get a large sample size.
There were 34 (69%) male and 15 (31%) female respondents; 32 (65%) respondents were in their 20s, 11 (23%) were in their 30s, three (6%) were in their 40s, and the remaining three (6%) were in their 50s. Of all the respondents, 18 (37%) were undergraduate or graduate students, and 31 (57%) had full-time jobs while three (6%) were housewives.

³ We also gathered data from another sample, which is described in Section 3.

3. Analysis of login credentials usage

This section analyzes the data to understand login credential usage behaviors over multiple accounts and contrasts the results with those from previous recall-based studies. Table 1 summarizes the main descriptive statistics from our data analysis. We provide the major findings below.

3.1. Finding 1: the number of subscribing accounts is considerably larger than previously expected

The statistics on the number of subscribing accounts obtained using our unique data set are substantially different from those obtained in previous studies. This difference causes a great difference in the reuse ratio estimates, as explained subsequently. The average number of accounts is 105.7 (median = 95), ranging from 27 to 199 (see Table 1, first row). The average number is considerably larger than those in the existing statistics summarized in Table 2, where the average or median values are mostly less than 10 and at most 25. For example, Gaw and Felten (2006) found that the average number of accounts was only 7.9. In their study, the 49 participants were asked to indicate the websites they used out of 139 sites. Further, they were requested to recall and add other sites at which they had their own accounts. Another recall-based survey of 150 users in the UK by Kaspersky Lab (2007) revealed that 62% of users have 10 or fewer online accounts with PWs and that only 23% of users have more than 20 accounts. Brown et al. (2004) surveyed 218 college students and reported a similar result: each student had, on average, 8.2 PW-protected accounts.
The substantial discrepancy between our results and those of existing studies seems to be closely related to the difference in data-gathering methods (i.e., objective versus recall based).⁴ Alternatively, the discrepancy may have been caused by the difference in Internet usage among different users of different countries. However, related statistics do not show any significant difference in Internet usage among the users in South Korea, the US, and the UK: as of 2010, Internet penetration rates, the number of Internet users out of total population, were 81.1%, 77.3%, and 82.0%, respectively, in the three countries (Miniwatts Marketing Group, 2011). The usage rates of the users for major Internet services are also similar between South Korea and the US: 87.8% and 91.0% for services, 61.3% and 71.0% for Internet shopping, 45.0% and 55.0% for Internet banking, and 86.7% and 70.0% for Internet news services, respectively (National Internet Development Agency of Korea, 2009). As of 2009, the average Internet user from South Korea and the US spent an estimated 2.0 h and 2.1 h online per day, respectively, and 2.1 h and 1.9 h as of 2010 (Korea Communications Commission and Korea Internet & Security Agency, 2009, 2010; The Nielsen Company, 2010a, 2010b). Thus, the difference in Internet usage among countries is not likely to be the source of the discrepancy in the analysis results.

Given the small number of respondents in our main sample, we gathered another set of data (hereafter referred to as the supplementary data set) to demonstrate that recall-based surveys of login credentials usage tend to significantly under-report the number of accounts used. The data were collected from 50 undergraduate students enrolled in an information systems class at a South Korean university who did not overlap with the respondents in the main sample. Both the recall-based method as in the previous studies and the objective method as in Section 2 were applied to each respondent.
Specifically, each respondent was first asked to recall the websites to which he or she was subscribing and provide the estimate of the total number of the sites. Next, each respondent was asked to retrieve a list of the subscribing sites from the Internet security site and provide the total number of retrieved sites. This approach enabled us to analyze the effect of the data-gathering method while controlling for other confounding factors such as Internet usage or environmental differences. We also gathered data about the respondents' reactions to periodic PW change requests from websites, which will be discussed later.

The analysis of the supplementary data shows that the results are consistent with those from the main sample. First, the average number of sites retrieved from the Internet security site is (median = 119.5). This number is not statistically different from the average number of sites in the main sample (105.7), with t = (p = 0.131), implying that the statistics in Table 1 are likely to be robust across both samples. Second, the average number of sites recalled by the respondents is 50.0 (median = 31.0). A pairwise t-test verifies that the number of retrieved sites is significantly larger than the number of recalled sites, with t = (p < 0.001).

The above results from our two samples suggest that Internet users have difficulty recalling the sites to which they subscribe. They usually substantially underestimate the number and therefore may underrate the potential risks in reusing login credentials. Hence, recall-based studies have significant limitations in providing a credible picture of login credentials usage.

⁴ Our result is also quite different from that of Florencio and Herley (2007), who found on the basis of large-scale, objective data that the average number of accounts of an Internet user is 25. This seems to be related to the potential sources of error in the study, as mentioned before.

Table 1. Status of login credentials usage.
Columns: Item; Mean; S.D.; Min; Median; Max
No. of sites that users subscribe to (accounts)
No. of unique IDs used
No. of unique PWs used
No. of unique (ID, PW) combinations used
ID reuse ratio (a)
PW reuse ratio (a)
(ID, PW) reuse ratio (a)
Percentage of active (ID, PW)s (b): 45.6%; 16.7%; 13.3%; 42.9%; 100.0%
(a) The ID (PW) reuse ratio is the number of sites that users subscribe to divided by the number of unique IDs (PWs) used; the (ID, PW) reuse ratio is the number of sites that users subscribe to divided by the number of unique (ID, PW) combinations used.
(b) The percentage of active (ID, PW) combinations is the number of unique (ID, PW) combinations used divided by the product of the numbers of unique IDs and PWs used.

3.2. Finding 2: the same IDs and PWs are very frequently used for multiple accounts

Table 1 shows that the respondents use only a small number of unique PWs, that is, 1–15 PWs, with an average of 4.7 (median = 4) PWs. This result is similar to those of previous studies (see Table 2), where the average numbers range from 3.3 to 6.5 and the medians are less than 5. Using the data on the number of the sites to which each respondent subscribes, we can compute the PW reuse ratio for respondents, which is defined as the number of sites to which a user subscribes divided by the number of unique PWs used at the sites. As shown in Table 1, the average of the ratios is 29.2 (median = 23). This contrasts sharply with the average reuse ratios reported in previous studies, which range from 1.8 to 3.9 (see Table 2). Therefore, since the Internet users' PWs are reused intensively over multiple accounts, the resulting vulnerability is considerably greater than what was previously expected.

Our study also provides statistics on ID usage, which have been rarely reported to date. The respondents use 6.6 unique IDs on average (median = 6), with the range being . The average ID reuse ratio is 19.1, which is also very high. By relating the ID usage data to the PW usage data, we find that the respondents use a higher number of unique IDs than unique PWs (t = 3.997, p < 0.001). In addition, the correlation coefficient (0.106) between the number of unique IDs and the number of unique PWs is not significant (p = 0.472) when one unusual observation with 14 unique IDs and 15 unique PWs is excluded. That is, users maintaining more diversity in their IDs do not necessarily use more PWs; rather, both are independent. Since Internet users employ multiple IDs as well as multiple PWs and since both IDs and PWs are highly reused over a larger number of accounts, the management of login credentials and the corresponding risks need to be examined from the perspective of a combination of the two; this perspective is adopted in the following analysis.

3.3. Finding 3: only a limited proportion of the possible (ID, PW) combinations is actually used. Furthermore, the reuse ratio of (ID, PW) combinations is higher for users with more accounts

By replacing IDs or PWs in the above analysis with combinations of IDs and PWs, denoted (ID, PW), we find that the respondents use 11.8 unique (ID, PW) combinations, on average. Therefore, they use combinations in a more diversified manner compared to just IDs or PWs (see the second to fourth rows in Table 1). However, the reuse ratios of the combinations are still very high, with an average of 10.5 (the seventh row in Table 1).

An interesting finding is that the respondents do not diversely use the possible combinations of IDs and PWs. Consider a user who has six IDs and five PWs; 30 unique combinations of IDs and PWs are then possible. However, the respondents use only 45.6% of the possible combinations, on average (see Table 1, last row). Thus, the reuse ratio of the active (ID, PW) combinations increases. This result implies that Internet users may substantially mitigate the problems of reusing login credentials by diversifying the combinations of their current IDs and PWs without using additional IDs or PWs.

Another related observation is that the number of accounts and the number of combinations are not significantly correlated, with a correlation coefficient of . Further, the reuse ratio of combinations is found to have a strong positive correlation with the number of accounts (correlation coefficient = 0.648, p < 0.001). Therefore, subscription to more sites is not usually accompanied by diverse (ID, PW) combinations, leading to a higher reuse ratio. This result can also be attributed to the cognitive limitations of users in managing their login credentials over multiple sites.

Table 2. Statistics from previous studies.
Columns: Study; Account type; Data-gathering method; No. of unique accounts; No. of unique PWs; Reuse ratio
Gaw and Felten (2006); Websites; A recall-based survey of 49 respondents; Mean = 7.9; Mean = ;
Kaspersky Lab (2007); Websites; A recall-based survey of 150 users in the UK; : 62%, 20: 15%, 21: 23%; 4: 51%, 10: 30%, 11: 19%; Not reported
Florencio and Herley (2007); Websites; Observation of half a million users; Mean = 25; Mean = ;
Brown et al. (2004); Websites, credit card, computer systems, etc.; A recall-based survey of 218 students in the US; Mean = 8.2; Mean = ;
RSA (2004); Websites, computer systems, ATMs, etc.; A recall-based survey of adults in the US; Not reported; 4: 63%, 5: 37%; Not reported
4. A network perspective to login credentials vulnerability

The previous section, using the measure of reuse ratio, contrasted login credential usage statistics from our study with those from recall-based studies and found that recall-based data tend to generate substantially biased results on login credential usage behaviors. This section carries the analysis a step further to examine the usage structure of login credentials and thereby show the limitation of the reuse ratio in capturing security vulnerability.

Our analysis is based on network theory. Euler (1741) laid the foundation for network theory by introducing the graph concept. A graph consists of points (called nodes), a set of discrete elements, and lines (called links), a set of connections between pairs of points. These points and lines concepts could be almost anything: people and friendships (Rapoport & Horvath, 1961), computers and communication lines (Faloutsos, Faloutsos, & Faloutsos, 1999), chemicals and reactions (Jeong, Tombor, Albert, Oltvai, & Barabasi, 2000; Wagner & Fell, 2001), scientific papers and citations (Redner, 1998), and journal authors and their joint papers (Goldenberg, Libai, Muller, & Stremersch, 2010). The network perspective abstracts away all the details of the real problem, focusing on the structure of connectivity (relationship). Recently, network theory has been widely applied to business research such as user–IT system interactions (Kane & Alavi, 2008), advertising competition (Chang, Oh, Pinsonneault, & Kwon, 2010), knowledge diffusion (Blumenberg, Wagner, & Beimborn, 2009; Hansen, 2002; Janhonen & Johanson, 2011), and new service development (Syson & Perks, 2004).

By applying network theory to login credentials usage, we can easily capture how an Internet user manages her login credentials for her subscribing accounts. Specifically, the Internet sites to which a user subscribes can be modeled as a network in which each site is viewed as a node. A link between two sites is created if the user uses the same login credentials on both sites. Thus, the link between the sites maps the transmission of vulnerability caused by the reuse of login credentials.

Fig. 1 illustrates a network representation of a hypothetical user's (ID, PW) usage with five (ID, PW) combinations over 14 sites. The combinations are used, respectively, on five sites (Sites 1–5), four sites (Sites 6–9), three sites (Sites 10–12), one site (Site 13), and one site (Site 14). Each site is represented by a node with the corresponding number. Because the user uses the same combination on Sites 1–5, Nodes 1–5 are linked together: these nodes constitute a component (denoted by Component A in Fig. 1). In network theory, a component is defined as a maximal connected subnetwork, that is, a subnetwork of the nodes that are linked between themselves but not linked outside to other nodes (Nooy, Mrvar, & Batagelj, 2005). Similarly, Nodes 6–9, on which another combination is shared, constitute another component (Component B). Component C is constructed the same way, with three nodes (Nodes 10–12). If an (ID, PW) combination is used only for one site, the corresponding node has no link and becomes an isolate (in network theory terminology). In Fig. 1, both Nodes 13 and 14 are isolates. Thus, the number of (ID, PW) combinations used by a user is equal to the sum of the number of isolates and the number of components in the corresponding network.

Using this approach, we can derive, for each respondent, an ID–PW usage network of the sites to which the respondent subscribes and apply network theory to investigate its structural characteristics. Table 3 summarizes the results.

Fig. 1. An illustration of a user's ID–PW usage network (with three components and two isolates).

4.1. Finding 4: the usage patterns of login credentials are highly skewed

In network theory, the inclusiveness of a network is defined as the number of connected nodes expressed as a proportion of the total number of nodes (Nooy et al., 2005). The respondents' ID–PW usage networks have an average inclusiveness of 0.94 (see Table 3, first row).
This means that for an average user, 94% of the sites to which the user subscribes have the same login credentials as at least one other site, which results in potential security breach chains, and only 6% of sites are isolated in terms of the security risk of login credentials.

Given the high level of inclusiveness, a question follows concerning the distribution of (ID, PW) combinations over sites with connections, that is, the distribution of the size of the components. A common measure of the ratio of the kth largest component to the entire network, or the number of sites in the kth largest component to the total number of sites in the network (Goldenberg et al., 2010), provides relevant information, as shown in Table 3. The ratio of the largest component to the entire network is 0.54 (average); that is, the most frequently used combination for each respondent is used for almost 54% of the total sites to which the respondent subscribes. Therefore, if the login credentials are stolen, for example, while signing up at a fake site, more than half of the total accounts are potentially at risk. In an extreme case, one respondent had used a single combination for over 87% of her total accounts. The average ratios for the second and third largest components are 0.18 and 0.09, respectively. Therefore, the three most frequently used combinations of each respondent are used for an average of 81% of the respondent's accounts. By comparing this result with the average number of unique combinations, 11.8, in Table 1, we can see that Internet users' usage patterns of their login credentials are highly skewed. They use very few combinations for most sites.

The highly skewed nature of login credentials usage implies an inherent limitation of the reuse ratio as a measure of vulnerability. For a given number of accounts and a given number of unique (ID, PW) combinations, the reuse ratio is identical by definition, independent of whether the usage is uniform or skewed over the accounts.
However, both usage patterns are not subject to the same level of vulnerability because the severity of a potential breach would be affected by the degree of skewness of the (ID, PW) usage network, as shown in the following section. Thus, we suggest a new measure of vulnerability that considers the structure of the network and captures the vulnerability caused by the skewness.

The above findings are based on our sample data. They may need to be interpreted with caution, since the sample is relatively small and not from random sampling, mainly due to the highly private nature of the data-gathering method and the significant effort required for response. However, the results can serve as an important starting point on why a new vulnerability measure is needed.
Table 3. Structural characteristics of ID–PW usage networks.
Columns: Item; Mean; Standard deviation; Min; Median; Max
Inclusiveness
Ratio of the largest component to the entire network
Ratio of the second largest component to the entire network
Ratio of the third largest component to the entire network
Vulnerability index (VI)

Fig. 2. Illustration of the VI.

5. Vulnerability of login credentials: a measure and analysis

In this section, we suggest a useful and informative measure of the vulnerability of login credentials, termed the vulnerability index (VI), and analyze the data. Suppose that a user is subscribing to $N$ sites and uses $m$ (ID, PW) combinations on the sites. Let $c_i$ denote combination $i$ ($i = 1, 2, \ldots, m$) and $n_i$ denote the number of sites where combination $i$ is used ($n_1 + \cdots + n_m = N$).

Consider an extreme case in which the user uses unique combinations for the sites (i.e., $m = N$). Then, all the nodes become isolates and no link exists. A security breach at any one site would not make the login credentials for other sites vulnerable. Thus, this is the most secure case. In the other extreme case, the user may use only one combination across all sites ($m = 1$). Then, all the pairs of nodes are linked, generating ${}_{N}C_{2}$ links. A breach at any one site would make the login credentials for all remaining $N - 1$ sites vulnerable. Thus, this is the least secure case. In an intermediate case ($1 < m < N$), at least one component should exist and isolates may exist. If a breach occurs in one site, the other sites in the same component are exposed to the risk. On the other hand, a breach at any isolated site does not harm the other sites. Thus, the severity of a potential breach depends on the structure of the network and the site of the initial breach.

Using this observation, the VI of an ID–PW usage network is defined as the expected proportion of sites subject to potential breaches if a breach at one site occurs. Suppose that $N = 6$, $m = 3$, $n_1 = 3$, $n_2 = 2$, and $n_3 = 1$. Assume that the probability of being a victim of the initial breach is the same for all sites.
Then, given a breach at one site, the login credentials for the site would be $c_1$ with probability 3/6, $c_2$ with probability 2/6, or $c_3$ with probability 1/6. If the login credentials are $c_1$, a breach risk involving $c_1$ exists at two additional sites. If the login credentials are $c_2$, a breach risk involving $c_2$ exists at one additional site. If the login credentials are $c_3$, no additional breach risk exists. Thus, the expected proportion of vulnerable sites is equal to $(3/6) \times (2/5) + (2/6) \times (1/5) + (1/6) \times (0/5) = 0.27$, which implies that one successful breach could cause breaches at 27% (average) of the remaining sites. By a simple generalization, we obtain the following formal expression:

$$\mathrm{VI} = \sum_{i=1}^{m} \left(\frac{n_i}{N}\right)\left(\frac{n_i - 1}{N - 1}\right) \qquad (1)$$

To derive Eq. (1), we assume the same probability of being the victim of the initial breach for all $N$ sites. However, it can be shown analytically that the VI formula is valid even in the presence of differences in probability. It is easy to verify that $\mathrm{VI} = 0$ when $m = N$ and $\mathrm{VI} = 1$ when $m = 1$. A larger value of VI indicates a higher level of vulnerability. For a given $N$ and $m$, it can be shown that VI increases with the variance of $n_i$.[5] Thus, VI is minimum ($\mathrm{VI}_{\min}$) when the variance of $n_i$ is zero; that is, all the combinations are used on the same number of sites (i.e., $n_1 = n_2 = \cdots = n_m = N/m$).[6] In this case, $\mathrm{VI}_{\min} = (N - m)/(m(N - 1))$ (from footnote 4). The variance of $n_i$ would be highest when $n_i = 1$ for $i \neq j$ and $n_j = N - (m - 1)$, and in this case VI will be maximum ($\mathrm{VI}_{\max}$) and $\mathrm{VI}_{\max} = (N - m + 1)(N - m)/(N(N - 1))$ from Eq. (1). The VI proposed does not distinguish the relative importance of ID and PW. ID is known publicly in some cases because it may be included in an or used as a nickname for a community. Considering the publicity of ID, as a supplement, we can calculate the VI on the basis of PW usage only, which can be easily derived analogously to the VI proposed here.

[5] $$\mathrm{VI} = \sum_{i=1}^{m} \left(\frac{n_i}{N}\right)\left(\frac{n_i - 1}{N - 1}\right) = \frac{1}{N(N-1)}\left[\sum_{i=1}^{m} n_i^2 - \sum_{i=1}^{m} n_i\right] = \frac{1}{N(N-1)}\left[m\left(\frac{\sum_{i=1}^{m} n_i^2}{m} - \left(\frac{\sum_{i=1}^{m} n_i}{m}\right)^2\right) + m\left(\frac{\sum_{i=1}^{m} n_i}{m}\right)^2 - \sum_{i=1}^{m} n_i\right] = \frac{1}{N(N-1)}\left[m\,\mathrm{Var}[n_i] + \frac{N^2}{m} - N\right] = \frac{m}{N(N-1)}\,\mathrm{Var}[n_i] + \frac{N - m}{m(N-1)}$$

[6] Since every $n_i$ is an integer, the minimum variance would be larger than zero if $N/m$ is not an integer. Thus, $\mathrm{VI}_{\min}$ would be larger than $(N - m)/(m(N - 1))$. However, the gap, $m\,\mathrm{Var}[n_i]/(N(N - 1))$, is negligible, given that $N$ is sufficiently large and $\mathrm{Var}[n_i]$ is close to zero.

Fig. 2 illustrates the minimum and maximum VI values as a function of $m$ for $N = 100$. As $m$ increases, both $\mathrm{VI}_{\min}$ and $\mathrm{VI}_{\max}$ decrease. Suppose that point A represents the current VI, 0.4, of a user's ID-PW usage network. The user can decrease the VI (e.g., from A to A ) by reducing the variation in the number of sites where each combination is used (i.e., by decreasing the variance of $n_i$). Alternatively, the user can decrease the VI (e.g., from A to A ) by using more combinations ($m$). In either case, the user can further decrease the VI (to VI or VI ) by minimizing the variance of $n_i$. Thus, VI provides information about not only the current level of vulnerability but also the possible extent of reduction in vulnerability.

Fig. 3. Respondents' reuse ratio and VI values. (Axes: reuse ratio of (ID, PW) pairs; VI. Labelled points: A, B.)

We calculate the VI values for the 49 respondents. As shown in Table 3 above, the average VI is quite high (0.38); therefore, if a breach occurs at any one of the sites to which a respondent subscribes, on average, 38% of the remaining sites could experience potential breaches. Fig. 3 links the reuse ratios and the VI values for the respondents. It clearly shows that substantial variations exist in the VI values of respondents with similar reuse ratios. For example, respondents A and B have similar reuse ratios of about 10, but their VI values (0.17 and 0.75, respectively) are completely different. Furthermore, many respondents with a lower reuse ratio than respondent A have higher VI values. These results show how misleading the reuse ratio can be in diagnosing security vulnerability due to its inability to incorporate the skewness of the usage of login credentials. Fig. 4 shows the distribution of the VI values depending on the number of unique (ID, PW) pairs: we observe a large variation of the VI values for a given $m$.
For example, the respondent corresponding to point A has a low VI of 0.15 with $m = 10$. On the other hand, the two respondents corresponding to the points within the circle B have very high VI values of 0.75 and 0.69, respectively, with $m$ values (10 and 11, respectively) that are similar to that of respondent A. This means that even with the same number of unique (ID, PW) pairs used, the vulnerability of users' login credentials tends to vary considerably, depending on how users allocate the pairs to the sites to which they subscribe. Fig. 4 also shows that a smaller number of unique (ID, PW) pairs does not necessarily lead to a higher level of vulnerability. Let us consider point A again. While 27 respondents use a higher number of unique (ID, PW) pairs than respondent A, 22 of them have higher VI values than respondent A. In addition, let us compare respondents A and C. While respondent C uses a considerably higher number of unique (ID, PW) pairs ($m = 23$) than respondent A ($m = 10$), there is no significant difference between the vulnerability of their respective credentials.

These observations imply that the security of Internet users' login credentials can be significantly improved without creating new IDs, PWs, or (ID, PW) combinations, which may be a challenge because of users' cognitive limitations. To verify this, we calculate the gap between VI and $\mathrm{VI}_{\min}$ for each respondent. Fig. 5 shows the distribution of the gaps over the number of unique (ID, PW) pairs. We find that the gaps are substantial, with an average of By comparing with the average VI of 0.38 (Fig. 4), we can see that the respondents' VI values can be reduced by 76% (average) by uniformalizing the usage of (ID, PW) combinations. Note that the reuse ratio remains the same under uniformalization, again showing its limitation.

The measure of VI implicitly assumes that the potential loss caused by a security breach is uniform across all sites.[7] However, different sites can have different values for a user and therefore the potential losses can also vary.
For example, sites that involve financial transactions, such as banking sites, or sensitive private information, such as SSNs and health care records, are usually more important than other sites. This variation can be incorporated easily by plugging the losses into the VI formula as follows:

$$\text{Revised VI} = \sum_{i=1}^{m} \sum_{j=1}^{n_i} \left(\frac{1}{N}\right) \left(\frac{\sum_{l=1}^{n_i} w_{il} - w_{ij}}{\sum_{k=1}^{m} \sum_{l=1}^{n_k} w_{kl} - w_{ij}}\right), \qquad (2)$$

where $w_{ij}$ denotes the loss from a security breach at the $j$th site in component $i$. Note that with $w_{ij} = 1$ for all $i$ and $j$, Eq. (2) is reduced to Eq. (1).

To sum up, relying on a network perspective for login credentials vulnerability, the proposed measure of VI incorporates the structure of the (ID, PW) usage network by linking the vulnerability with the distribution of (ID, PW) combinations over multiple accounts. The application of the measure to the sample data shows that the reuse ratio can be significantly misleading about the vulnerability current Internet users face and that users can substantially reduce vulnerability by balancing their login credentials usage.

6. Discussion and conclusion

6.1. Why so vulnerable?

The reason why Internet users' behavioral patterns of ID and PW usage make their login credentials vulnerable can be explained using cybernetic theory and cognitive psychology theory. According to cybernetic theory, a discrepancy-enlarging feedback loop is involved in acts of avoidance, as in reducing security vulnerability (Carver & Scheier, 2002; Liang & Xue, 2009). This loop is triggered by identifying one's present state (e.g., present vulnerability) and comparing it with an undesired end state (e.g., being the victim of security breach). If both states are too close, a behavior is activated to make changes to enlarge the gap between them. These processes together form a discrepancy-enlarging feedback loop. Anecdotal evidence from this study suggests that this feedback loop is unlikely to be effective in the case of most Internet users. More specifically, during the course of data gathering, we found that almost no respondents had any idea about the current state of vulnerability of their login credentials.
When the data gathering was finished, many of the respondents were surprised at their behavioral patterns, especially the small numbers of PWs they were using (identification of the present state and determination of the closeness between the present state and the undesired state). Some of them said that they should use more PWs to reduce the security risks (intention to make changes). Therefore, users need to know their current state of vulnerability to trigger feedback loops for reducing vulnerability. For doing so, the VI can be an effective diagnostic measure. As a practical method, we recommend the Internet user apply and calculate the VI values for a subset of the sites he or she is subscribing to (e.g., frequently used sites) instead of all of them.

[7] The measure of the reuse ratio is also based on the same implicit assumption.

Fig. 4. VI values depending on the number of unique (ID, PW) pairs. (Axes: number of unique (ID, PW) pairs ($m$); VI. Labelled points: A, B, C. Average = 0.38.)

Fig. 5. Potential reduction in vulnerability. (Axes: number of unique (ID, PW) pairs ($m$); $\mathrm{VI} - \mathrm{VI}_{\min}$.)

Cognitive psychology theory implies that while people may be able to remember a few unique (ID, PW) combinations without difficulty, as the number of combinations increases, they have great trouble remembering them. As a result, a security-convenience tradeoff exists. The supplementary data set supports the security-convenience tradeoff. Many websites request that their users periodically change their PWs. We surveyed the respondents' reactions to the request and found that 80% of users kept their current PWs when possible. In addition, 16% of the respondents said that they changed their current PW to one of the PWs they were using on another site. Only 4% of the respondents answered that they created a completely new PW.[8]

[8] Given the PW change request, some users may change their current PWs and keep an electronic list of their (site, ID, PW) combinations, which has its own significant security risks. We thank a reviewer for this insight.

To enhance memory of Internet users, some mnemonic techniques can be applied to the traditional ID-PW based user-authentication mechanism in websites. Nelson and Vu (2010) showed that image-based mnemonic techniques can help users memorize and recall their PWs effectively, compared to cases in which proactive password checking restrictions or text-based mnemonic techniques are applied.

6.2. Implication

From a practical viewpoint, the results of this study suggest several recommendations to firms and policy makers addressing the issue of login credentials vulnerability.

First, firms need to have a network perspective on the security of users' login credentials and be acquainted with their linkages with other firms in terms of security vulnerability. With this perspective, they are advised to collaborate with other firms. Given the network nature of login credentials and the accompanying vulnerability, as in the case of Naver.com mentioned previously, firms should understand that the efforts to improve the security of their own sites or systems are not satisfactory. Instead, in extreme cases, firms can improve their security more effectively by supporting the security improvement efforts of other firms with fewer resources rather than by focusing on their own security improvements. Major firms would want to lead the organization and funding of these collaborative efforts. The largest telecommunications service company in South Korea is a good example. As an industry-wide collaborative effort, it provides security solutions to small and mid-sized Internet businesses (Kwon, 2010).

Second, firms would want to develop and implement new authentication systems other than IDs and PWs. Considering the inherent behavioral limitations of users, IDs and PWs are inherently vulnerable. In the long-term, new authentication systems that are less subject to the behavioral limitations of human beings should be implemented. This recommendation is equally applicable to government agencies. To complement the vulnerability of login credentials, public key certificate-based authentication mechanism has been widely adopted among online firms, especially for online banking and commerce sites. The adoption should be expanded to sites in other areas. Other possible mechanisms to adopt include image authentication (Chang & Lin, 2008; Renaud, 2009), two or multi-factor authentication with biometrics information (Apampa, Zhang, Wills, & Argles, 2008; Bhargav-Spantzel et al., 2007) and one-time password authentication based on time and user's location (Wen-Bin & Jenq-Shiou, 2011).

Third, policy makers must enforce the implementation of security measures for login credentials across the board. Many countries have been forcing firms to implement security measures in a selective manner; that is, some firms are subject to enforcement while others not. The South Korean government, for example, requires about 1000 major websites (portals with more than 50,000 visitors a day and websites with more than 10,000 visitors a day) to meet specific guidelines so that identity theft can be prevented. The Identity Theft Red Flags Rule in the US, issued in 2007, requires creditors and financial institutions to implement identity theft prevention programs. These guidelines require creditors and financial institutions with covered accounts to develop and employ written identity theft prevention programs (Finklea, 2010). However, network perspective analysis suggests that these policies may not be effective, even for the relevant institutions, if they are linked to other vulnerable sites or to institutions that are exempted from the mandatory implementation. Thus, we must focus on increasing the security level of medium and small organizations, which are often more vulnerable to identity theft.

Finally, the public awareness of security needs to be improved, as a general approach to facilitate vulnerability-reducing feedback loops.
Specifically, awareness about not only overall identity security but also the management of login credentials based on the network perspective is required.

6.3. Conclusion

This study aimed to advance our knowledge of login credentials vulnerability on the Internet and to improve information security management practices for login credentials. On the basis of unique data from Internet users and a novel perspective on login credentials usage, this study made the following contributions.

First, while most existing studies have provided usage statistics of login credentials from recall-based survey data, this study is based on the actual data set on the usage. Our analysis contributes to the information security literature by showing that recall may not be credible and thus a recall-based study tends to generate a biased picture of login credentials usage, usually underestimating the vulnerability. Specifically, we find that the same login credentials are used for more accounts and reused more often than previously suggested in the literature.

Second, this study contributes to the security research by showing the limitations of current vulnerability measures of login credentials and by proposing a new vulnerability measure from a network perspective. Based on this perspective, we find that Internet users' login credentials usage patterns are significantly skewed. The most frequently used combination of ID and PW for each user is used for as many as 54% of all the sites to which the user subscribes. Meanwhile, the current vulnerability measures of login credentials either fail to consider the reuse of login credentials over multiple accounts (e.g., PW strength) or do not reflect the skewness of usage patterns (e.g., PW reuse ratio). By relying on a network perspective for login credentials vulnerability, we suggest a new vulnerability measure of individual users that captures the structural characteristics of the ID-PW usage network. The suggested measure VI can be used to enhance our understanding on login credential vulnerability by considering a behavioral pattern of the usage of login credentials, which is generally highly skewed.
Finally, this study contributes to the information security management practices by providing several implications for managers and policy makers striving to reduce security vulnerability.

There are three areas that warrant further research. First, the results of our study suggest that behavioral research on security needs to be more rigorous to ensure that accurate data are considered. Since the speculation-based data obtained from users may be unreliable, more objective data on users' behavior are an essential prerequisite for verifying the validity of research. Therefore, more research to investigate easy methods for obtaining reliable data on users' behaviors is needed. Second, while the suggested measure of the VI incorporates the structure of the login credentials usage network, it does not consider the characteristics of individual login credentials. Taking into account the strength and complexity of user PWs to upgrade the measure would be an important venue for further research. Third, determinants of Internet users' ID-PW usages patterns need to be studied further. During the investigation of Internet users' ID-PW usages, we found that the variation of VI values is large among respondents. Which factors influence the VI of an Internet user? Why do some people manage their login credentials better than others? These are other venues for further research.

Acknowledgment

This research was financially supported by Hansung University.

References

Adams, A., & Sasse, M. A. (1999). Users are not the enemy. Communications of the ACM, 42(12).
Alhazmi, O. H., Malaiya, Y. K., & Ray, I. (2007). Measuring, analyzing and predicting security vulnerabilities in software systems. Computers & Security, 26(3).
Anderson, C. L., & Agarwal, R. (2010). Practicing safe computing: A multimethod empirical examination of home computer user security behavioral intentions. MIS Quarterly, 34(3), 613.
Apampa, K. M., Zhang, T., Wills, G. B., & Argles, D. (2008). Ensuring privacy of biometric factors in multi-factor authentication systems. In International conference on security and cryptography in ICETE 08, Porto, Portugal.
Bhargav-Spantzel, A., Squicciarini, A. C., Modi, S., Young, M., Bertino, E., & Elliott, S. J. (2007). Privacy preserving multi-factor authentication with biometrics. Journal of Computer Security, 15(5).
Blumenberg, S., Wagner, H.-T., & Beimborn, D. (2009). Knowledge transfer processes in IT outsourcing relationships and their impact on shared knowledge and outsourcing performance. International Journal of Information Management, 29(5).
Brown, A. S., Bracken, E., Zoccoli, S., & Douglas, K. (2004). Generating and remembering passwords. Applied Cognitive Psychology, 18(6).
Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness. MIS Quarterly, 34(3).
Bunnell, J., Podd, J., Henderson, R., Napier, R., & Kennedy-Moffat, J. (1997). Cognitive, associative and conventional passwords: Recall and guessing rates. Computers & Security, 16(7).
Burr, W. E., Dodson, D. F., & Polk, W. T. (2006). Information security: Electronic authentication guideline. NIST special report.
Carver, C. S., & Scheier, M. F. (2002). Control processes and self-organization as complementary principles underlying behavior. Personality and Social Psychology Review, 6(4).
Chang, C. C., & Lin, P. Y. (2008). A color image authentication method using partitioned palette and morphological operations. IEICE Transactions on Information and Systems, 91(1).
Chang, R. M., Oh, W., Pinsonneault, A., & Kwon, D. (2010). A network perspective of digital competition in online advertising industries: A simulation-based approach. Information Systems Research, 21(3).
D'Arcy, J., Hovav, A., & Galletta, D. (2009). User awareness of security countermeasures and its impact on information systems misuse: A deterrence approach. Information Systems Research, 20(1).
Doherty, N. F., Anastasakis, L., & Fulford, H. (2011). Reinforcing the security of corporate information resources: A critical review of the role of the acceptable use policy. International Journal of Information Management, 31(3).
Euler, L. (1741). Solutio problematis ad geometriam situs pertinentis. Commentarii academiae scientiarum Petropolitanae, 8.
Faloutsos, M., Faloutsos, P., & Faloutsos, C. (1999). On power-law relationships of the Internet topology. SIGCOMM Computer Communication Review, 29(4).
Farahmand, F., Navathe, S. B., Sharp, G. P., & Enslow, P. H. (2005). A management perspective on risk of security threats to information systems. Information Technology and Management, 6(2).
Finklea, K. M. (2010). Identity theft: Trends and issues. DIANE Publishing Company.
Florencio, D., & Herley, C. (2007). A large-scale study of web password habits. In Proceedings of the 16th international World Wide Web conference. Banff, Alberta, Canada: ACM Press.
Gaw, S., & Felten, E. W. (2006). Password management strategies for online accounts. In Symposium on usable privacy and security. Pittsburgh, PA.
Goldenberg, J., Libai, B., Muller, E., & Stremersch, S. (2010). Database submission: The evolving social network of marketing scholars. Marketing Science, 29(3).
Hansen, M. T. (2002). Knowledge networks: Explaining effective knowledge sharing in multiunit companies. Organization Science, 13(3).
Horcher, A. M., & Tejay, G. P. (2009). Building a better password: The role of cognitive load in information security training. In IEEE international conference on intelligence and security informatics.
Ives, B., Walsh, K. R., & Schneider, H. (2004). The domino effect of password reuse. Communications of the ACM, 47(12).
Janhonen, M., & Johanson, J.-E. (2011). Role of knowledge conversion and social networks in team performance. International Journal of Information Management, 31(3).
Javelin Strategy & Research. (2010). Javelin study finds identity fraud reached new high in 2009, but consumers are fighting back. javelnstrategy.co/news/831/92/javeln-study-fnds-identty-fraud- Reached-New-Hgh-n-2009-but-Consuers-are-Fghtng-Back/d, press- RooDetal
Jeong, H., Tombor, B., Albert, R., Oltvai, Z. N., & Barabasi, A. L. (2000). The large-scale organization of metabolic networks. Nature, 407(6804).
Johnston, A. C., & Warkentin, M. (2010). Fear appeals and information security behaviors: An empirical study. MIS Quarterly, 34(3).
Kane, G. C., & Alavi, M. (2008). Casting the net: A multimodal network perspective on user-system interactions. Information Systems Research, 19(3).
Kankanhalli, A., Teo, H.-H., Tan, B. C. Y., & Wei, K.-K. (2003). An integrative study of information systems security effectiveness. International Journal of Information Management, 23(2).
Kaspersky Lab. (2007). Online accounts vulnerable to identity theft, says Kaspersky Lab. Accounts Vulnerable to Identty Theft says Kaspersky Lab
Korea Communications Commission and Korea Internet & Security Agency. (2009) survey on the Internet usage: Executive summary. pageindex=2
Korea Communications Commission and Korea Internet & Security Agency. (2010) survey on the Internet usage: Executive summary. pageindex=1
Kwon, C. (2010). KT providing free security solution. Computer Times.
LaRose, R., Rifon, N. J., & Enbody, R. (2008). Promoting personal responsibility for internet safety. Communications of the ACM, 51(3).
Liang, H. G., & Xue, Y. J. (2009). Avoidance of information technology threats: A theoretical perspective. MIS Quarterly, 33(1).
McMillan, R. (2011). Sony cuts off Sony online entertainment service after hack. Computer World, /Sony cuts off Sony Onlne Entertanent servce after hack
Miller, G. A. (1994). The magical number 7, plus or minus 2: Some limits on our capacity for processing information (reprinted from Psychological Review, vol. 63, pg. 81, 1956). Psychological Review, 101(2).
Miniwatts Marketing Group. (2011). Internet world stats: Usage and population statistics.
National Internet Development Agency of Korea. (2009). Internet usage comparison between Korea and the U.S. jsp?pageid=040100&bbsid=7&teid=768&pageindex=2
Nelson, D., & Vu, K. P. L. (2010). Effectiveness of image-based mnemonic techniques for enhancing the memorability and security of user-generated passwords. Computers in Human Behavior, 26(4).
Nooy, W. D., Mrvar, A., & Batagelj, V. (2005). Exploratory social network analysis with Pajek. New York: Cambridge University Press.
Patel, S. C., Graham, J. H., & Ralston, P. A. S. (2008). Quantitatively assessing the vulnerability of critical information systems: A new method for evaluating security enhancements. International Journal of Information Management, 28(6).
Pernul, G. (1995). Information systems security: Scope, state-of-the-art, and evaluation of techniques. International Journal of Information Management, 15(3).
Rapoport, A., & Horvath, W. J. (1961). A study of a large sociogram. Behavioral Science, 6(4).
Redner, S. (1998). How popular is your paper? An empirical study of the citation distribution. The European Physical Journal B: Condensed Matter and Complex Systems, 4(2).
Renaud, K. V. (2009). Guidelines for designing graphical authentication mechanism interfaces. International Journal of Information and Computer Security, 3(1).
RSA. (2004). RSA security study shows identity theft awareness high, but consumer confidence low. release.aspx?d=3377
Schneier, B. (2000). Secrets & lies: Digital security in a networked world. New York: Wiley Computer Publishing.
Siponen, M., & Vance, A. (2010). Neutralization: New insights into the problem of employee information systems security policy violations. MIS Quarterly, 34(3), 487.
Straub, D. W. (1990). Effective IS security: An empirical study. Information Systems Research, 1(3).
Straub, D. W., & Welke, R. J. (1998). Coping with systems risk: Security planning models for management decision making. MIS Quarterly, 22(4).
Syson, F., & Perks, H. (2004). New service development: A network perspective. Journal of Services Marketing, 18(4-5).
The Nielsen Company. (2010a). Top online sites and brands in the U.S. oble/june-2010-top-onlnestes-and-brands-n-the-u-s
The Nielsen Company. (2010b). Top U.S. web brands and site usage. oble/top-u-s-web-brandsand-ste-usage-deceber-2009
Vu, K.-P. L., Proctor, R. W., Bhargav-Spantzel, A., Tai, B.-L., Cook, J., & Eugene Schultz, E. (2007). Improving password security and memorability to protect personal and organizational information. International Journal of Human-Computer Studies, 65(8).
Wagner, A., & Fell, D. A. (2001). The small world inside large metabolic networks. Proceedings of the Royal Society of London. Series B: Biological Sciences, 268(1478).
Wang, N. C., Wang, C., & Wulf, W. A. (1997). Towards a framework for security measurement. In 20th national information systems security conference, Baltimore, MD.
Weber, J. E., Guster, D., & Safonov, P. (2008). A developmental perspective on weak passwords and password security. Journal of Information Technology Management, 19(3), 1-8.
Wen-Bin, H., & Jenq-Shiou, L. (2011). Design of a time and location based One-Time Password authentication scheme. In Wireless communications and mobile computing conference (IWCMC). Istanbul, Turkey.
Workman, M., Bommer, W. H., & Straub, D. (2008). Security lapses and the omission of information security measures: A threat control model and empirical test. Computers in Human Behavior, 24(6).
Yan, J., Blackwell, A., Anderson, R., & Grant, A. (2004). Password memorability and security: Empirical results. IEEE Security & Privacy, 2(5).
Zhang, J., Luo, X., Akkaladevi, S., & Ziegelmayer, J. (2009). Improving multiple-password recall: An empirical study. European Journal of Information Systems, 18(2).

Youngsok Bang is a postdoctoral fellow at McGill University. He received his BS, MS, and Ph.D. degrees in Management Engineering from KAIST. His current research interests focus on information systems economics and online security and privacy. His work has appeared in MIS Quarterly.

Dong-Joo Lee is an assistant professor at the Division of Management, Hansung University, in Seoul, Korea. He holds a Ph.D. in Management Engineering from the Graduate School of Management, KAIST. His research interests include information security and privacy, personalization, and information systems economics. His work has appeared in several journals, including MIS Quarterly, European Journal of Operational Research, Long Range Planning, Technovation, and Knowledge Management Research and Practice.

Yoon-Soo Bae is a doctoral candidate at the Graduate School of Management, KAIST. He received both his BS and MS degrees in Management Engineering from KAIST. His current research interests focus on consumer searching behavior and neuromarketing.

Jae-Hyeon Ahn is a professor at KAIST Business School in Seoul, Korea. He received both his BS and MS degrees from Seoul National University, Seoul, Korea, in 1984 and 1986, respectively, and his Ph.D. degree in decision sciences from Stanford University in After graduation, he worked as a senior researcher at AT&T Bell Labs from 1993 to His current research interests are focused on, among other things, investment strategies for information system security, neuro-marketing approaches for Internet business, and behavioral decision making. He has published papers in MIS Quarterly, Management Science, Decision Support Systems, and Journal of Information Technology, among others.
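The vulnerability index of Section 5 worked through in code, as an added example that is not part of the original article: Eq. (1), the closed-form bounds, the variance form of footnote 5, the integer case of footnote 6, and the loss-weighted Eq. (2). The function names and the constructed 12-site lists are assumptions made for illustration, and the reuse ratio is taken here to be N/m.

```python
"""Vulnerability index (VI) of an (ID, PW) usage network: Eqs. (1) and (2)."""
from collections import Counter
from fractions import Fraction


def site_counts(site_to_pair):
    """Return n_i, the number of sites per (ID, PW) pair label, largest first."""
    return sorted(Counter(site_to_pair.values()).values(), reverse=True)


def vulnerability_index(counts):
    """Eq. (1): expected share of the remaining sites exposed by one breach."""
    n_sites = sum(counts)
    if n_sites < 2:
        return Fraction(0)  # no remaining site can be exposed
    pairs = n_sites * (n_sites - 1)
    return sum((Fraction(n * (n - 1), pairs) for n in counts), Fraction(0))


def vi_from_variance(counts):
    """Footnote 5 form: m*Var[n_i]/(N(N-1)) + (N-m)/(m(N-1))."""
    n_sites, m = sum(counts), len(counts)
    if n_sites < 2:
        raise ValueError("need at least two sites")
    mean = Fraction(n_sites, m)
    var = sum((n - mean) ** 2 for n in counts) / m  # population variance
    return m * var / (n_sites * (n_sites - 1)) + Fraction(n_sites - m, m * (n_sites - 1))


def vi_bounds(n_sites, m):
    """Closed-form VI_min (equal n_i) and VI_max (one pair on N-(m-1) sites)."""
    if n_sites < 2 or not 1 <= m <= n_sites:
        raise ValueError("need N >= 2 and 1 <= m <= N")
    vi_min = Fraction(n_sites - m, m * (n_sites - 1))
    vi_max = Fraction((n_sites - m + 1) * (n_sites - m), n_sites * (n_sites - 1))
    return vi_min, vi_max


def balanced_counts(n_sites, m):
    """Most even integer split of N sites over m pairs (the footnote 6 case)."""
    base, extra = divmod(n_sites, m)
    return [base + 1] * extra + [base] * (m - extra)


def revised_vi(losses):
    """Eq. (2): losses[i][j] is w_ij, the loss from a breach at site j of pair i."""
    n_sites = sum(len(group) for group in losses)
    if n_sites == 0:
        return Fraction(0)
    total = sum((Fraction(w) for group in losses for w in group), Fraction(0))
    result = Fraction(0)
    for group in losses:
        group_total = sum((Fraction(w) for w in group), Fraction(0))
        for w in group:
            w = Fraction(w)
            if total != w:  # a lone site has nothing else to expose
                result += (group_total - w) / (total - w)
    return result / n_sites


def summarize(site_to_pair):
    """VI, its bounds for the same N and m, and the reuse ratio of one user."""
    counts = site_counts(site_to_pair)
    if not counts:
        raise ValueError("no sites given")
    n_sites, m = sum(counts), len(counts)
    vi_min, vi_max = vi_bounds(n_sites, m)
    return {
        "N": n_sites,
        "m": m,
        "reuse_ratio": Fraction(n_sites, m),  # assumption: sites per unique pair
        "vi": vulnerability_index(counts),
        "vi_min": vi_min,
        "vi_max": vi_max,
        "vi_balanced": vulnerability_index(balanced_counts(n_sites, m)),
    }


# Constructed sample: 12 sites mapped to opaque pair labels (never the secrets).
SKEWED = {f"site{k:02d}": "pair-A" for k in range(1, 10)}
SKEWED.update({"site10": "pair-B", "site11": "pair-C", "site12": "pair-D"})
BALANCED = {f"site{k:02d}": f"pair-{'ABCD'[k % 4]}" for k in range(1, 13)}

if __name__ == "__main__":
    for name, sample in (("skewed", SKEWED), ("balanced", BALANCED)):
        report = summarize(sample)
        print(name, {k: float(v) for k, v in report.items()})
```

Both constructed users have the same N, m and reuse ratio, so only the VI separates the skewed allocation from the balanced one.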
Stochastic Models of Load Balancing and Scheduling in Cloud Computing Clusters
Stochastc Models of Load Balancng and Schedulng n Cloud Coputng Clusters Sva Theja Magulur and R. Srkant Departent of ECE and CSL Unversty of Illnos at Urbana-Chapagn [email protected]; [email protected]
Stochastic Models of Load Balancing and Scheduling in Cloud Computing Clusters
Stochastc Models of Load Balancng and Schedulng n Cloud Coputng Clusters Sva Theja Magulur and R. Srkant Departent of ECE and CSL Unversty of Illnos at Urbana-Chapagn [email protected]; [email protected]
Overview of monitoring and evaluation
540 Toolkt to Combat Traffckng n Persons Tool 10.1 Overvew of montorng and evaluaton Overvew Ths tool brefly descrbes both montorng and evaluaton, and the dstncton between the two. What s montorng? Montorng
LIFETIME INCOME OPTIONS
LIFETIME INCOME OPTIONS May 2011 by: Marca S. Wagner, Esq. The Wagner Law Group A Professonal Corporaton 99 Summer Street, 13 th Floor Boston, MA 02110 Tel: (617) 357-5200 Fax: (617) 357-5250 www.ersa-lawyers.com
Calculating the high frequency transmission line parameters of power cables
< ' Calculatng the hgh frequency transmsson lne parameters of power cables Authors: Dr. John Dcknson, Laboratory Servces Manager, N 0 RW E B Communcatons Mr. Peter J. Ncholson, Project Assgnment Manager,
Stochastic Models of Load Balancing and Scheduling in Cloud Computing Clusters
01 Proceedngs IEEE INFOCOM Stochastc Models of Load Balancng and Schedulng n Cloud Coputng Clusters Sva heja Magulur and R. Srkant Departent of ECE and CSL Unversty of Illnos at Urbana-Chapagn [email protected];
CONSTRUCTION OF A COLLABORATIVE VALUE CHAIN IN CLOUD COMPUTING ENVIRONMENT
CONSTRUCTION OF A COLLAORATIVE VALUE CHAIN IN CLOUD COMPUTING ENVIRONMENT Png Wang, School of Econoy and Manageent, Jangsu Unversty of Scence and Technology, Zhenjang Jangsu Chna, [email protected] Zhyng
An Interest-Oriented Network Evolution Mechanism for Online Communities
An Interest-Orented Network Evoluton Mechansm for Onlne Communtes Cahong Sun and Xaopng Yang School of Informaton, Renmn Unversty of Chna, Bejng 100872, P.R. Chna {chsun,yang}@ruc.edu.cn Abstract. Onlne
Trivial lump sum R5.0
Optons form Once you have flled n ths form, please return t wth your orgnal brth certfcate to: Premer PO Box 2067 Croydon CR90 9ND. Fll n ths form usng BLOCK CAPITALS and black nk. Mark all answers wth
Module 2 LOSSLESS IMAGE COMPRESSION SYSTEMS. Version 2 ECE IIT, Kharagpur
Module LOSSLESS IMAGE COMPRESSION SYSTEMS Lesson 3 Lossless Compresson: Huffman Codng Instructonal Objectves At the end of ths lesson, the students should be able to:. Defne and measure source entropy..
Two-Phase Traceback of DDoS Attacks with Overlay Network
4th Internatonal Conference on Sensors, Measureent and Intellgent Materals (ICSMIM 205) Two-Phase Traceback of DDoS Attacks wth Overlay Network Zahong Zhou, a, Jang Wang2, b and X Chen3, c -2 School of
1. Measuring association using correlation and regression
How to measure assocaton I: Correlaton. 1. Measurng assocaton usng correlaton and regresson We often would lke to know how one varable, such as a mother's weght, s related to another varable, such as a
Intra-year Cash Flow Patterns: A Simple Solution for an Unnecessary Appraisal Error
Intra-year Cash Flow Patterns: A Smple Soluton for an Unnecessary Apprasal Error By C. Donald Wggns (Professor of Accountng and Fnance, the Unversty of North Florda), B. Perry Woodsde (Assocate Professor
A Novel Methodology of Working Capital Management for Large. Public Constructions by Using Fuzzy S-curve Regression
Novel Methodology of Workng Captal Management for Large Publc Constructons by Usng Fuzzy S-curve Regresson Cheng-Wu Chen, Morrs H. L. Wang and Tng-Ya Hseh Department of Cvl Engneerng, Natonal Central Unversty,
Answer: A). There is a flatter IS curve in the high MPC economy. Original LM LM after increase in M. IS curve for low MPC economy
4.02 Quz Solutons Fall 2004 Multple-Choce Questons (30/00 ponts) Please, crcle the correct answer for each of the followng 0 multple-choce questons. For each queston, only one of the answers s correct.
Student Performance in Online Quizzes as a Function of Time in Undergraduate Financial Management Courses
Student Performance n Onlne Quzzes as a Functon of Tme n Undergraduate Fnancal Management Courses Olver Schnusenberg The Unversty of North Florda ABSTRACT An nterestng research queston n lght of recent
DEFINING %COMPLETE IN MICROSOFT PROJECT
CelersSystems DEFINING %COMPLETE IN MICROSOFT PROJECT PREPARED BY James E Aksel, PMP, PMI-SP, MVP For Addtonal Informaton about Earned Value Management Systems and reportng, please contact: CelersSystems,
Scan Detection in High-Speed Networks Based on Optimal Dynamic Bit Sharing
Scan Detecton n Hgh-Speed Networks Based on Optal Dynac Bt Sharng Tao L Shgang Chen Wen Luo Mng Zhang Departent of Coputer & Inforaton Scence & Engneerng, Unversty of Florda Abstract Scan detecton s one
The OC Curve of Attribute Acceptance Plans
The OC Curve of Attrbute Acceptance Plans The Operatng Characterstc (OC) curve descrbes the probablty of acceptng a lot as a functon of the lot s qualty. Fgure 1 shows a typcal OC Curve. 10 8 6 4 1 3 4
THE DISTRIBUTION OF LOAN PORTFOLIO VALUE * Oldrich Alfons Vasicek
HE DISRIBUION OF LOAN PORFOLIO VALUE * Oldrch Alfons Vascek he amount of captal necessary to support a portfolo of debt securtes depends on the probablty dstrbuton of the portfolo loss. Consder a portfolo
IT09 - Identity Management Policy
IT09 - Identty Management Polcy Introducton 1 The Unersty needs to manage dentty accounts for all users of the Unersty s electronc systems and ensure that users hae an approprate leel of access to these
Tuition Fee Loan application notes
Tuton Fee Loan applcaton notes for new part-tme EU students 2012/13 About these notes These notes should be read along wth your Tuton Fee Loan applcaton form. The notes are splt nto three parts: Part 1
Gender differences in revealed risk taking: evidence from mutual fund investors
Economcs Letters 76 (2002) 151 158 www.elsever.com/ locate/ econbase Gender dfferences n revealed rsk takng: evdence from mutual fund nvestors a b c, * Peggy D. Dwyer, James H. Glkeson, John A. Lst a Unversty
Recurrence. 1 Definitions and main statements
Recurrence 1 Defntons and man statements Let X n, n = 0, 1, 2,... be a MC wth the state space S = (1, 2,...), transton probabltes p j = P {X n+1 = j X n = }, and the transton matrx P = (p j ),j S def.
Stress test for measuring insurance risks in non-life insurance
PROMEMORIA Datum June 01 Fnansnspektonen Författare Bengt von Bahr, Younes Elonq and Erk Elvers Stress test for measurng nsurance rsks n non-lfe nsurance Summary Ths memo descrbes stress testng of nsurance
Luby s Alg. for Maximal Independent Sets using Pairwise Independence
Lecture Notes for Randomzed Algorthms Luby s Alg. for Maxmal Independent Sets usng Parwse Independence Last Updated by Erc Vgoda on February, 006 8. Maxmal Independent Sets For a graph G = (V, E), an ndependent
Performance Analysis of Energy Consumption of Smartphone Running Mobile Hotspot Application
Internatonal Journal of mart Grd and lean Energy Performance Analyss of Energy onsumpton of martphone Runnng Moble Hotspot Applcaton Yun on hung a chool of Electronc Engneerng, oongsl Unversty, 511 angdo-dong,
Criminal Justice System on Crime *
On the Impact of the NSW Crmnal Justce System on Crme * Dr Vasls Sarafds, Dscplne of Operatons Management and Econometrcs Unversty of Sydney * Ths presentaton s based on jont work wth Rchard Kelaher 1
On the Optimal Control of a Cascade of Hydro-Electric Power Stations
On the Optmal Control of a Cascade of Hydro-Electrc Power Statons M.C.M. Guedes a, A.F. Rbero a, G.V. Smrnov b and S. Vlela c a Department of Mathematcs, School of Scences, Unversty of Porto, Portugal;
Reporting Forms ARF 113.0A, ARF 113.0B, ARF 113.0C and ARF 113.0D FIRB Corporate (including SME Corporate), Sovereign and Bank Instruction Guide
Reportng Forms ARF 113.0A, ARF 113.0B, ARF 113.0C and ARF 113.0D FIRB Corporate (ncludng SME Corporate), Soveregn and Bank Instructon Gude Ths nstructon gude s desgned to assst n the completon of the FIRB
An Analytical Model of Web Server Load Distribution by Applying a Minimum Entropy Strategy
Internatonal Journal of Coputer and Councaton Engneerng, Vol. 2, No. 4, July 203 An Analytcal odel of Web Server Load Dstrbuton by Applyng a nu Entropy Strategy Teeranan Nandhakwang, Settapong alsuwan,
Traffic-light a stress test for life insurance provisions
MEMORANDUM Date 006-09-7 Authors Bengt von Bahr, Göran Ronge Traffc-lght a stress test for lfe nsurance provsons Fnansnspetonen P.O. Box 6750 SE-113 85 Stocholm [Sveavägen 167] Tel +46 8 787 80 00 Fax
Do Today s Trades Affect Tomorrow s IPO Allocations?
Do Today s Trades Affect Toorrow s IPO Allocatons? M. Nalendran, Jay R. Rtter and Donghang Zhang February 3, 2006 JLE classfcaton: G24 Keywords: IPOs, brokerage cossons Nalendran s fro the Departent of
Assessment of the legal framework
46 Toolkt to Combat Traffckng n Persons Tool 2.4 Assessment of the legal framework Overvew Ths tool offers gudelnes and resources for assessng a natonal legal framework. See also Tool 3.2 on crmnalzaton
Study on Model of Risks Assessment of Standard Operation in Rural Power Network
Study on Model of Rsks Assessment of Standard Operaton n Rural Power Network Qngj L 1, Tao Yang 2 1 Qngj L, College of Informaton and Electrcal Engneerng, Shenyang Agrculture Unversty, Shenyang 110866,
AN APPOINTMENT ORDER OUTPATIENT SCHEDULING SYSTEM THAT IMPROVES OUTPATIENT EXPERIENCE
AN APPOINTMENT ORDER OUTPATIENT SCHEDULING SYSTEM THAT IMPROVES OUTPATIENT EXPERIENCE Yu-L Huang Industral Engneerng Department New Mexco State Unversty Las Cruces, New Mexco 88003, U.S.A. Abstract Patent
Secure Cloud Storage Service with An Efficient DOKS Protocol
Secure Cloud Storage Servce wth An Effcent DOKS Protocol ZhengTao Jang Councaton Unversty of Chna [email protected] Abstract Storage servces based on publc clouds provde custoers wth elastc storage and on-deand
INVESTIGATION OF VEHICULAR USERS FAIRNESS IN CDMA-HDR NETWORKS
21 22 September 2007, BULGARIA 119 Proceedngs of the Internatonal Conference on Informaton Technologes (InfoTech-2007) 21 st 22 nd September 2007, Bulgara vol. 2 INVESTIGATION OF VEHICULAR USERS FAIRNESS
Description of the Force Method Procedure. Indeterminate Analysis Force Method 1. Force Method con t. Force Method con t
Indeternate Analyss Force Method The force (flexblty) ethod expresses the relatonshps between dsplaceents and forces that exst n a structure. Prary objectve of the force ethod s to deterne the chosen set
Data Mining from the Information Systems: Performance Indicators at Masaryk University in Brno
Data Mnng from the Informaton Systems: Performance Indcators at Masaryk Unversty n Brno Mkuláš Bek EUA Workshop Strasbourg, 1-2 December 2006 1 Locaton of Brno Brno EUA Workshop Strasbourg, 1-2 December
Transformation of Commercial Flows into Physical Flows of Electricity
Transforaton of Coercal Flows nto Physcal Flows of Electrcty Marek ADAMEC, Mchaela INDRAKOVA, Pavel PAVLATKA Dept. of Econocs, Manageent and Huantes, Czech Techncal Unversty, Zkova 4, 166 27 Praha, Czech
How Sets of Coherent Probabilities May Serve as Models for Degrees of Incoherence
1 st Internatonal Symposum on Imprecse Probabltes and Ther Applcatons, Ghent, Belgum, 29 June 2 July 1999 How Sets of Coherent Probabltes May Serve as Models for Degrees of Incoherence Mar J. Schervsh
Financial Mathemetics
Fnancal Mathemetcs 15 Mathematcs Grade 12 Teacher Gude Fnancal Maths Seres Overvew In ths seres we am to show how Mathematcs can be used to support personal fnancal decsons. In ths seres we jon Tebogo,
An Empirical Study of Search Engine Advertising Effectiveness
An Emprcal Study of Search Engne Advertsng Effectveness Sanjog Msra, Smon School of Busness Unversty of Rochester Edeal Pnker, Smon School of Busness Unversty of Rochester Alan Rmm-Kaufman, Rmm-Kaufman
Capacity-building and training
92 Toolkt to Combat Traffckng n Persons Tool 2.14 Capacty-buldng and tranng Overvew Ths tool provdes references to tranng programmes and materals. For more tranng materals, refer also to Tool 9.18. Capacty-buldng
PRIVATE SCHOOL CHOICE: THE EFFECTS OF RELIGIOUS AFFILIATION AND PARTICIPATION
PRIVATE SCHOOL CHOICE: THE EFFECTS OF RELIIOUS AFFILIATION AND PARTICIPATION Danny Cohen-Zada Department of Economcs, Ben-uron Unversty, Beer-Sheva 84105, Israel Wllam Sander Department of Economcs, DePaul
Vasicek s Model of Distribution of Losses in a Large, Homogeneous Portfolio
Vascek s Model of Dstrbuton of Losses n a Large, Homogeneous Portfolo Stephen M Schaefer London Busness School Credt Rsk Electve Summer 2012 Vascek s Model Important method for calculatng dstrbuton of
An Evaluation of the Extended Logistic, Simple Logistic, and Gompertz Models for Forecasting Short Lifecycle Products and Services
An Evaluaton of the Extended Logstc, Smple Logstc, and Gompertz Models for Forecastng Short Lfecycle Products and Servces Charles V. Trappey a,1, Hsn-yng Wu b a Professor (Management Scence), Natonal Chao
The Current Employment Statistics (CES) survey,
Busness Brths and Deaths Impact of busness brths and deaths n the payroll survey The CES probablty-based sample redesgn accounts for most busness brth employment through the mputaton of busness deaths,
Proceedings of the Annual Meeting of the American Statistical Association, August 5-9, 2001
Proceedngs of the Annual Meetng of the Amercan Statstcal Assocaton, August 5-9, 2001 LIST-ASSISTED SAMPLING: THE EFFECT OF TELEPHONE SYSTEM CHANGES ON DESIGN 1 Clyde Tucker, Bureau of Labor Statstcs James
SUPPLIER FINANCING AND STOCK MANAGEMENT. A JOINT VIEW.
SUPPLIER FINANCING AND STOCK MANAGEMENT. A JOINT VIEW. Lucía Isabel García Cebrán Departamento de Economía y Dreccón de Empresas Unversdad de Zaragoza Gran Vía, 2 50.005 Zaragoza (Span) Phone: 976-76-10-00
8.5 UNITARY AND HERMITIAN MATRICES. The conjugate transpose of a complex matrix A, denoted by A*, is given by
6 CHAPTER 8 COMPLEX VECTOR SPACES 5. Fnd the kernel of the lnear transformaton gven n Exercse 5. In Exercses 55 and 56, fnd the mage of v, for the ndcated composton, where and are gven by the followng
SPECIALIZED DAY TRADING - A NEW VIEW ON AN OLD GAME
August 7 - August 12, 2006 n Baden-Baden, Germany SPECIALIZED DAY TRADING - A NEW VIEW ON AN OLD GAME Vladmr Šmovć 1, and Vladmr Šmovć 2, PhD 1 Faculty of Electrcal Engneerng and Computng, Unska 3, 10000
SIMPLE LINEAR CORRELATION
SIMPLE LINEAR CORRELATION Smple lnear correlaton s a measure of the degree to whch two varables vary together, or a measure of the ntensty of the assocaton between two varables. Correlaton often s abused.
What is Candidate Sampling
What s Canddate Samplng Say we have a multclass or mult label problem where each tranng example ( x, T ) conssts of a context x a small (mult)set of target classes T out of a large unverse L of possble
Institute of Informatics, Faculty of Business and Management, Brno University of Technology,Czech Republic
Lagrange Multplers as Quanttatve Indcators n Economcs Ivan Mezník Insttute of Informatcs, Faculty of Busness and Management, Brno Unversty of TechnologCzech Republc Abstract The quanttatve role of Lagrange
Hollinger Canadian Publishing Holdings Co. ( HCPH ) proceeding under the Companies Creditors Arrangement Act ( CCAA )
February 17, 2011 Andrew J. Hatnay [email protected] Dear Sr/Madam: Re: Re: Hollnger Canadan Publshng Holdngs Co. ( HCPH ) proceedng under the Companes Credtors Arrangement Act ( CCAA ) Update on CCAA Proceedngs
Fixed income risk attribution
5 Fxed ncome rsk attrbuton Chthra Krshnamurth RskMetrcs Group [email protected] We compare the rsk of the actve portfolo wth that of the benchmark and segment the dfference between the two
BERNSTEIN POLYNOMIALS
On-Lne Geometrc Modelng Notes BERNSTEIN POLYNOMIALS Kenneth I. Joy Vsualzaton and Graphcs Research Group Department of Computer Scence Unversty of Calforna, Davs Overvew Polynomals are ncredbly useful
Number of Levels Cumulative Annual operating Income per year construction costs costs ($) ($) ($) 1 600,000 35,000 100,000 2 2,200,000 60,000 350,000
Problem Set 5 Solutons 1 MIT s consderng buldng a new car park near Kendall Square. o unversty funds are avalable (overhead rates are under pressure and the new faclty would have to pay for tself from
Forecasting the Direction and Strength of Stock Market Movement
Forecastng the Drecton and Strength of Stock Market Movement Jngwe Chen Mng Chen Nan Ye [email protected] [email protected] [email protected] Abstract - Stock market s one of the most complcated systems
iavenue iavenue i i i iavenue iavenue iavenue
Saratoga Systems' enterprse-wde Avenue CRM system s a comprehensve web-enabled software soluton. Ths next generaton system enables you to effectvely manage and enhance your customer relatonshps n both
Vembu StoreGrid Windows Client Installation Guide
Ser v cepr ov dered t on Cl enti nst al l at ongu de W ndows Vembu StoreGrd Wndows Clent Installaton Gude Download the Wndows nstaller, VembuStoreGrd_4_2_0_SP_Clent_Only.exe To nstall StoreGrd clent on
