
maintain their security and privacy. As shown in Table 5.2, many of the participants use a variety of online services.

Table 5.2: Participants using online services (N=117)

| Online Service | Count | Percentage |
|---|---|---|
| Facebook | 106 | 90.60% |
| Gmail | 104 | 88.89% |
| LinkedIn | 77 | 8.55% |
| E-commerce Websites (Kalahari, Amazon etc.) | 76 | 64.96% |
| YouTube | 72 | 61.54% |
| Twitter | 70 | 59.83% |
| Google Plus | 58 | 49.57% |
| Online Auction/Classifieds websites | 55 | 47.01% |

The respondents are made up mostly of students (20.51%) and currently employed people (64.96%). The student respondents are mostly under the age of 25, while the employed respondents are predominantly between the ages of 26 and 46. The student group has grown up in an era defined by technology and computers. The older group, by contrast, grew up with much less exposure to computers and almost certainly very little or no internet experience.

Usernames and passwords are the primary access control mechanism deployed in academic institutions and businesses (Ives et al., 2004; Furnell et al., 2000). The respondents that use the computer facilities at these institutions and organisations will need to manage a number of usernames and passwords in order to continue having access to digital information and resources.

The respondents will also need to manage the usernames and passwords for their private internet services alongside their employment or student credentials. How they manage each of these sets of credentials is detailed in the sections that follow.

5.3 Online behaviour and perceived security posture

The participants of the survey were presented with a number of questions regarding their opinions about the need for credential enforcement policies and whether or not they believed their own user accounts and password management practices were secure enough. (See Appendix A, Questions 13, 31, 32, 55 and 60.)

5.3.1 Findings

The overwhelming majority of respondents were divided approximately in half in their level of concern towards their online user accounts and the extent to which they ensure that their credentials remain safe and secure. Of the respondents, 45.3% stated that they have genuine concerns about the security of their accounts and protect them to the best of their ability. The other half, comprising 44.44%, indicated an extreme consciousness of the security of their account credentials and try to give them the utmost protection.

Many organisations employ password policies that enforce the best practices of password management (Wood and Shield, 2008). These password policies include, among others, the regular changing of passwords, a minimum number of characters and the use of different types of characters. The respondents were questioned as to whether or not they felt it necessary for their organisations or institutions to institute these controls. The overwhelming majority (93.16%) agreed that it was necessary to implement these measures. The remaining 6.84% that did not think it was prudent to implement password policies responded with statements such as ‘remembering complicated passwords is difficult’, or ‘changing passwords on a regular basis is annoying’, or that ‘it would just be simpler to use the same password on all accounts’.

The questions about the strength and security of their personal accounts’ passwords again showed that the majority of respondents (86.32%) were confident that their personal passwords were strong and secure.

There are a number of other access control technologies that can be used in conjunction with usernames and passwords (Bhargav-Spantzel, Squicciarini, Modi, Young, Bertino, and Elliott, 2007; O’Gorman, 2003). These include, among others, security tokens, one-time passwords and biometrics. The respondents were asked whether or not usernames and passwords were sufficient protection for their user accounts. The results were divided very closely, with 52.14% indicating that usernames and passwords alone were not adequate protection for their user accounts.

Figure 5.1: Industries of respondents indicating passwords are not enough security. (Bar chart; axes: Industry against Percentage of Respondents. Industries shown: Information Technology, Other, Banking/Investment and Finance, Academic/Education, Engineering, Sales and Marketing, Legal, Government, Safety And Security, Manufacturing, Insurance, Health & Fitness.)

5.3.2 Analysis

The preponderance of respondents are aware of the necessity of securing and protecting their user account credentials. These opinions range from being consciously concerned to extremely concerned about the protection of their usernames and passwords. These concerns are expressed both in a personal capacity as well as in work and study environments.

The use of password policies in the organisations and/or institutions was acknowledged and supported by the majority of the respondents. The use of password policies has become common amongst most organisations and institutions. Many internet websites also employ password policies, and while they may not be as stringent as organisational policies, they still force the user to create seemingly more complex and hence more secure passwords for their accounts.

Opinions on the effectiveness of password authentication were split, with 52.14% indicating that passwords were not enough protection for their authentication processes. Usernames and passwords have been the primary access control technology for a number of years; however, the theft and cracking of passwords has become a relatively trivial task in recent years (Marechal, 2008). There are a number of other access control technologies that can be implemented to augment the strength and security of users’ credentials.

5.4. ORGANISATION PASSWORD MANAGEMENT AND POLICIES 62