A1 Journal article (refereed)
Can Individuals’ Neutralization Techniques Be Overcome? : A Field Experiment on Password Policy (2020)


Siponen, M., Puhakainen, P., & Vance, A. (2020). Can Individuals’ Neutralization Techniques Be Overcome? : A Field Experiment on Password Policy. Computers and Security, 88, Article 101617. https://doi.org/10.1016/j.cose.2019.101617


Publication details

All authors or editors: Siponen, Mikko; Puhakainen, Petri; Vance, Anthony

Journal or series: Computers and Security

ISSN: 0167-4048

eISSN: 1872-6208

Publication year: 2020

Volume: 88

Article number: 101617

Publisher: Elsevier Advanced Technology

Publication country: United Kingdom

Publication language: English

DOI: https://doi.org/10.1016/j.cose.2019.101617

Publication open access: Not open

Publication is parallel published (JYX): https://jyx.jyu.fi/handle/123456789/65920


Abstract

Individuals’ lack of adherence to password security policy is a persistent problem for organizations. This problem is especially worrisome because passwords remain the primary authentication mechanism for information systems, and the number of passwords has been increasing. For these reasons, determining methods to improve individuals’ adherence to password-security policies constitutes an important issue for organizations.

Extant research has shown that individuals use neutralization techniques, i.e., types of rationalizations, to disregard organizational information-security policies. What has not been determined from extant information security research is whether these neutralizations can be changed through educational training interventions. We argue that training based on principles of cognitive dissonance theory is a promising method for reducing individuals’ use of neutralization techniques. We contribute by showing empirically that training based on cognitive dissonance theory can reduce the use of neutralization techniques when such training is designed to counter such techniques.

Using a quasi-experimental design at an organization, individuals received training on neutralization techniques in the context of password security. Using a quasi-experimental design, we found that individuals who received our training treatment exhibited substantially less intent to use neutralization techniques and were significantly more likely to use secure passwords. Additionally, a follow-up measurement three weeks after the training session showed that the experimental treatment retained its effectiveness, i.e., the experimental group exhibited substantially less intent to use neutralization techniques and a greater likelihood of using strong passwords in the future. Additionally, intent was significantly greater in the experimental group. Implications for practice and future research are discussed.


Keywords: data security; data security policy; passwords; personnel training

Free keywords: information security policy; passwords; neutralization; information security


Ministry reporting: Yes

Reporting year: 2020

JUFO rating: 2


Last updated on 2024-03-04 at 21:15