Background
Anecdotal evidence suggests that workplace password sharing is an endemic problem. However, despite password sharing appearing to be a common risk, incidents arising from password sharing do not feature strongly in industry breach reports.
This project aims to resolve the apparent contradiction. A significant level of effort is invested in instructing people not to share passwords, and it is one of the most common topics of security awareness campaigns. The effectiveness of these communications is uncertain, since it is unknown how prevalent password sharing is, who is doing it, why, and how often it results in or contributes to a security incident.
Project Contributors
- Geordie Stewart – Principal Consultant, Risk Intelligence
- Thom Langford – Security Director at a leading international digital agency and technology consultancy
- Bernadette Palmer – Head of Communications, The Security Company (International) Limited (TSC)
- David Lacey – Author and Independent Director, DL Consulting
- Dr Lizzie Coles-Kemp – Senior Lecturer and researcher, Royal Holloway University Information Security Group (ISG)
- Joel Williams – Senior Consultant, Risk Intelligence
Objective
To improve the level of understanding about password sharing by surveying several thousand people in multiple countries. The project aims to publish a paper which improves the Information Security Community’s understanding of:
- How often passwords are being shared
- Who typically is sharing their passwords
- Who passwords are being shared with
- Why passwords are being shared and who is benefiting
- How often password sharing results in a security incident
Method
It is intended that a web survey tool such as SurveyMonkey will be used to gather results, which can then be analysed and shared with any organisations that helped contribute to the results.
Stages
- Qualitative Interviews – complete
- Construction of mental models – in progress
- Formulation of survey questions
- Distribution of survey
- Analysis
- Presentation of results
If you’re interested in running the survey to understand more about password sharing at your organisation, email [email protected] for more details.