Presentation
Usage of an AI-Based Password Tool: Impacts of Security Fatigue, Age, and Individual Differences
DescriptionThe potential for human-AI teams to enhance cybersecurity is widely recognized. AI tools can detect and characterize various threats including anomalies/intrusions, phishing attempts, and deepfakes. However, it is unclear whether users will trust these new AI-based tools and if they will use them appropriately and effectively in the long term. The current study aimed to investigate the factors that influenced the extent of usage and engagement with a specific AI tool, a probabilistic password strength meter.
Users notoriously tend to create weak passwords. Many users choose convenience over password strength in order to minimize effort and find an easy “satisficing” solution that is considered “good enough” for the problem at hand. The DeepPasswd tool (Pasquini, Ateniese & Bernaschi, 2020) aims to support the user by helping them modify a memorable password to increase its strength, e.g., “Iluvdogs” might become “Iluvd0g$”. Based on deep learning, it estimates the strength of each password character and provides feedback to the user as they tweak the weakest characters.
A major threat to user motivation is security fatigue. When users feel burdened by security messages, advice, and demands for compliance, they reach a cognitive saturation point and become desensitized against security recommendations. The challenge for use of AI-powered systems such as DeepPasswd is to motivate the user to accept the additional mental workload cost of using the web interface for password generation in return for the security benefits.
Users’ management of the effort-security tradeoff is likely to depend on multiple factors:
• Trust in AI. User’s cognitive and emotional reactions to AI systems are critical. Multiple factors influence trust in AI including perceptions of its performance and reliability; design features such as transparency; operator expertise, personality, and demographics; and contextual factors such as organizational climate and work structure. Most cyber operations cannot be fully automated, so trust optimization is critical. Under-trust is the primary vulnerability in AI-supported password selection, given users’ preferences for simple, low-effort passwords.
• Workload, stress and fatigue. Typically, humans perform best with moderate workloads that provide engaging cognitive challenges. However, cyber operations overload the user, especially when the combined workload of primary tasking and maintaining security induces stress and fatigue. These factors may erode the user’s willingness to apply effort to password management.
• Individual differences and demographic factors. Various user characteristics may impact willingness to engage with cybersecurity tools. People differ considerably in their attitudes towards advanced technology, attitudes that can impact trust in AI tools Relevant demographic factors include age, especially as a marker for generational differences in attitudes towards technology. Other relevant factors are related to the person’s experiences with technology, including computer experience and literacy, as well as being a victim of cybercrime.
The present study aimed to investigate usage of DeepPsswd during simulated routine office work. We tested effects of two experimental manipulations: (1) cognitive demands of the primary office work task, and (2) an induction designed to enhance user motivation. We also investigated the role of a range of individual difference and demographic factors.
Users notoriously tend to create weak passwords. Many users choose convenience over password strength in order to minimize effort and find an easy “satisficing” solution that is considered “good enough” for the problem at hand. The DeepPasswd tool (Pasquini, Ateniese & Bernaschi, 2020) aims to support the user by helping them modify a memorable password to increase its strength, e.g., “Iluvdogs” might become “Iluvd0g$”. Based on deep learning, it estimates the strength of each password character and provides feedback to the user as they tweak the weakest characters.
A major threat to user motivation is security fatigue. When users feel burdened by security messages, advice, and demands for compliance, they reach a cognitive saturation point and become desensitized against security recommendations. The challenge for use of AI-powered systems such as DeepPasswd is to motivate the user to accept the additional mental workload cost of using the web interface for password generation in return for the security benefits.
Users’ management of the effort-security tradeoff is likely to depend on multiple factors:
• Trust in AI. User’s cognitive and emotional reactions to AI systems are critical. Multiple factors influence trust in AI including perceptions of its performance and reliability; design features such as transparency; operator expertise, personality, and demographics; and contextual factors such as organizational climate and work structure. Most cyber operations cannot be fully automated, so trust optimization is critical. Under-trust is the primary vulnerability in AI-supported password selection, given users’ preferences for simple, low-effort passwords.
• Workload, stress and fatigue. Typically, humans perform best with moderate workloads that provide engaging cognitive challenges. However, cyber operations overload the user, especially when the combined workload of primary tasking and maintaining security induces stress and fatigue. These factors may erode the user’s willingness to apply effort to password management.
• Individual differences and demographic factors. Various user characteristics may impact willingness to engage with cybersecurity tools. People differ considerably in their attitudes towards advanced technology, attitudes that can impact trust in AI tools Relevant demographic factors include age, especially as a marker for generational differences in attitudes towards technology. Other relevant factors are related to the person’s experiences with technology, including computer experience and literacy, as well as being a victim of cybercrime.
The present study aimed to investigate usage of DeepPsswd during simulated routine office work. We tested effects of two experimental manipulations: (1) cognitive demands of the primary office work task, and (2) an induction designed to enhance user motivation. We also investigated the role of a range of individual difference and demographic factors.
Event Type
Lecture
TimeWednesday, September 11th2:10pm - 2:30pm MST
LocationFLW Salon I
Aging
Cybersecurity