Assignment 2

Submission dates:

• Week 13
• Written submission Sunday Week 14

Worth: This project is worth 30% of your final grade

Submission instructions: You should submit your assignment from the ICT615 LMS site. You can receive email notification that your assignment has been received. Late submissions will be penalised at the rate of 5 marks per day late or part thereof unless an extension has been obtained.

You should submit your assignment as one word-processed document. So your work doesn’t get mixed up with others’, ensure that your name is on your assignment and use a filename that clearly identifies it. If you are working in pairs put both surnames in the filename, but submit a copy of the assessment each, so that it is easier to provide feedback. You must keep a copy of the final version of your assignment as submitted and be prepared to provide it on request.

The University treats plagiarism, collusion, theft of other students’ work and other forms of dishonesty in assessment seriously. For guidelines on honesty in assessment including avoiding plagiarism see http://our.murdoch.edu.au/Educational-technologies/Academic-integrity/

Behavioural Security Research Project

This assignment is intended to provide you with the experience of undertaking and writing up a complete research project. As you know from Assignment 1, whilst much has been written about behavioural security, there is still more research needed. Many previous findings have been inconclusive, and IT security continues to be a problem.

For this project you are provided with a set of data relating to users’ passwords and their perceptions of security threats. It has been collected from users of the Internet who have web accounts. The study was designed as an experiment where the treatment group were exposed to password security information and training.

Your first task is to formulate a research question or several related research questions that relate to this topic and can be answered using the set of data. You will be helped to analyse the data in order to answer your research question(s). You will give a brief presentation to the class outlining your proposed research (in class Week 13) this will allow you to get feedback on your research questions, hypotheses and preliminary results. You will also write up your results in the format of a conference paper (to be submitted Week 14).

Possible research questions might include:

• Does exposure to password security information and exercises improve intention to comply with password guidelines?
• Does exposure to password security information and exercises improve password strength?
• Does gender influence password security?
• What factors influence intention to comply with password guidelines?
• What factors influence password strength?

You need to work in the same groups where you finish assignment 1.

You will be given:

1. Information about how the data was collected (Appendix 1 in this document)
2. A list of all the variables included in the dataset (Appendix 2 in this document)
3. A data set containing the raw data (in both SPSS (.sav) and Excel format (.xls)) –download from the ICT615 LMS site
4. A copy of the survey used to collect the data – can be download from the ICT615 LMS site

If you find that you need more information about the way in which the data was collected just ask me.

You need to:

1. Undertake background reading to review the relevant literature. You can use studies you find for assignment 1, but you cannot just copy and paste the literature review from assignment 1 to assignment 2. You need to rewrite and restructure the writing based upon your work in assignment 2.
2. Decide exactly what research questions you want to answer (and generate hypotheses if appropriate)
3. Consider how the data should be analysed in order to enable your research questions to be answered
4. Get the data analysed (if the results you need aren’t included in the Topic 9 Data Analysis Session, I can do it for you, or I can help you do it)
5. Present a brief outline of your research/paper in class
6. Write up your research in the form of a paper suitable for publication at a conference.

Note: Stages 2 to 4 can be done in collaboration with the rest of the class, but the presentation and research paper should be created in group.

Presentation:

The presentations should be approximately 5 minutes in length (with a maximum of 10 minutes) and given during the Week 13 class. The presentation will be worth 10% of the mark for the Project.

The presentation should include:

1. Background literature
2. Justification for the research
3. Research questions (and hypotheses if appropriate)
4. Any preliminary results you have
5. Discussions (e.g., implications for research and practice) (highly recommended if you have any results, though not listed in the rating sheet)

The tutor will evaluate the presentation in the lab tutorial.

Research Paper:

The research paper you submit should include the following sections:

1. Title
2. Abstract
3. Introduction

• Provide enough background
• including a brief statement of the problem you are investigating

4. Literature Review – brief review of the literature relevant to the problem
5. Research hypotheses – include your hypotheses in this section (and make sure that you provide a justification for each of them)
6. Research design – you can copy as much as you like from Appendix 1.
7. Results – create your own tables – don’t just cut and paste the SPSS output, clearly state what you found and whether each hypothesis is supported or not
8. Discussion (Implications for theory, practice, limitations and opportunities for future studies)
9. Conclusion
10. References (referencing should be in APA style)

Make sure that you cite previous work properly!

Length: Approximately 2500 – 3000 words

	HD (99%-80%)	D (79%-70%)	C (69%-60%)	P (59%-50%)	N (49%-1%)
Title and abstract (5%)	Have a clear title The abstract clearly describes the background, the overall aim, and the results of the study.	Has a clear title The abstract includes some background, the overall aim, and the results of the study.	Has a clear title The abstract includes some background, and the brief description of the study.	Has a title The abstract includes the brief description of the study.	No title The abstract is confusing or no abstract.
Introduction, literature Review (20%) (Please do not simply copy assignment 1 to here; otherwise, at best 50% will be received. )	Excellent introduction: has external sources to strongly support the importance of user security behaviours; clearly state the objective of the essay Identified appropriate material and synthesised the research findings well. Critically evaluate the study, and identify the gaps (the gap links to their study)	Good introduction: Discuss the importance of user security behaviours; clearly state the objective of the essay Identified appropriate material and synthesised the research findings well.	Reasonable introduction: Discuss some background; clearly state the objective of the essay Starting to synthesise research results, but some sections still read like reporting the results of one study after another	Has introduction: state the objective of the essay Simply reporting the results of one study after another	No introduction Reporting some studies; hard to follow
Hypotheses (20%)	Provide strong justification (using literature) to support their hypotheses	Provide some justification (using literature) to support their hypotheses	Provide some justification (no literature) to support their hypotheses	Provide very simple justification (no literature) to support their hypotheses	Just listing hypotheses but no justification
Methods (5%)	All necessary information needs to be included.
Results (20%)	Include both descriptive statistics about the sample, and correct inferential statistics. Create own tables; report results in a correct format (refer to tut 10)	Include correct inferential statistics. Create own table; report results in a correct format (refer to tut 10)	Include correct inferential statistics. Create own table; report results but miss some information	Include correct inferential statistics. Copy table from SPSS; report results but miss some information	Include incorrect statistics. Copy table from SPSS; no or little explanations.
Discussion (20%)	Provide clear discussion of the results Discuss the implication for theory, practice, limitations and recommendations for future studies. Use some references to support their arguments.	Provide clear discussion of the results Discuss the implication for theory, practice, limitations and recommendations for future studies.	Provide some discussion of the results Discuss the implication of their study.	Provide some discussion of the results	No or little discussions.
Presentation (10%)	Clear structure Has no grammar /spelling errors Perfectly follow APA format	Clear structure Has few grammar/ spelling errors Mainly follow APA format, not fully consistent but acceptable	Clear structure Has a few grammar/ spelling errors but does not impact reading Follow APA format, have a few errors but acceptable	Have structure but not quite clear Has quite a few grammar / spelling errors, hard to follow sometime. Follow APA format a bit but has many inconsistencies (or the format of reference is not consistent themselves)	Structure is confusing Has many grammar / spelling errors, hard to follow Cannot identify the format

APPENDIX 1 – Information about how the data was collected

The target population for this study was Internet users who hold at least one online email account. To obtain a sample with a wide range of backgrounds a third party recruiting company, Authentic Response Inc., was used and participants were recruited through email invitations to their panel. A total of 3830 email invitations were distributed.

Participants were randomly allocated to two groups: a control group, and a treatment group that received password security information and training. Each group undertook a separate data collection session administered online using SurveyGizmo. The control group session took approximately 15 minutes and collected the following information:

• A typical password (later analysed for password length and password strength)
• Longest password ever voluntarily used
• Number of email accounts currently held
• Whether have voluntarily changed email passwords
• Whether have previously shared email passwords
• Self-rated computer skill
• Self-rated security knowledge
• Whether have previously been hacked
• Gender
• Age
• Highest level of education
• Perceived Severity
• Perceived Self-efficacy
• Perceived Effectiveness
• Perceived Cost
• Perceived Vulnerability
• Perceived Threat
• Intention to Comply (with password guidelines).
• New Password (later analysed for password length and password strength)

The treatment group data collection session, completed in approximately 25 minutes, consisted of the same measures of the same variables, plus a password security information and exercise segment that was completed after the background information about participants and their practices was collected and before the main constructs were measured. The password security information and exercise were developed using material from NIST , US-CERT and Certified Information Systems Security Professional (CISSP) .

In order to ensure validity and reliability of the items, previously validated items were adopted where possible. The sample survey shows the items used (note: not all items in the sample survey are included in the data set). With the exception of Intention to Comply, all the main constructs were measured on a 7-point Likert-type scale. The items to measure Perceived Severity and Perceived Vulnerability were adapted from Boss and Zhang and McDowell . The items to measure Perceived Threat and Perceived Cost were adapted from Milne, Orbell and Sheeran . Perceived Effectiveness was measured using items adapted from Zhang and McDowell and Perceived Self-efficacy with items from Compeau and Higgins . The items to measure Intention to Comply were adapted from Bulgurcu, Cavusoglu and Benbasat and measured on a 7-point scale where (1) was labeled ‘not at all likely’ and (7) was labeled ‘very’.

Password strengths were analysed using an approach based on Shannon adapted to meet NIST guidelines . Summary variables for each construct were calculated as the average of the items used to measure the construct (see sample survey). All constructs had Cronbach alphas of over 0.80 indicating acceptable reliability.

APPENDIX 2 – Variable definitions

Variable name	Description	Values
ParticipantID	Unique ID to identify participants
Training	Received security information and training (determines if participant it in treatment or control group)	1= no 2 = yes
PasswordLength	Longest password ever voluntarily used	Number of characters
NumberEmailAccounts	Number of email accounts currently held
VoluntaryChange	Have voluntarily changed email passwords	1=no 2=yes
SharedPasswords	Have previously shared email passwords	1=no 2=yes
ComputerSkill	Self-rated computer skill	1 – 7 scale where 1 = poor and 7 = excellent
SecurityKnowledge	Self-rated security knowledge	1 – 7 scale where 1 = poor and 7 = excellent
PrevHacked	Previously been hacked	0 = no, 1 = yes
Gender	Gender	1 = male, 2 = female
Age	Age	Number of years
Education	Highest level of education	5 point scale from 1=‘Less than high school’ to 5 = ‘Post-graduate’
PREPW_STR	Pre-test password strength
PREPW_LEN	Pre-test password length
POSTPW_STR	Post-test password strength
POSTPW_LEN	Post-test password length
PerceivedSeverity	Degree to which a user believes that the consequence of password related threats would be severe	1 – 7. Calculated as average of scores on items to measure construct
PerceivedSelfEfficacy	Degree to which a user is confident in their ability to create a strong password
PerceivedEffectiveness	Degree to which a user believes that recommended password guidelines will prevent password threats
PerceivedCost	Degree to which a user believes that remembering passwords would be difficult if password guidelines were followed
PerceivedVulnerability	Degree to which a user believes that they are likely to experience password related threats
PerceivedThreat	Degree to which a user is worried about password related threats
IntentionComply	Intention to comply with password guidelines