We are creatures of habit. At least, I know that I am, even though my working life as a user experience consultant provides me with more than sufficient variety at times. Nonetheless there are many times when I find myself falling into a familiar pattern of behaviour. One of these areas, where I know that I stick to a limited number of different routines, concerns security passwords. I know that we are supposed to make them so complicated that they are difficult for others to guess, but of course that runs the risk that we cannot remember them either. I also know that we should change them frequently, and be very cautious about any information we submit when buying online. I know all that, yet I also know that if I do not keep things simple, I will be the one who forgets, who tries too many times before remembering the right combination and who then has to go through all the hassle of getting things reinstated.
So I temper security with usability. And I am not alone. I understand that recent surveys have shown that there are a very few passwords which millions of people share – typically, such obvious combinations as ‘123456’ and ‘password’. So obvious, in fact, that it doesn't take unpleasant people very long to break in and do what they do to your account or details.
One security measure, which I have taken, is to have all my credit and other cards registered with a company so that they can all be stopped with one phone call – a feature I was particularly pleased about when I had my wallet pick-pocketed in Beijing, when attending the International Ergonomics Association Congress in August 2009. When I later checked back in the UK, one of my credit cards did have a fraudulent transaction. When I challenged it, they claimed that I must have let someone know my PIN, as ‘that was the only way it could have been used’. I explained that I did not know my PIN for that card, but they said that I had probably written it on a piece of paper in my wallet, as ‘lots of people do that’. However, when I pointed out that chip and PIN was not common in China and that my card had been reported stolen to them 40 min before the transaction, they accepted their mistake.
That reminds me of a common sight in offices a few years ago – the password on a sticky note on the screen, because no-one could remember it – actually worse than useless in terms of security. Nowadays, systems use all manner of biometric and other devices to provide security to save us having to remember secure passwords. But we still have ambivalent attitudes to security – we rightly object if our information is stolen but we resent being asked for endless PINs, passwords, thumbprints and eyeball scans.
The first two papers in this issue of Behaviour & Information Technology deal with our attitudes and behaviours associated with information security.
Information security
Ding-Long Huang, Pei-Luen Patrick Rau and Gavriel Salvendy from the Department of Industrial Engineering, Tsinghua University, Beijing, China, report a study on the perception of Chinese students of information security and the factors that influence people's perception of different threats to information security. The survey's 602 respondents were asked to rank 21 common threats to information security. Factor analysis yielded six factor structures – knowledge, impact, severity, controllability, possibility and awareness. The researchers then used these factors to identify the five most dangerous threats (hackers, worms, viruses, Trojan horses and backdoor programs) and the five least dangerous threats (spam, piratical software, operation accidents, users' online behaviour being recorded and deviation in quality of service).
As I discussed earlier, the psychology of password management is an interesting field of study and in the next paper L. Tam and M. Glassman from the Marketing Department, Old Dominion University, and M. Vandenwauver from Software Sales, IBM, (all in Norfolk, VA) explore the trade-off between security and convenience. They studied five password-management behaviours. Interestingly, they found that users know what constitutes a good/bad password, and know which common password-management practices are inappropriate, but they do not see any immediate negative consequences to themselves and prefer convenience. The authors applied construal level theory and found that this trade-off can be positively influenced by imposing a time frame factor, i.e. whether the password change will take place immediately (which results in weaker passwords) or in the future (which results in stronger passwords). However, this time frame effect only applied where security was obviously more important, for example in online banking.
So, paradoxically, systems which harangue you to change your password immediately may actually be encouraging weaker passwords. Such unintended consequences are all too common when real people are involved. The next set of papers look further into the complex relationship between systems and user behaviour.
User behaviour
I have always had a sneaking feeling that the better a project manager can describe exactly the status of a current project, the less likely it is that this corresponds to reality. I do have some anecdotal evidence for this, where following a concise and apparently accurate description of the project, I have interviewed team members and uncovered a somewhat messier reality. Now I am not suggesting that such projects are inevitably going to fail (although a surprising number of all IT projects fail to deliver real business benefit) or even that they are always badly managed.
What I think my observation reveals is the discomfort of the project manager when admitting that real life systems development is characterised by ad hoc behaviour and unforeseen improvisation. M. Magni, B. Provera and L. Proserpio from the Department of Management, Institute of Organisation and Information Systems, Bocconi University, Milano, Italy, explore this relationship further and argue that traditional top-down, meticulously planned procedures are not effective ways of dealing with the emergent and continuously evolving needs of users. This theoretical article investigates the role of improvisation in addressing the shortcomings of traditional approaches.
Innovation is also the topic of the next paper. Mohammad Hossein Jarrahi from the College of Information Science and Technology, Pennsylvania State University, USA, presents a case study on the introduction of a course management system in a higher education institution. The case study illustrates how this system is employed in disparate manners by different groups of academics and the reasons behind these differences. The author draws on structuration theory and the concept of the ‘practice lens’ for studying technology in organisations.
One behaviour, which is widespread but of great concern to many commercial organisations, particularly software vendors, concerns the use of pirated software. Nikos I. Konstantakis, Panos D. Siozos and Ioannis A. Tsoukalas from the Department of Informatics, Multimedia Laboratory, Aristotle University of Thessaloniki, and George E. Palaigeorgiou from the Department of Computer and Communication Engineering, University of Thessaly, also in Greece, report a survey of computer science students on their attitudes to software piracy. As they point out, computer science students are the future information and communication technologies professionals. Just as Ding-Long Huang and colleagues found in China, students in Greece regard software piracy as a very minor security risk and appear to make intensive use of pirated software. Even though they ‘acknowledge the immoral character of their actions, as well as the fact that others are affected by software piracy, … they pay little attention to this action and they practically don't care’. A worrying trend for the future is that even when asked to imagine their future roles in software development companies, they ‘fail to understand the significance of intellectual property rights for mere digital products, such as software’.
In the last paper in this section of Behaviour & Information Technology, Yen-Ku Kuo and Kung-Don Ye from the Department of Shipping and Transportation Management, National Taiwan Ocean University, Taipei, Taiwan, report a study on how much workers' gender, work experience, designated division, and appointment affected their perception of information technology within the organisation. They also explore what impact this behaviour has on the overall performance of the organisation.
Learning
Gender is also a topic investigated by the next paper from Yujong Hwang from the School of Accountancy and Management Information Systems, DePaul University, Chicago, USA. The author points out that although online education and technology-mediated learning are growing, they very much depend on the motivation of the students. Several hundred students took part in the test and among the detailed results, the author found that the males showed stronger effects of self-identity whilst the females showed stronger effects of social identity.
Finally, Jianfeng Wang, David Solan and Abe Ghods from the Department of Business and Economics, Mansfield University of Pennsylvania, Mansfield, USA, apply a socio-technical systems theory perspective to computer-based distance education. Their proposed systems model evaluates distance learning success from the instructor's perspective and was tested on data collected from 548 instructors in seven universities in the Midwest region of the USA. The results suggest that their proposed multi-dimensional system flexibility scale is reliable and useful for evaluating both course quality and faculty perceived impacts.