We demonstrate the use of a systematic decision-making methodology to support an informed choice of a password policy. Our approach uses an executable system model, grounded in empirical data, to compare two policy options by simulation. The problem is framed economically, with the comparison based on a notion of organizational utility. We quantify utility by considering breaches of system security, users' productivity, and investment in support operations. Using our results, we are able to explore the trade-offs between these factors and thus determine the optimal policy configuration for the given initial conditions.
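The following is an added example, not the paper's model or code: a toy executable model in the spirit of the abstract, which compares password policies by a simple organizational utility (breach loss plus productivity loss plus support cost) and sweeps one policy parameter to expose the trade-off. The `Policy` and `Environment` fields, the `guess_factor` and `forget_factor` relationships, and every numeric value are assumptions made here for illustration; a real study would ground them in empirical data as the paper describes.

```python
"""Toy executable model for comparing password policies by organizational
utility. Added example: the model structure and all parameter values are
assumptions chosen for illustration, not the paper's calibrated model."""
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Policy:
    name: str
    min_length: int        # minimum password length
    expiry_days: int       # forced change interval in days; 0 = never expires


@dataclass(frozen=True)
class Environment:
    # All values are assumed for illustration.
    users: int = 200
    days: int = 365
    logins_per_day: float = 4.0
    seconds_per_char: float = 0.25       # typing cost per character per login
    hourly_wage: float = 50.0
    base_attack_rate: float = 0.0005     # daily P(credential guessed/phished) at length 8
    detect_days: int = 30                # days a compromise survives before it is noticed
    loss_per_exposed_day: float = 400.0  # loss per day a compromised account stays usable
    base_forget_rate: float = 0.004      # daily P(user forgets password) at length 8
    post_change_days: int = 7            # window after a forced change with extra forgetting
    post_change_forget_mult: float = 4.0
    reset_minutes: float = 20.0          # user time lost per lockout/reset
    reset_cost: float = 25.0             # helpdesk cost per reset ticket


def guess_factor(policy):
    """Assumed: each character beyond 8 halves the daily compromise probability."""
    return 2.0 ** -(policy.min_length - 8)


def forget_factor(policy):
    """Assumed: each character beyond 8 raises the forgetting rate by 5%."""
    return 1.0 + 0.05 * (policy.min_length - 8)


def simulate(policy, env, seed=1):
    """One Monte Carlo run; returns cost components and utility (negative total cost)."""
    rng = random.Random(seed)
    expiry = policy.expiry_days
    # Stagger each user's forced-change schedule with a random offset.
    last_change = [-rng.randrange(expiry) if expiry else 0 for _ in range(env.users)]
    exposed_days = 0
    resets = 0
    for day in range(env.days):
        for u in range(env.users):
            if expiry and day - last_change[u] >= expiry:
                last_change[u] = day
            recent = bool(expiry) and (day - last_change[u]) < env.post_change_days
            p_forget = env.base_forget_rate * forget_factor(policy)
            if recent:
                p_forget *= env.post_change_forget_mult
            if rng.random() < p_forget:
                resets += 1   # lockout: one helpdesk ticket plus lost user time
            if rng.random() < env.base_attack_rate * guess_factor(policy):
                # A stolen credential stays usable until detection or the next forced change.
                if expiry:
                    exposed_days += min(env.detect_days, last_change[u] + expiry - day)
                else:
                    exposed_days += env.detect_days
    typing_hours = (env.users * env.days * env.logins_per_day
                    * env.seconds_per_char * policy.min_length / 3600)
    reset_hours = resets * env.reset_minutes / 60
    breach = exposed_days * env.loss_per_exposed_day
    productivity = (typing_hours + reset_hours) * env.hourly_wage
    support = resets * env.reset_cost
    return {"policy": policy.name, "breach": breach, "productivity": productivity,
            "support": support, "resets": resets, "exposed_days": exposed_days,
            "utility": -(breach + productivity + support)}


def mean_utility(policy, env, seeds=range(10)):
    """Average utility over several seeds so one lucky run does not decide the ranking."""
    return sum(simulate(policy, env, s)["utility"] for s in seeds) / len(seeds)


def compare(policies, env, seed=1):
    """Rank policies by utility for a single run (best first)."""
    return sorted((simulate(p, env, seed) for p in policies),
                  key=lambda r: r["utility"], reverse=True)


def sweep_expiry(policy, env, expiries, seeds=range(5)):
    """Trade-off exploration: mean utility for each candidate expiry interval."""
    return {e: mean_utility(Policy(policy.name, policy.min_length, e), env, seeds)
            for e in expiries}


if __name__ == "__main__":
    env = Environment()
    for r in compare([Policy("len8-90d", 8, 90), Policy("len12-noexpiry", 12, 0)], env):
        print(r)
    print(sweep_expiry(Policy("len10", 10, 0), env, [0, 30, 90, 180]))
```

The ranking is stochastic, which is why `mean_utility` averages several seeds; with the assumed parameters the sweep makes the tension visible, since shorter expiry trims breach exposure but raises reset volume and the support and productivity costs that come with it.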
Title of host publication: Proceedings of the International Workshop on Quantitative Aspects in Security Assurance (QASA 2012): Affiliated Workshop of ESORICS 2012
Number of pages: 12
Publication status: Published - 2012
Event: QASA 2012 International Workshop on Quantitative Aspects in Security Assurance: Affiliated workshop with ESORICS - Pisa, Italy
Duration: 14 Sep 2012 → …