Username and password have long been used as a form of authentication, and despite all the known issues with passwords, they are still the primary option. Cybersecurity experts advise users to create passwords that are difficult to guess and not to reuse them across different accounts. Other recommendations include changing passwords at regular intervals and not writing them down or storing them on users’ phones or computers.
These tips, when recommended together, put users in a sticky situation. Passwords that are hard for attackers to guess can also be hard for users to remember. As the number of accounts grows, as is the case today, users must create and remember many more passwords than ever before. The situation is made even more difficult when users are required to change their passwords at regular intervals and not write them down anywhere.
Together, all of this creates a huge cognitive load for users. This can lead users to create weaker passwords that are easy to remember and reuse them across different accounts, creating problems in terms of cybersecurity.
Password Managers and Trust: Improving Cybersecurity Habits
A password manager is a tool or piece of software that eases the cognitive load on users of creating and remembering many unique credentials, such as usernames and passwords, by automatically creating, storing, and completing required credentials when needed. Password managers create unique and strong passwords based on desired rules, such as length, type of characters, and any other special attributes, for each account. Password managers are actually one of the most popular measures among cybersecurity experts. However, they have not achieved the same popularity among regular end users.
For example, in 2015, when password managers were one of the top 5 measures applied by cybersecurity experts, it was found that only 24% of regular users used a password manager. The situation seems even worse today, as recent studies comparing the security practices of cybersecurity experts and users show that only 3% of respondents use a password manager.
To understand the reasons for the unpopularity of password managers among users, studies have been conducted to identify the factors that prevent users from using a password manager. Trust has been found to be one of the main reasons why people don’t use password management apps. This is based on the few studies that have been done on regular end users.
Cybersecurity researchers determined the factors that drive the adoption of password managers and found that trust has a positive impact on the intention to adopt password managers. Studies found that people do not adopt a password manager due to a lack of trust. Therefore, trust has been suggested as the first step to increasing the adoption of password managers.
While trust has been found to be an important factor in password manager adoption, how trust can be established has not yet been investigated. For this, it is crucial to understand the factors that improve trust and favor their relationships with adoption. This leads to the conclusion that the basis for stimulating trust is to work on what is called “Initial Trust”.
Trust as a Consequence of Security: The Importance of Initial Trust in Password Manager Adoption
Trust is not decreed, it is built, and in order to establish trust between an individual and an artifact, it is crucial to understand how trust is initiated, built, and improved. If security results in trust, then it can be inferred that cybersecurity results in cybertrust. Cybersecurity experts have shown that trust is built in phases, and the trust-building process begins when people come across an unknown artifact. This initial phase is called Initial Trust, which is affected by institutional, personal, and environmental factors.
Once initial trust is established, people go through a personal experience, try the artifact, and then decide to accept or reject it. Therefore, the trust that is established after the use of an artifact is different from the initial trust that is established before the use of an artifact. That is, initial trust plays a crucial role in building trust between a user and an artifact, which can be a service, an application, or a piece of software. Therefore, we argue that initial trust formation is more relevant to understand in the context of password managers. This analysis supports the universal rule that “The first impression must be good for there to be acceptance by the receiver”.
The scientific community of cybersecurity has now recognized that any manufacturer of a password manager must consider the Initial Trust Model (ITM). In their work, they described the three forces that affect initial trust: 1) Personal, 2) Institutional, and 3) Environmental.
The Personal force relates to the user; here, the personal propensity to trust significantly affects initial trust. The Institutional force refers to an institution's size, capacity, integrity, role in the market, benevolence, reputation, and/or brand, which can also affect the user's perception of its services or products. The Environmental force covers structural safety and improved reliability of the service. The structural guarantees include the availability of service guarantees, privacy policies, recognition, and endorsement of third parties.
Based on the above, all companies that manufacture a password manager must base it on the ITM philosophy.
The ITM Philosophy and the Factors That Affect Initial Trust in Password Managers
The Initial Trust Model (ITM) philosophy is a framework for understanding the factors that affect initial trust in an artifact. In the case of password managers, the ITM philosophy highlights two major factors that influence initial trust: personal propensity to trust and structural guarantees.
The personal propensity to trust reflects an individual’s tendency to trust others in various situations. This tendency is part of a person’s personality and develops during the early stage of a person’s life. The propensity to trust takes two forms: faith in humanity and trust posture. In the first form, a person believes that people are trustworthy, and the second form describes a person’s belief that they will be better off considering people to be trustworthy. It is suggested that the personal propensity to trust password managers will represent the degree to which people have a trusting posture towards password managers. That is, the personal propensity to trust will affect the initial trust in the password manager.
Structural guarantees, in general, are the assurances (for example, promises, contracts, regulations, or guarantees) that institutions provide to their clients. In a technological context, these safeguards are encryption, secure processes and procedures, third-party certifications, and the feedback mechanism. In the case of password managers, users care about their data and look for guarantees like the ones mentioned above. The structural guarantees will affect the initial trust in the password manager through the quality of service that cannot be determined without previous experience. In this situation, when an individual has no prior experience, referrals and word of mouth are the channels that influence an individual’s perceptions.
Individual perceptions are also affected by institutional signals. A good reputation is a guarantee of a company’s integrity and goodwill, increasing the trust of potential customers even when they have no prior experience with the service provider and reducing uncertainty and risks associated with the application. The reputation of the company of the password managers will have a significant influence on the initial trust related to the password managers. So, the reputation of the company will positively affect the initial trust in the password managers. The initial trust reduces uncertainty and the risk and establishes a connection that leads to the use of a new application.
Both perceived usefulness and initial trust affect behavioral intention. Therefore, the environmental factors and institutions that generate password manager products are closely related and are entirely dependent on the service provider and not the user.
The Current Conception of Initial Trust for Cybersecurity in the Context of Password Managers
In 2021, a prestigious group of cybersecurity experts from Finland’s Turku University conducted a study on initial trust formation in the context of password managers and how initial trust relates to password manager adoption intention. The study collected data from 289 young adults in Europe aged 18 to 35, and the analysis was mainly carried out using Structural Equation Modeling (SEM) in SmartPLS 3.2 and with the support of SPSS v25.0.
The results showed that the structural security and the reputation of the company play an important role in the initial formation of trust, but not the Personal Propensity. In conclusion, it is the last two factors – Institutional and Environmental – that affect initial trust, that is, the intention of users to adopt a password manager.
The experts from Turku University, together with other researchers, philosophers, and cybersecurity experts, indicate that there are still factors in the initial trust in password managers, so much remains to be studied in this regard. For example, it would be interesting to see the role of social norms in the background of adoption and initial trust of the password manager. In addition, studies may also consider other factors that may play an important role in the initial formation of trust, such as knowledge of password managers.
Awareness has been found to be a driving force in learning the skills necessary to execute a certain type of behavior, as well as gender. The female gender has been found to be more demanding in adopting initial confidence than the male gender, and younger women are even more demanding than younger men. So, in this area, there is still a lot to study.
The evidence shows that relying solely on password protection is not enough to ensure secure online activity. Cybersecurity experts recommend creating difficult-to-guess passwords and changing them regularly to protect information from potential hackers. Although it can be a painstaking process, using distinct passwords for each account is necessary to protect oneself and the community. Fortunately, there are ways to manage passwords effectively and securely, without admitting defeat in the never-ending cyberbattle. However, if users are not vigilant when creating passwords, they risk becoming victims of cybertheft and fraud.