CIOs Deal With The Problem Of How People Create Passwords

CIOs have to deal with the fact that people are attached to how they create passwords
Image Credit: Christiaan Colen

If you take a look at the long list of things that a modern CIO is responsible for, securing the company’s network is right there at the top. In practice this means many different things: firewalls have to be deployed, encryption schemes have to be put in place, and end user training has to be delivered. However, it turns out that this is all an uphill battle for CIOs. We are struggling with our end users. It turns out that they do a really bad job of coming up with passwords to secure their company’s network assets. What’s going on here, and just exactly how hard could this be to do correctly?


Why People Do A Bad Job Of Picking Passwords

If you’ve had a chance to take a look at any of the reports that have come out over the past few years regarding the passwords that people use, the news has not been good. Every once in a while a massive trove of passwords is leaked, and researchers can take a look and find out which password is the most popular. The answer is always the same: “123456”. The person with the CIO job needs to understand that people tend to pick weak passwords. This makes securing the company’s network that much harder and provides motivation to the people who are trying to break in.

All of these bad passwords have prompted additional research into just exactly how people go about creating their passwords. This is information that the person in the CIO position needs to know. Currently, when we try to teach people how to create strong passwords, what we do is yell at them when they create weak passwords and show them how valuable creating a strong password is. It turns out that doing this just might backfire on us. The problem is that when we tell people that they are doing it wrong, they will probably become defensive and will then show very little willingness to change the way they create passwords.

What CIOs need to do is take the time to understand how the people they are responsible for choose their passwords. What we need to realize is that people don’t have to remember just one password; we generally ask them to remember a lot of passwords at the same time. Since we are asking them to remember more passwords than any one person can keep straight in their head, people come up with a scheme for creating their passwords. Once this scheme has been established, they become resistant to changing it. CIOs can tell them about the advantages of creating stronger passwords or warn them about creating weak passwords – it will no longer matter, people have made up their minds.


How People Can Do A Better Job Of Picking Passwords

What CIOs need to understand is that there is something called the “Endowment Effect” happening here. When we own things, we become attached to them. The result is that we attach too much value to the thing that we own. We will then be unwilling to swap what we have for something of the same functionality, even if the other thing is better than what we have. There is another factor at work here. It has been called the “IKEA Effect”, and it happens when we create something: we become attached to it and, yes, you guessed it, we tend to overvalue it. Value is in the eye of the creator.

So what can CIOs learn from all of this? It turns out that the people the CIO is responsible for are not going to pick a stronger password just because we tell them to do so. They are not going to pick a stronger password just because it is something they know they really should do. Instead, what’s important for the CIO to understand is that if your people believe that how they go about choosing a password is being treated with disdain or derision, then things are going to go badly. They may view being seen this way as some sort of personal attack. Once this happens, there is a very good chance that they will be less likely to change their ways and adopt more secure password selection processes.

So what’s a CIO to do? It turns out that when we deliver cybersecurity training programs, we need to not only tell our people how they can choose more secure passwords, but also acknowledge that they may feel a sense of loss when thinking about a password change. We have to understand that they could become defensive if their existing routine is criticized. CIOs need to show empathy for the effort that people put into coming up with and remembering passwords. We need to understand that people are not choosing weak passwords out of laziness or ignorance. We need to understand that our people care more about how they go about choosing their passwords than we can imagine, and we need to make it easier for them to let that go.


What All Of This Means For You

CIOs are facing a real challenge when it comes to securing their company’s networks. Because their users are creating weak passwords, the network is being left insecure. It turns out that no matter how much cybersecurity training is provided, people will be resistant to creating passwords that are more secure. What needs to change?

People do a poor job of choosing strong passwords. In fact, one of the most common passwords is “123456”. Traditional cybersecurity training consists of teaching people how to create strong passwords and then yelling at them when they create weak passwords. CIOs need to understand that we are asking people to remember multiple passwords, and this can be difficult to do. If we criticize the passwords that people create, this may cause them to become defensive and resistant to changing how they create their passwords. The endowment effect and the IKEA effect teach us that people feel a sense of ownership of the process they use to create passwords, and they tend to value it too much. CIOs have to be careful not to show disdain for how people create their passwords, or we’ll never be able to get them to change their ways. What CIOs need to do is show empathy and appreciate how hard it is to create passwords and then remember them. By doing this, we can get people to change how they create their passwords.

CIOs need to secure the company’s networks, and they can’t do it alone. We need everyone to help us do this, and they can help us by creating and using secure passwords. We have an obligation to teach them how to create secure passwords, and then we need to be willing to work with them to help them change the process they use to create a password. If we can do this successfully, then we’ll be able to secure our networks, and perhaps the bad guys will go somewhere else.


– Dr. Jim Anderson Blue Elephant Consulting –
Your Source For Real World IT Department Leadership Skills™


Question For You: How often do you think that CIOs should have people change their passwords?

