Improving information security management: An analysis of ID–password usage and a new login vulnerability measure

Statistics show that the number of identity theft victims in the US increased by 12% in 2009, to 11.1 million adults, while the total annual fraud amount increased by 12.5%, to $54 billion. As the e-commerce volume is increasing and various online services are becoming more popular, the number of sites to which an average Internet user subscribes is increasing rapidly. Given the limited memory capacity of human beings, an Internet userʹs login credentials (in the form of a combination of a user ID and a password) are usually reused over multiple accounts, which can cause significant security problems. In this study, we address the vulnerability of login credentials. First, based on a unique Internet user data set, we analyze the behavioral characteristics of login credentials usage. We find that the same login credentials are used for many more accounts and reused much more often than previously expected. Furthermore, usage patterns are found to be quite skewed. Second, building on a network perspective of login credentials usage, we suggest a vulnerability measure of an individualʹs login credentials and analyze the vulnerability of current Internet users. The resulting information is valuable not only to the research community but also to managers and policy makers striving to reduce security vulnerability.