Search for: All records

Multifactor authentication (MFA) is one of the most important security controls, topping most lists of cyber hygiene activities advocated by experts. While the security benefits may be substantial, less attention has been paid to the impact on users by the added friction introduced by the more stringent precautions. In this paper, we construct and analyze a dataset of authentication logs from a University population spanning two years. We focus on opportunity costs experienced by users: (1) log-in failures and (2) the time spent away from IT applications following a failed authentication before attempting to re-authenticate. The second measure captures how user frustration can manifest by avoiding or delaying future engagement after experiencing failures. Following an exogenous change in MFA policy from a deny/approve mobile notification to a more cumbersome two-digit code mobile notification confirmation, we show that there are significant increases in the number of log-in failures and in time spent away following failures when using mobile MFA. We also briefly examine which types of users had the greatest difficulty adjusting to the more secure mobile MFA procedure. 

Cybersecurity risk presents a significant and growing challenge for firms. Understanding better how firms are defending themselves can help answer important questions about which controls are more effective and whether firms are investing enough in their defenses. Unfortunately, data on firm-level cybersecurity investments have been difficult for researchers to obtain at large scale. This paper describes a method for constructing firm-level cybersecurity posture metrics by aggregating a selection of data on security products tracked in the SWZD Company Information database. Our exploratory analysis demonstrates this dataset's value in enriching cybersecurity research, offering novel perspectives that could shape sector-specific best practices and enable empirical evaluation of security controls.