
Reasons for non-compliance with mandatory information assurance policies by a trained population

Posted on: 2015-07-05
Degree: D.Sc
Type: Dissertation
University: Capitol Technology University
Candidate: Shelton, D. Cragin
Full Text: PDF
GTID: 1478390017995492
Subject: Information Technology
Abstract/Summary:
Information assurance (IA) is about protecting key attributes of information and the data systems. Treating IA as a system, it is appropriate to consider the three major elements of any system: people, processes, and tools. While IA tools exist in the form of hardware and software, tools alone cannot assure key information attributes. IA procedures and the people that must follow those procedures are also part of the system. There is no argument that people do not follow IA procedures. A review of the literature showed that not only is there no general consensus on why people do not follow IA procedures, no discovered studies simply asked people their reasons. Published studies addressed reasons for non-compliance, but always within a framework of any one of several assumed theories of human performance. The study described here took a first small step by asking a sample from an under-studied population, users of U.S. federal government information systems, why they have failed to comply with two IA procedures related to password management, and how often. The results may lay the groundwork for extending the same methodology across a range of IA procedures, eventually suggesting new approaches to motivating people, modifying procedures, or developing tools to better meet IA goals.

In the course of the described study, an unexpected result occurred. The study plan had included comparing the data for workers with and without IA duties. However, almost all of the respondents in the survey declared having IA duties. Consideration of a comment by a pilot study participant brought the realization that IA awareness programs emphasizing universal responsibility for information security may have caused the unexpected responses. The study conclusions address suggestions for refining the question in future studies.

Keywords: information assurance, cyber security, compliance, systems engineering, self-efficacy, password.
Keywords/Search Tags: Information, Assurance, IA procedures, Systems, Reasons