The trust in Password manager adoption intention among young adults

By César Barreto

Username and password have long been used as a form of authentication, and
despite all the known issues with passwords, it's still the primary option.
Cybersecurity experts advise users to create passwords that are difficult to
guess and not be reused across different accounts. Other recommendations
include changing passwords at regular intervals and not writing down or storing
them on users' phones or computers. These tips, when recommended together,
put users in a sticky situation. Passwords that are hard for attackers to guess
can also be hard for users to remember. As the number of accounts grows, as
is the case today, users must create and remember many more passwords than
ever before. The situation is made even more difficult when users are required
to change their passwords at regular intervals of time and not write them down
anywhere. Together, all of this creates a huge cognitive load for users. This can
lead users to create weaker passwords that are easy to remember and reuse
them across different accounts, creating problems in terms of cybersecurity.

Cybersecurity and trust

In practical and operational terms the cybersecurity experts recommend

password managers as a solution to the aforementioned problems. A password
manager is a tool or software that eases the cognitive load on users of creating
and remembering many unique credentials, such as usernames and
passwords, by automatically creating, storing, and completing required
credentials when needed. Create unique and strong passwords based on
desired rules, such as length, type of characters, and any other special
attributes, for each account. Password managers are actually one of the most
applied measures among cybersecurity experts, however, password managers
have not achieved the same popularity among regular end users. For example,
in 2015, when password managers were one of the top 5 measures applied by
cybersecurity experts, it was found that only 24% of regular users used a
password manager. The situation seems even worse today, as recent studies
comparing the security practices of cybersecurity experts and users show that
only 3% of respondents use a password manager.

To understand the reasons for the unpopularity of password managers among

users, studies have been conducted to identify the factors that prevent users
from using a password manager. Among the handful of available studies
focused on regular end users, trust has been found to be one of the top reasons
password management apps are not adopted. Cybersecurity researchers
determined the factors that drive the adoption of password managers and found
that trust has a positive impact on the intention to adopt password managers, as
studies found that people do not adopt a password manager due to lack trusted.
Therefore, trust has been suggested as the first step to increase the adoption of
password managers. While trust has been found to be an important factor in
password manager adoption, how trust can be established has not yet been
investigated. For this, it is crucial to understand the factors that improve trust
and favor their relationships with adoption, this came to the conclusion that the
basis to stimulate trust is to work on what is called "Initial Trust".

Trust as a consequence of security

Trust is not decreed, it is built, therefore it is a complex phenomenon, and in

order to establish trust between an individual and an artifact, it is crucial to
understand how trust is initiated and therefore how it is built and how it can be
improved. . If security results in trust, then it can be inferred that cybersecurity
results in cybertrust. Cybersecurity experts have shown that trust is built in
phases. the trust-building process begins when people come across an
unknown artifact. This initial phase is called Initial Trust, which is affected by
institutional, personal and environmental factors. Once initial trust is
established, people go through a personal experience, try the artifact, and then
decide to accept or reject it. Therefore, the trust that is established after the use
of an artifact is different from the initial trust that is established before the use of
an artifact. That is, initial trust plays a crucial role in building trust between a
user and an artifact, which can be a service, an application, or a piece of
software. Therefore, we argue that initial trust formation is more relevant to
understand in the context of password managers. The analytical understanding
of this phenomenon contributes to the fact that the phrase that says "The first
impression must be good for there to be acceptance by the receiver" is a
universal rule.

The scientific community of cybersecurity has now reconigzed that any

manufacturer of a password manager must consider the following: Initial
Confidence Model; ITM. In their work they described the three forces that affect
initial trust: 1) Personal, 2) Institutional and 3) Environmental. The Personal is
related to the user, among which the personal propensity to trust significantly
affects the initial trust. Regarding the Institutional, it refers to the size, capacity,
integrity, role in the market, benevolence, reputation and/or the brand can also
affect the perception of the services or products of an institution by the user.
And in terms of the Environment, they highlight structural safety and improve
the reliability of the service. The structural guarantees include the availability of
service guarantees, privacy policies, recognition and endorsement of third
parties. Based on the above, all companies that manufacture a password
manager must base it on the ICM philosophy.

ICM Philosophy

1) Personal propensity to trust reflects an individual's tendency to trust others in

various situations. This tendency is part of a person's personality and develops
during the early stage of a person's life. The propensity to trust takes two forms:
faith in humanity and trust posture. In the first form, a person believes that
people are trustworthy, and the second form describes a person's belief that
they will be better off considering people to be trustworthy, so it is suggested
that the personal propensity to trust managers of passwords will represent the
degree to which people have a trustworthy posture towards password
managers, that is, the personal propensity to trust will affect the initial trust in
the password manager and the structural guarantees, in general, are the
guarantees, for example, promises, contracts, regulations or guarantees,
provided by the institutions to their clients. In a technological context, these
safeguards are encryption, secure processes and procedures, third-party
certifications, and the feedback mechanism. In the case of password managers,
users care about their data and look for guarantees like the ones mentioned
above.

2) As for the structural guarantees, these will affect the initial trust in the
password manager through the quality of service that cannot be determined
without previous experience. In this situation, when an individual has no prior
experience, referrals and word of mouth are the channels that influence an
individual's perceptions. Individual perceptions are also affected by institutional
signals. A good reputation is a guarantee of a company's integrity and goodwill,
increasing the trust of potential customers even when they have no prior
experience with the service provider and reducing uncertainty and risks
associated with the application. The reputation of the company of the password
managers will have a significant influence on the initial trust related to the
password managers, so the reputation of the company will positively affect the
initial trust in the password managers; the initial trust reduces uncertainty and
the risk and establishes a connection that leads to the use of a new application.
Both perceived usefulness and initial trust affect behavioral intention. Therefore,
the environmental factors and institutions that generate password manager
products are closely related, and are entirely dependent on the service provider
and not the user.

Current conception of initial trust for cybersecurity

In 2021, a prestigious group of cybersecurity experts from Finland's Turku

University conducted a study on initial trust formation in the context of password
managers and how initial trust relates to password manager adoption
intention. . Data collected from 289 young adults in Europe (18-35 years old).
The analysis was mainly carried out using Structural Structure Models (SEM) in
SmartPLS3.2 and with the support of SPSS v25.0. The results showed that the
structural security and the reputation of the company play an important role in
the initial formation of trust, but not the Personal Propensity. In conclusion, it is
the last two factors: Institutional and Environmental that affects initial trust, that
is, the intention of users to adopt a password manager.

The experts from Turku University together with other researchers, philosophers
and cybersecurity experts indicate that there are still factors in the initial trust in
password managers, so much remains to be studied in this regard, for example,
it would be interesting to see the role of passwords. social norms in the
background of adoption and initial trust of the password manager. In addition,
the studies may also consider other factors that may play an important role in
the initial formation of trust, one of those factors being the knowledge of
password managers. Awareness has been found to be a driving force in
learning the skills necessary to execute a certain type of behavior, as well as
gender, as the female gender has been found to be more demanding in
adopting initial confidence than the male gender. , and younger women are
even more demanding than younger women. So, in this area, there is still a lot
to study.

Conclusion

Stimulating the initial trust in Users with respect to password managers is

related to the adoption intention of the password manager and the acceptance
of Technology. For this, password manager developers must have a solid
reputation and guarantee users structural assurance of software, both of which
play an important role in the initial formation of trust. If both aspects are
considered by the manufacturer, the intention of adopting password managers
by users will guarantee.