Cultural and Psychological Factors in Cyber-Security

Journal of Mobile Multimedia, Vol. 13, No.1&2 (2017) 043-056
© Rinton Press
TZIPORA HALEVI, NASIR MEMON, JAMES LEWIS
New York University, Brooklyn, NY, USA
thalevi@nyu.edu, memon@nyu.edu, jpl366@nyu.edu
PONNURANGAM KUMARAGURU, SUMIT ARORA, NIKITA DAGAR
Indraprastha Institute of Information Technology, New Delhi, India
pk@iiitd.ac.in, sumitaror@gmail.com, nikita09030@iiitd.ac.in
FADI ALOUL
American University of Sharjah, Sharjah, UAE
faloul@aus.edu
JAY CHEN
New York University, Abu Dhabi, UAE
jay.chen@nyu.edu
Increasing cyber-security presents an ongoing challenge to security professionals. Research continuously
suggests that online users are a weak link in information security. This research explores the relationship
between cyber-security and cultural, personality and demographic variables.
This study was conducted in four different countries and presents a multi-cultural view of cyber-security.
In particular, it looks at how behaviour, self-efficacy and privacy attitude are affected by culture compared
to other psychological and demographics variables (such as gender and computer expertise). It also
examines what kind of data people tend to share online and how culture affects these choices.
This work supports the idea of developing personality based UI design to increase users’ cyber-security.
Its results show that certain personality traits affect the user cyber-security related behaviour across
different cultures, which further reinforces their contribution compared to cultural effects.
Key words: Cyber-Security, Culture, Personality Traits, Privacy, Human Factors
1 Introduction
Online threats continue to be a growing concern. Current systems are designed for the general
audience, without regard to differences in its users’ personalities. This work suggests approaching
applications and system design from a user-targeted perspective. In particular, understanding the factors
that contribute to secure online behaviour is an important step towards creating such tailored defence
systems. This research looks at cyber-security behaviour, users’ self-efficacy (confidence in their
ability to mitigate cyber-security risks) and privacy attitude. It examines the relationship between
these variables, culture, personality traits and demographic variables (such as gender and computer
expertise). It includes participants recruited from four countries and provides a diversified view into
the predictors of the examined cyber-security related variables.
The questions this study attempts to answer are the following:
• Is it possible to create a model for participants’ secure behaviour, self-efficacy and
privacy attitude that is based on the users’ culture as well as personality?
• How do other factors, such as gender, risk perception and computer expertise, affect
those parameters?
• How much does culture affect online privacy, sharing of personal information and trust?
1.1 Motivation
Cyber-security threats have been expanding, resulting in a growing number of successful attacks. A
recent analysis by Verizon has shown that roughly 90% of successful data breaches were due to users
choosing weak or default passwords [14]. The number of attacks from infected websites has also
grown significantly in the last few years (< 1 million attacks according to Kaspersky Lab data [13]).
Social engineering scams are based on targeting and manipulating potential victims by appealing
to specific human weaknesses. A similar approach also exists for cyber-attacks, ranging from phishing
emails [10] to malware attacks [16]. This work makes the argument that the next step in improving
overall cyber-security needs to take into account the personality attributes of online users that
contribute to the users’ decision making under uncertainty. Another factor that may be considered for
improving cyber-defences is system and software localization. Cultural differences have been shown to
affect decision making [4], and examining how these factors affect cyber-security may help improve
the future design of cyber-security defences.
The remainder of the paper is organized as follows: The proposed approach, paper contributions
and an overview of related work are presented in Sections 2, 3, and 4. The experiments are defined in
Section 5, followed by the results (Sections 6, 7, and 8). The paper concludes with Section 9.
2 Related Work
Recently, studies began to look at the relationship between decision making, user behaviour and
personality traits.
Studies by Nov et al. [17, 18] examined the relationship between certain personality traits and the
participant’s response to UI technical cues. The studies make the case that a personality driven UI
design can be more effective than a standard design that targets equally the entire user population. In
[12], Kajzer et al. examined the effectiveness of security awareness message themes on participants
with different levels of personality traits, finding that certain traits make individuals more receptive to
security awareness messages.
Another study by Chen et al. [3], looked at how users make decisions involving computer security
and risks. It also looked at the contribution of culture, and found that both computer skills and culture
have an effect on decision making when asked to assess taking computer security risks vs. monetary
rewards.
Slovic et al. [20] considered the perception of risk and how it affects the individual’s fear and
reaction to certain events. They show that different parts of the population perceive the risks for
specific events differently, based on their familiarity with the events and their overall education. In
[24], Sleeper et al. studied how users’ desire for behaviour change on social networks can help design
tools for helping users achieve these goals.
Hofstede [1] conducted research into the role of culture across different facets, including
uncertainty avoidance in the workplace. While India and USA rank in the lower half, Ghana and the
UAE rank in the upper half for this model. People with high uncertainty avoidance may put a higher
value on maintaining good security practices and avoid behaviour that may seem risky.
Other studies that compared attitudes in different cultures include a study by Shea [11], that
compared the attitude towards right to privacy in India and US. As the study pointed out, India is a
collective society, and therefore Indians tend to be more trusting of one another. As a result, a
significantly larger percentage of US respondents were concerned with ID theft, compared with a much
smaller percentage of Indian respondents. In addition, [22] and [19] studied different aspects of privacy
attitudes in India and US and found that USA and Indian participants have different views and
concerns. These studies indicate that while multiple cultures may exist in a single country, the
differences between those countries are still worth exploring as a whole. In particular, it may result in
valuable findings that can be used for future deployment of intercultural systems.
Gender has been studied as a factor in the privacy attitude of Facebook users by Mathiyalakan et al.
[21], who found differences between their perception of Facebook privacy and overall internet privacy.
In [9], differences were also found related to phishing responses. These studies show that gender may
indeed play a factor toward both cyber-attitude as well as online behaviour. In [8], differences between
CS professionals and other study participants were also found to be related to willingness to share
fingerprints with online entities, suggesting this may also be a contributing factor in cyber-security
related decisions.
3 Overview of Contributions
This research examines the factors that affect different security and privacy-related variables: attitude,
behaviour and self-efficacy. It took place in a few different countries: US, India, UAE and Ghana. This
study shows that while culture is a predictor of privacy attitude, it does not significantly predict self-
efficacy and computer secure behaviour. It detected a limited correlation between security behaviour,
self-efficacy and privacy attitude, and found that personality and demographics variables (including
gender and computer expertise) affect each of those parameters differently. These findings support the
notion that cyber-design should consider the user personality when designing defence systems, as
personality traits were found to be a significant factor in predicting the user behaviour across the
different cultures. This work also explores cultural and gender-based differences in online activities,
showing that certain activities are more common in certain cultures. One of its findings is that different
levels of gender-based self-efficacy exist in different countries.
4 The Proposed Approach
The main challenge in defining a new framework for researching human-behaviour is creating a model
that can be used to assess the relevant aspects. This research starts by defining a few variables. These
variables are related to both handling cyber-security threats as well as ‘routine’ security behaviour.
Another aspect that is of interest is the attitude towards privacy. Since the internet poses a large risk to
the personal privacy of its users, examining how their attitude relates to their behaviour is an important
factor.
To assess the variables that affect human behaviour, this research adopts the Big-Five Framework,
which has been shown to provide a sturdy model of human response and attitude towards encountered
events. Another factor that is examined is risk perception, measured through the availability heuristic,
which was shown by Tversky & Kahneman [25] to influence decision making under uncertainty.
Lately, Schneier [23] has further pointed to the fact that the availability heuristic leads to allocating
resources for dealing with specific threats that are not proportional to the consequences (and level of
damage) of those threats. General computer expertise was also added as a variable - as it was shown to
neutralize the influence of other effects in experts [6]. This variable is measured through examining
participants who major in computer science vs. the other participants. The approach can be viewed in
Figure 1.
Figure 1: The proposed approach: The input parameters are the personality traits, gender and culture. The output parameters are
cyber-security behaviour, self-efficacy and privacy attitude.
4.1 Cybersecurity and Privacy Framework
Three variables were chosen to match the study objectives. Following are their conceptual definitions:
• Secure Behaviour: This parameter measures the secure behaviour of users online.
• Self-Efficacy: This parameter measures the user’s confidence in his ability to mitigate
cyber-security risks.
• Privacy Attitude: This parameter measures how dangerous the users feel it is to share
information online.
4.2 Big Five Framework
Personality is a consistent pattern of how people respond to stimuli in their environment and their
attitude towards different events. The five factor model of personality assessment is currently one of
the most widely used multidimensional measures of personality [15]. Its goal is to encapsulate
personality into five distinct factors which allow a theoretical conceptualization of people’s
personality. These dimensions are Neuroticism, Extroversion, Openness, Agreeableness, and
Conscientiousness. Following is a short description of the five traits:
• Neuroticism: Neuroticism indicates a tendency to experience negative feelings that
include guilt, disgust, anger, fear and sadness.
• Extroversion: Extrovert people are more friendly and outgoing and interact more with
the people around them.
• Openness: Openness indicates the willingness to try new experiences. Openness is also
sometimes referred to as ‘intellect’ and is indicative of general intelligence.
• Agreeableness: Agreeable people are co-operative, kind, eager to help other people and
believe in reciprocity. They tend to trust other people and believe they are honest and
decent.
• Conscientiousness: Conscientious people have high self-control and are more organized.
They are typically purposeful, strong-minded and tend to be dependable and
hardworking.
One of the most widely used measures of this five factor model is the NEO-PI FFM test [5]. This
is a short 60-question survey developed by Costa and McCrae that allows for relatively quick,
reliable, and accurate measurement of participants’ personality across these five major dimensions. The
framework has been identified as a robust model for understanding the relationship between
personality and various academic behaviours. This research sets out to examine if this relationship extends
to online security and privacy-related behaviour.
5 Overview of the Surveys
5.1 Methodology
This study took place in four countries: United States, India, UAE (Sharjah) and Ghana. There were
154 participants in the United States, 100 participants in India (3 were removed due to partial responses so
only 97 results were used), 325 from the UAE and 42 from Ghana. The participants were asked to fill
out a survey. In the United States, a $10 gift certificate was promised to participants who completed the
survey. In India and Ghana, a small compensation was also provided to participants. In the UAE, all
the participants were entered in a raffle to win an iPad.
The survey was hosted on the SurveyGizmo site. Participants were provided the link to the
questionnaire. The questionnaire allowed users to stop and go back to the study at a later date.
5.2 Survey
The survey included a demographics questionnaire (such as age, gender, ethnic background, study
major etc.). The survey also included the 60-question NEO-FFM five-factor personality traits survey.
Survey instruments were created for this study to measure the risk perception variable
(Availability) and the cyber-security variables. The study constructs are provided in [2]. For the self-
efficacy and the cyber-secure behaviour, the overall variable was calculated as the sum of all the
response values in each construct.
5.2.1 Cyber-Security Constructs - Reliability Test
The constructs created for the cyber-security behaviour and the self-efficacy included multiple
questions. To measure the self-efficacy the survey asked a series of questions that relate to different
risks online, such as viruses, social engineering attacks, internet attacks and fraudulent requests for
money. A reliability analysis was performed on the questionnaire results, which produced a
Cronbach’s alpha value of 0.956, indicating a very high level of internal consistency for this construct.
To measure cyber-security behaviour, the survey included questions related to types of data
disclosed online, download practices (how often do users download data from unknown sites),
password changing frequency, choices of passwords (hard passwords vs. regular passwords) and
downloading practices. A reliability analysis was performed on this construct as well, producing a
Cronbach’s alpha value of 0.611, which indicates a medium-high level of internal consistency for this
construct.
The self-efficacy and the cyber-security behaviour were the only constructs that included multiple
questions created especially for this study and therefore were tested for reliability (see [2] for the full
study). Their relatively high value suggests that these studies indeed were able to measure the intended
facets, while providing stable and consistent results.
5.3 Pre-Processing
The goal of this study is to look at the relationship between overall levels of human behaviour in
cyber-security, self-efficacy, privacy attitude and the different input variables. To achieve this, and
reduce the effect of noise on the output parameters – the cyber-security self-efficacy, behaviour and
privacy attitude variables – the participants were divided into two groups for each variable. Each group
included participants with either a high or a low level of the corresponding traits (the groups were
divided using the mean of each parameter).
As part of the input variables a ‘CS major’ variable was created (to mark if the study major was
CS). This included participants that studied both computer science as well as computer engineering
(the responses did not include any participants who stated their major as ‘information system’ or
‘MIS’, nor any other participants who were computer professionals, who would have also qualified to
be considered to be in this group). For the countries, nominal values were defined. All of the input
parameters were normalized between 0 and 1. The calculations were carried out using the SPSS software.
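The reliability test of Section 5.2.1 and the pre-processing steps of Section 5.3, worked through as an added example; this is not the authors' code (the study used SPSS). The response matrix is constructed, and counting a score exactly equal to the mean as "high" is an assumption, since the paper does not say how ties were handled.

```python
from statistics import mean, variance

# Constructed Likert-style responses (rows = participants, columns = items
# of one construct). Not data from the study.
RESPONSES = [
    [1, 2, 1],
    [2, 2, 3],
    [3, 4, 3],
    [4, 4, 5],
    [5, 5, 5],
]


def cronbach_alpha(rows):
    """Cronbach's alpha = k/(k-1) * (1 - sum(item variances) / variance(totals))."""
    k = len(rows[0])
    if k < 2 or len(rows) < 2:
        raise ValueError("need at least two items and two participants")
    if any(len(r) != k for r in rows):
        raise ValueError("every participant must answer every item")
    item_vars = [variance(col) for col in zip(*rows)]
    total_var = variance([sum(r) for r in rows])
    if total_var == 0:
        raise ValueError("total scores have zero variance; alpha is undefined")
    return k / (k - 1) * (1 - sum(item_vars) / total_var)


def construct_scores(rows):
    """Overall construct value: the sum of a participant's responses."""
    return [sum(r) for r in rows]


def mean_split(scores):
    """1 = high group, 0 = low group, split at the sample mean.

    Assumption: a score exactly equal to the mean counts as high.
    """
    m = mean(scores)
    return [1 if s >= m else 0 for s in scores]


def min_max(values):
    """Rescale to [0, 1]; a constant column maps to all zeros."""
    lo, hi = min(values), max(values)
    if hi == lo:
        return [0.0 for _ in values]
    return [(v - lo) / (hi - lo) for v in values]


if __name__ == "__main__":
    scores = construct_scores(RESPONSES)
    print("alpha      :", round(cronbach_alpha(RESPONSES), 3))
    print("scores     :", scores)
    print("high/low   :", mean_split(scores))
    print("normalized :", [round(v, 3) for v in min_max(scores)])
```

Alpha approaches 1 when the items move together across participants and drops as they diverge, which is the sense in which the 0.956 and 0.611 values above are read as internal consistency.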
6 Factors that Influence Security and Privacy
6.1 Relationship Between the Variables
Security Parameters:
Examining the correlation between the variables, this study finds that while secure behaviour and self-
efficacy are correlated, the correlation is only moderate. It also finds that privacy attitude has low
correlation to the other two variables. This suggests that different factors contribute to the ability to
predict behaviour of subjects, ability to handle security-related activities and the user’s privacy
attitude.
** - Correlation is significant at the 0.001 level (2-tailed).
Table 1: Correlation between Cyber-security variables. There is a medium correlation between self-efficacy and secure
behaviour. There is no significant correlation between privacy attitude and the other tested variables.
Gender and Major:
The statistics for this study showed that (for its participants) there was no correlation between being a
CS major and gender. Overall, 23% of the participants were CS major (24% of the men and 21% of the
women). When calculating the correlation, these variables were found to be statistically independent.
Major and Personality Traits:
The only correlation found between those variables was a low negative correlation (-0.093) between
conscientiousness and computer science major (with p < 0.05). Overall, this study suggests that being
a computer science major student is not significantly correlated to conscientiousness.
6.2 What Contributes to Secure Behaviour, Self-efficacy and Privacy Attitude?
To examine the contribution of the different factors, a binary logistic regression was performed on the
normalized variables. The impact of each of the independent variables was tested on each of the three
security-defined parameters.
The personality traits of extraversion and agreeableness were not found to be significantly
correlated to any of the variables and were removed. The results appear in Tables 2, 3 and 4 (all of the
three models are statistically significant at p < 0.001).
Following are observations for the study findings:
• Culture: Culture was found to be a significant predictor of privacy attitude. It had a low
effect on behaviour (at p < 0.1), and was not a predictor of self-efficacy. This shows that
while culture does affect privacy attitude, global factors may contribute more to
behaviour and self-efficacy.
• Personality Traits: Conscientiousness was found to be a significant predictor of
behaviour. This indicates that hard-working and detail-oriented participants also tend
to be more secure in their online behaviour. Openness to experiences, which also
indicates intelligence, was found to be a strong predictor of self-efficacy. On the other
hand, Neuroticism was found to be inversely correlated to self-efficacy (at p < 0.1). This
shows that emotional stability (the inverse of Neuroticism) can predict a positive
self-efficacy. Personality traits were not found to significantly predict privacy attitude,
showing that culture, demographics and risk perception tend to predict user’s privacy
attitude.
• Risk Perception: Risk perception predicts both secure behaviour as well as self-efficacy.
This suggests that people who have higher risk perception and are familiar with
previous attacks may be likely to practice secure behaviour and develop a higher
confidence in their ability to mitigate security risks. Participants with higher risk
perception were also found to have higher privacy attitude.
• Gender: Gender was found to be a strong predictor of self-efficacy, with men feeling
more confident in their ability to mitigate cyber-security risks. However, it was not found
to be a strong predictor of behaviour. Gender was also found to be an inverse predictor of
privacy attitude, which indicated that men perceived having a higher privacy attitude
online.
• CS Major: Studying CS was found to be a significant predictor of both secure behaviour
and self-efficacy, with a higher effect on self-efficacy. However, it was not found to be
correlated to privacy attitude.
* p ≤ 0.05, ** p ≤ 0.01, *** p ≤ 0.001
Table 2: Logistic Regression of Secure Behaviour Variable. Conscientiousness is the major factor for predicting secure
behaviour. Other predictors of secure behaviour are previous exposure to vulnerabilities and being a CS major.
6.2.1 Discussion
Culture was found to be a predictor of privacy attitude, but only had low effect on behaviour and was
not found to predict self-efficacy. This supports the idea that cyber-security defences can be developed
globally and may consider to a large extent other variables, such as personality and demographics
variables.
* p ≤ 0.05, ** p ≤ 0.01, *** p ≤ 0.001
Table 3: Logistic Regression of Cyber-security self-efficacy. Openness is the major factor. Other factors that affect self-efficacy
are gender as well as being a CS major.
* p ≤ 0.05, ** p ≤ 0.01, *** p ≤ 0.001
Table 4: Logistic Regression of Privacy Attitude Variable. Culture is the largest predictor of privacy attitude, as well as gender
and risk perception (knowledge of previous cases of internet misuses). Personality parameters were not found to be significant
predictors of this variable.
When examining the contribution of the personality traits to predicting the cyber-security related
variables, openness was found to be a higher predictor of self-efficacy related to handling security than
for secure behaviour. However, it is a significant factor for both (at p < 0.1). While openness has been
previously shown to be a major contributor to academic achievement [26], this study showed it may
also contribute to secure behaviour and confidence. Another personality factor, conscientiousness, is
shown to be a strong predictor of behaviour but not of self-efficacy. On the other hand, emotional
stability (the inverse of neuroticism) was found to be a predictor of self-efficacy (at p < 0.1), but did
not significantly predict the participant’s behaviour. These differences may suggest potential reasons
for the limited correlation between behaviour and self-efficacy.
Major and gender also had different effects on those variables, with men found to be more
confident about their abilities to solve security-related issues. Being a CS major is also a major
contributor to self-efficacy. However, the major has a much smaller contribution to the behaviour of
the participants, while the gender does not have significant contribution. This shows that while
education affects significantly the self-efficacy related to handling different vulnerabilities and events,
it may affect less the daily overall online users’ behaviour. Also, while women are less confident of
their abilities, there is no significant difference in their actual cyber-security behaviour.
One of the study limitations is due to the fact that most of the participants in it were students (90%
of the participants). Therefore future studies are recommended that will use different demographics,
which may be able to detect additional factors relating to profession and security attitude.
Risk perception was found to be a significant factor for all the parameters. This shows that
computer users who are familiar with previous attacks tend to be risk averse and will put a higher
priority on security and privacy.
Overall, these results suggest that personality and risk perception are important factors in
behaviour and therefore understanding them can help improve system design targeted at increasing the
secure behaviour of online users.
7 Cultural Differences – Self-Efficacy and Gender
This study further examines the relationship between culture, self-efficacy and gender. To study those,
self-efficacy was examined as a function of both culture and gender simultaneously.
While culture was not found to be a significant predictor of cyber-security-related self-efficacy in
this study, gender-based differences related to self-efficacy were found between the countries. Since
the Ghana study only included six women (and thirty-six men), the Ghana data was excluded for this
part of the study, and only the US, UAE and India data was used. This study found that in the United States,
self-efficacy difference is larger between the genders compared to participants from UAE and India.
The results can be seen in Table 5 and Figure 2. These findings show that cyber-security risks are
perceived similarly to other offline risks. In [7], Finucane et al. state that ‘risks tend to be judged lower
by men than women and by white people than by people of colour’. This study finds that self-efficacy,
which is the perceived ability to handle those risks, is higher on average for US men relative to all
the other participants. This is a preliminary finding (due to the relatively limited number of participants
from each country) and would be interesting to study in a larger diversified population in the future.
Table 5: Comparison of the mean values of self-efficacy as related to gender and culture. This study showed that in the USA, the
difference was the largest as a factor of gender, followed by UAE and India
8 Online Information Sharing Across Different Cultures
This study further examined different online activities across cultures. To that end, the participants
were asked about the type of personal information that they tend to share online. Overall, US
participants were found to share more information online than participants from other countries (See
Table 6). This study also shows that while online banking is popular in the US, it is still less popular in
other cultures. As the trend of online banking grows, this may also raise the potential for online attacks
in new regions.
Figure 2: Security-related self-efficacy as a function of culture and gender. This study shows that gender has a higher effect on
the self-efficacy level in the United States (represented by the red line) and a lower effect in India (green line) and UAE (blue
line)
Table 6: Comparison of the mean values of online information sharing parameters across the different locations. People in USA
are the most trusting, while people in Ghana are the least trusting, with the other countries in between.
Surprisingly, the participants from the United States were found to be more comfortable sharing their
mother’s maiden name online than the participants from the other countries, even though this data is
often used as a form of identification when contacting US banks and financial institutions. Another
finding is that birth-date was not viewed as very sensitive data. This is especially true in UAE, where
participants indicated most would be willing to share it online.
Birth-date, address and workplace variables were found not to be statistically correlated to culture.
Sharing credit card and medical information were found to be correlated with culture, as well as online
banking (at p < 0.05). The highest correlation to culture was storing credit card information (r = 0.42),
followed by sharing credit card information (r = 0.39). Mother’s maiden name, medical information
and online banking had lower significant correlation, with (r = 0.2, p < 0.01). It was interesting to see
that USA participants were less private than their counterparts regarding sharing of credit card
information. This is likely due to the insurance that US credit card companies provide to their users.
However, the fact that those people on average share their mother’s maiden name more than their
credit card information was unexpected, as this data can be used for authentication. Similarly, the
general high level of sharing of birth-date (which was higher than credit card information sharing in all
countries) is also surprising and may lead to identity theft. This implies that participants do not
distinguish between data that can be changed (such as credit card information, which can be changed
by cancelling the card) and permanent data (such as birth date and mother’s maiden name). These
findings suggest it may be beneficial to educate customers about the risks in revealing different types
of data, emphasizing the potential dangers in sharing permanent data online, raising participants’
sensitivity to this behaviour.
9 Conclusions and Future Research
This research presents the idea of creating a framework for characterizing participants’ cyber-security
behaviour that takes into account the culture and user personality. To explore this idea, it develops
instruments to measure the participants’ routine cyber-security behaviour and their self-efficacy in
handling security-related threats online and examines the factors that affect those measured
parameters.
This is the first study that the authors are aware of that looks at the contribution of culture vs.
personality on users’ cyber-security behaviour, self-efficacy and privacy attitude. It shows security
trends in different countries.
This study found that while culture significantly predicts privacy attitude, security-related
behaviour and self-efficacy were not affected significantly by this variable. While there are differences
in online behaviour, other factors, such as specific personality traits, demographics and education are
better predictors of security behaviour and self-efficacy. Another observation was that gender affects
participants’ self-efficacy, with men having higher confidence in their abilities. The largest difference
based on gender was found in the US. However, gender was not found to significantly affect the
security-related behaviour of the participants.
The findings suggest certain trends in security behaviour and perception, which support taking a
global approach for developing security-related systems, geared towards the personality characteristics
and demographic information of the users. They further suggest that cross-cultural research may be
beneficial as different countries share similar concerns regarding cyber-security. Future work should
concentrate on presenting specific design interventions based on the users’ personality traits and their
risk perception and explore how those may help increase users’ secure behaviour online.
Acknowledgements
This work was supported in part by the NSF (under grant 0966187). The views and conclusions
contained in this document are those of the authors and should not be interpreted as necessarily
representing the official policies, either expressed or implied, of any of the sponsors. The authors
would also like to express their thanks to all members of Precog research group at IIIT - Delhi.
References
1. Strategy-culture-change. Available at: https://geert-hofstede.com/countries.html.
2. Survey Instrument. Available at: http://bit.ly/1Y3jDpc.
3. L. Chen and D. Farkas, “An Investigation of Decision-Making and the Trade-offs involving
Computer Security Risk,” Proc. of the Americas Conference on Information Systems, 2009.
4. P. Chua, E. Spiresa, and T. Sueyoshi, “Cross-Cultural Differences in Choice Behaviour and Use of
Decision Aids: A Comparison of Japan and the United States,” Organizational Behaviour and
Human Decision Processes, pp147–170, 1999.
5. P. Costa and R. McCrae, “NEO PI-R professional manual,” Psychological Assessment Resources,
FL, 1992.
6. B. Englich and K. Soder, “Moody experts - How mood and expertise influence judgmental
anchoring,” Judgment and Decision Making, 4(1), pp41 – 50, February 2009.
7. M. Finucane, P. Slovic, C. Mertz, J. Flynn, and T. Satterfield, “Gender, Race, and Perceived Risk:
The ’white male’ Effect,” Health, Risk & Society, 2(2), pp159–172, 2000.
8. T. Halevi, T. Kuppusamy, M. Caiazzo, and N. Memon, “Investigating users’ readiness to trade-off
biometric fingerprint data,” IEEE Intl. Conf. on Identity, Security and Behaviour Analysis, 2015.
9. T. Halevi, J. Lewis, and N. Memon, “A pilot study of cyber security and privacy related behaviour
and personality traits,” Proc. of the Int. Conf. on World Wide Web Companion, pp737–744, 2013.
10. M. Jakobsson and S. Myers, “Phishing and Countermeasures: Understanding the Increasing
Problem of Electronic Identity Theft,” Wiley-Interscience, 2006.
11. Jane Hill Shea, “Attitudes Toward Privacy: A Comparison of India and the United States,” 2007.
Available at: http://www.frostbrowntodd.com/resources-214.html.
12. M. Kajzer, J. Darcy, C. Crowel, and D. Bruggen. “An exploratory investigation of message-person
congruence in information security awareness campaigns,” Computers and Security, 43, pp64 –
76, 2014.
13. R. Lemos, “Kaspersky Security Bulletin, Overall statistics for 2013.” 2013. Available at:
https://www.securelist.com/en/analysis/204792318/Kaspersky_Security_Bulletin_2013_Overall_statistics_for_2013#07.
14. R. Lemos, “Targeted Attacks, Weak Passwords Top IT Security Risks in 2013”. Available at:
http://www.eweek.com/security/targeted-attacks-weakpasswords-top-it-security-risks-in-2013/.
15. R. McCrae and O. John, “An Introduction to the Five-Factor Model and Its Applications,” Journal
of Personality, 60(2), pp175 – 215, 1992.
16. Microsoft, “Zeroing In on Malware Propagation Methods,” Microsoft Security Intelligence
Report, 2011.
17. O. Nov and O. Arazy, “An Investigation of Decision-Making and the Trade-offs involving
Computer Security Risk,” Proc. of Conf. on Computer Supported Cooperative Work, pp977–984,
2013.
18. O. Nov, O. Arazy, C. Lopez, and P. Brusilovsky, “Exploring personality-targeted UI design in
online social participation systems,” Proc. of SIGCHI Conf. on Human Factors in Computing
Systems, pp. 361–370, 2013.
19. P. Kumaraguru, L. Cranor, and E. Newton, “Privacy Perceptions in India and the United States:
An Interview Study,” 2005. Available at:
http://precog.iiitd.edu.in/Publications_files/tprc_2005_pk_lc_en.pdf.
20. P. Slovic and E. Weber, “Perception of Risk Posed by Extreme Events,” Risk Management
Strategies in an Uncertain World, 2002.
21. S. Mathiyalakan, G. Heilman and S. White, “Gender Differences in Student Attitude toward
Privacy in Facebook,” Communications of the IIMA, 13(4), pp34 – 42, 2013.
22. S. Paril, A. Kosba, A. John, and D. Seligmann, “Comparing privacy attitudes of knowledge
workers in U.S. and India,” Proc. of Int. Conf. on Intercultural Collaboration, pp141–150, 2010.
23. B. Schneier, “Fear and the Availability Heuristic,” 2009. Available at:
https://www.schneier.com/blog/archives/2009/03/fear_and_the_av.html.
24. M. Sleeper, A. Acquisti, L. Cranor, P. Kelley, S. Munsonz, and N. Sadeh. “I Would Like To..., I
Shouldn‘t..., I Wish I...: Exploring Behaviour-Change Goals for Social Networking Sites,” Proc.
of ACM Conf. on Computer Supported Cooperative Work and Social Computing, pp1058–1069,
2015.
25. A. Tversky and D. Kahneman, “Judgment under Uncertainty: Heuristics and Biases,” Science
New Series, pp1124–1131, 1974.
26. A. Zuffiano, G. Alessandri, M. Gerbino, B. Kanacri, L. Giunta, M. Milioni, and G. Caprara,
“Academic achievement: The unique contribution of self-efficacy beliefs in self-regulated learning
beyond intelligence, personality traits, and self-esteem,” Learning and Individual Differences,
2012.
... This could be the case because healthcare staff with a high score of agreeableness characteristics tend to easily agree with cyber security education and training, enabling them to have low risk in ISK and ISA. This finding is in line with previous studies [73,74]. Conversely, the healthcare workers with a high risk score of conscientiousness showed higher ISCCB risk, which contrasts our hypothesis and previous studies [73,74]. ...
... This finding is in line with previous studies [73,74]. Conversely, the healthcare workers with a high risk score of conscientiousness showed higher ISCCB risk, which contrasts our hypothesis and previous studies [73,74]. Our assumption was that a higher score of conscientiousness would have translated into less risk of ISCCB. ...
... For instance, healthcare workers are social beings [76], who work with friends, family members, and other relations, which can have an impact on security measures. This expresses the need to consider social factors in an effort to estimate the security behavior of a hospital [13,20,41,73,74]. ...
Article
Recent reports indicate that over 85% of data breaches are still caused by a human element, of which healthcare is one of the organizations that cyber criminals target. As healthcare IT infrastructure is characterized by a human element, this study comprehensively examined the effect of psycho-socio-cultural and work factors on security behavior in a typical hospital. A quantitative approach was adopted where we collected responses from 212 healthcare staff through an online questionnaire survey. A broad range of constructs was selected from psychological, social, cultural perception, and work factors based on earlier review work. These were related with some security practices to assess the information security (IS) knowledge, attitude and behavior gaps among healthcare staff in a comprehensive way. The study revealed that work emergency (WE) has a positive correlation with IS conscious care behavior (ISCCB) risk. Conscientiousness also had a positive correlation with ISCCB risk, but agreeableness was negatively correlated with information security knowledge (ISK) risk and information security attitude (ISA) risk. Based on these findings, intrinsic and extrinsic motivation methods combined with cutting-edge technologies can be explored to discourage IS risks behaviors while enhancing conscious care security practice.
Preprint
Recent reports have it that over 85% of data breaches are still caused by the human element, of which healthcare is one of the suitable organizations mostly targeted by cybercriminals. The work of healthcare staff is often associated with high workloads, high emergency cases, and a broad range of psychological, social, and cultural factors. The significance of these factors could undermine conscious care information security (IS) practice leading to serious violations. This study comprehensively examined the correlation between the psycho-social-cultural factors, work factors with IS and privacy behaviour in a hospital that has fully adopted electronic health records (EHR) management system. The findings are to facilitate the decision-making process towards improving the cyber-security practice in healthcare. A quantitative approach was adopted where we collected responses from 212 healthcare staff through an online questionnaire survey. A broad range of constructs was selected from psychological, social, cultural perception and work factors based on earlier review work. These were therefore related to some security practices, to assess the IS knowledge, attitude and behaviour gaps among healthcare staff in a comprehensive way. From the study, IS self-reported conscious care behaviour (ISCCB) risk was relatively higher as compared to information security knowledge (ISK) risks and information security attitude (ISA) risk. Furthermore, the study revealed that work emergency has a positive correlation with ISCCB (r=1.95, p-value =0.001) risk. Conscientiousness also had positive correlation with ISCCB risk (r=0.157, p-value=0.05) however agreeableness negatively correlated with ISK risk (r=-0.166, p-value =0.05), and ISA risk (r=-0.140, p-value =0.05). Based on these findings, intrinsic and extrinsic motivation methods combined with cutting-edge technologies can be explored to discourage IS risks behaviours while enhancing conscious care security practice.
... We revise the state-of-the-art understanding about their relationships to social engineering attacks. (i) In terms of neuroticism, two studies suggest that a high neuroticism is associated with lower self-efficacy (i.e., user confidence to manage a cyber risk) [60] and increase one's susceptibility to phishing [58], but a study on phishing [29] suggests that a high neuroticism decreases one's susceptibility to phishing attacks. (ii) In terms of openness, one study [58] suggests that a high openness increases one's susceptibility to privacy attacks, but other studies [60,109] suggest a high openness reduces one's susceptibility to phishing attacks. ...
... (i) In terms of neuroticism, two studies suggest that a high neuroticism is associated with lower self-efficacy (i.e., user confidence to manage a cyber risk) [60] and increase one's susceptibility to phishing [58], but a study on phishing [29] suggests that a high neuroticism decreases one's susceptibility to phishing attacks. (ii) In terms of openness, one study [58] suggests that a high openness increases one's susceptibility to privacy attacks, but other studies [60,109] suggest a high openness reduces one's susceptibility to phishing attacks. (iii) In terms of extroversion, one study [89] suggests that a high extroversion increases one's susceptibility to phishing attacks, but another study [109] suggests that a high extroversion decreases one's susceptibility to phishing attacks. ...
... (iii) In terms of extroversion, one study [89] suggests that a high extroversion increases one's susceptibility to phishing attacks, but another study [109] suggests that a high extroversion decreases one's susceptibility to phishing attacks. (iv) In terms of consciousness, two studies [60,89] suggest that a high consciousness reduces one's susceptibility to phishing, but another study [59] suggests that a high consciousness increases one's susceptibility to targeted social engineering attacks. (v) In terms of agreeableness, two studies [29,34] show that a high agreeableness increases one's susceptibility to phishing attacks. ...
Preprint
Social engineering attacks are phenomena that are equally applicable to both the physical world and cyberspace. These attacks in the physical world have been studied for a much longer time than their counterpart in cyberspace. This motivates us to investigate how social engineering attacks in the physical world and cyberspace relate to each other, including their common characteristics and unique features. For this purpose, we propose a methodology to unify social engineering attacks and defenses in the physical world and cyberspace into a single framework, including: (i) a systematic model based on psychological principles for describing these attacks; (ii) a systematization of these attacks; and (iii) a systematization of defenses against them. Our study leads to several insights, which shed light on future research directions towards adequately defending against social engineering attacks in cyberspace.
... Traits such as neuroticism have been shown to negatively influence cyber security knowledge and self-efficacy, which may hinder proactive CSB (Halevi et al., 2016; Kelley, 2018; Semsek, 2011). Kelley's (2018) study found that neuroticism negatively correlated with semantic knowledge. ...
... The previously mentioned studies support the idea that neurotic users may push cyber security alerts to the side or give up all together in an effort to reduce their anxiety. This seems like a plausible explanation, as Halevi et al. (2016) found neuroticism to be inversely related to self-efficacy. Similarly, Semsek (2011) found a negative correlation between computer anxiety and computer self-efficacy. ...
... Multiple studies have shown that lower levels of self-efficacy correlate with increased levels of anxiety in users which may impede their ability to effectively identify and execute correct CSB as technology continues to grow (Halevi et al., 2016; Liang & Xue, 2010; Semsek, 2011; Thatcher & Perrewé, 2002). A possible explanation for this is Bandura's (1986, 1997) theory which states that self-efficacy reduces a user's anxiety levels. ...
... This supports the view that outgoing people have a good attitude towards security practices in which the indirect effect can be translated into good security behaviour. But in contrast to our findings, a study [8] showed that conscientiousness rather predicted cyber security behaviour but not extroversion. This suggests that these findings need to be contextualised within the study scope. ...
Article
This study explores the psychological aspects of social engineering by analyzing personality traits in the context of spear-phishing attacks. Phishing emails were constructed by leveraging multiple vulnerable personality traits to maximize the success of an attack. The emails were then used to test several hypotheses regarding phishing susceptibility by simulating a series of spear-phishing campaigns inside a software development company. The company’s employees underwent a standard Big Five personality test, four different phishing emails over four weeks, and cybersecurity training. The results were aggregated before and after the cybersecurity course, and binary logistic regression analyses were performed at each phase of the phishing attack. The results show that personality traits correlate with phishing susceptibility under certain circumstances and pave the way for new methods of protecting individuals from phishing attacks.
Article
Digitalization has become part and parcel of the modern-day human activities. Nowadays it is going into every field of business and personal life. To develop and prosper, most organizations need IT systems, and hence to take the safeguarding of their informational assets seriously. Many of the processes which are essential for securing their IT assets, largely depend on human interaction. This study has attempted to address the culture of cyber-security in the light of psychology and law. The results of the research showed that from the psychological standpoint, the culture of cyber-security involves the willingness on the part of a modern human to overcome the digital expansion by mastering the tools for countering the negative IT factors. In its turn, from the legal standpoint, the culture of cyber-security is based on the legislative framework which regulates the legal relations in the field of cyber-security.
Thesis
Over the last few years, with an increase in the adoption of mobile phones amongst older adults - especially in Singapore - their limited knowledge of the digital world and products not designed with older adults in mind, put them at higher risk of cyberattacks and giving away unintended private information. Designing in this area requires the knowledge of the day-to-day experience of older adults. To address this multi-disciplinary issue, the author embarked on a three-phase design research inspired by the British Design council’s Double Diamond Design Methodology. In the first phase the author interviewed 10 older adults and 10 adults who have supported older adults with mobile privacy and security (PS) and identifies various socio-cultural factors which affect how older adults experience and navigate PS online. In the subsequent phase, the issues are further refined and 18 stakeholders from the Design, HCI and security disciplines are invited to co-design ideas via participatory design sessions. Next, these ideas are embedded to design a hypothetical application design - SociAI (Social + CrowdSourcing + AI) - which aims to solve the problem of phishing links through a multi-modal approach. 30 older adults and adults assessed the usability of SociAI and rated it as having significantly higher usability as compared to current trust mechanisms in Android mobile browsers.
Conference Paper
Recent research has begun to focus on the factors that cause people to respond to phishing attacks as well as affect user behavior on social networks. This study examines the correlation between the Big Five personality traits and email phishing response. Another aspect examined is how these factors relate to users' tendency to share information and protect their privacy on Facebook (which is one of the most popular social networking sites). This research shows that when using a prize phishing email, neuroticism is the factor most correlated to responding to this email, in addition to a gender-based difference in the response. This study also found that people who score high on the openness factor tend to both post more information on Facebook as well as have less strict privacy settings, which may cause them to be susceptible to privacy attacks. In addition, this work detected no correlation between the participants estimate of being vulnerable to phishing attacks and actually being phished, which suggests susceptibility to phishing is not due to lack of awareness of the phishing risks and that real-time response to phishing is hard to predict in advance by online users. The goal of this study is to better understand the traits that contribute to online vulnerability, for the purpose of developing customized user interfaces and secure awareness education, designed to increase users' privacy and security in the future.
Article
Biometric-based authentication is a growing trend. While this trend is enabled by the introduction of supporting technology, the use of biometrics introduces new privacy and ethical concerns about the direction of authentication. This paper explores willingness of users to share biometric information and therefore take advantage of these technological advances. Specifically, it examines, by means of an experiment, the factors that affect users' decision making when considering providing their fingerprints for a financial incentive. The study surveyed 100 participants and found that most were not willing to share their fingerprints with an ecommerce for any feasible reward. It found that while the financial incentive was a factor, perception of risk (influenced by being exposed to previous cyber-attacks) as well as the participants' self-efficacy had significant effect on the participants' decision making. The study also found that participants make context-based decision about sharing different types of personal data with different entities. The results of the study indicate that many users have concerns sharing their fingerprints with commercial companies. As new systems are being deployed, a better understanding is needed about user perceptions regarding fingerprint data sharing, so they can be better addressed by system designers in the future.
Conference Paper
Despite benefits and uses of social networking sites (SNSs) users are not always satisfied with their behaviors on the sites. These desires for behavior change both provide insight into users' perceptions of how SNSs impact their lives (positively or negatively) and can inform tools for helping users achieve desired behavior changes. We use a 604-participant online survey to explore SNS users' behavior-change goals for Facebook, Instagram, and Twitter. While some participants want to reduce site use, others want to improve their use or increase a range of behaviors. These desired changes differ by SNS, and, for Twitter, by participants' levels of site use. Participants also expect a range of benefits from these goals, including increased time, contact with others, intrinsic benefits, better security/privacy, and improved self presentation. Based on these results we provide insights both into how participants perceive different SNSs, as well as potential designs for behavior-change mechanisms to target SNS behaviors.
Conference Paper
We introduce a framework for personality-targeted design. Much like a medical treatment applied to a person based on his specific genetic profile, we make the case for theory-driven personalized UI design, and argue that it can be more effective than design applied equally to the entire population. In particular, we show that users' conscientiousness levels determine their reactions to UI indicators of critical mass. We created a simulated social recommender system in which participants answer a short personality questionnaire and are subsequently presented with a picture of a pet that purports to be the "best match" for their personality. We then manipulated the UI by providing indicators of the existence and the lack of critical mass. We tested whether the interaction between personality and UI design affects users' participation. The findings validate our hypothesis, showing that manipulation of the critical mass indicators affect high-conscientiousness and low-conscientiousness participants in opposite directions.
Conference Paper
We present a theoretical foundation and empirical findings demonstrating the effectiveness of personality-targeted design. Much like a medical treatment applied to a person based on his specific genetic profile, we argue that theory-driven, personality-targeted UI design can be more effective than design applied to the entire population. The empirical exploration focused on two settings, two populations and two personality traits: Study 1 shows that users’ extroversion level moderates the relationship between the UI cue of audience size and users’ contribution. Study 2 demonstrates that the effectiveness of social anchors in encouraging online contributions depends on users’ level of emotional stability. Taken together, the findings demonstrate the potential and robustness of the interactionist approach to UI design. The findings contribute to the HCI community, and in particular to designers of social systems, by providing guidelines to targeted design that can increase online participation.
Book
Phishing and Counter-Measures discusses how and why phishing is a threat, and presents effective countermeasures. Showing you how phishing attacks have been mounting over the years, how to detect and prevent current as well as future attacks, this text focuses on corporations who supply the resources used by attackers. The authors subsequently deliberate on what action the government can take to respond to this situation and compare adequate versus inadequate countermeasures.
Article
Many decisions are based on beliefs concerning the likelihood of uncertain events such as the outcome of an election, the guilt of a defendant, or the future value of the dollar. Occasionally, beliefs concerning uncertain events are expressed in numerical form as odds or subjective probabilities. In general, the heuristics are quite useful, but sometimes they lead to severe and systematic errors. The subjective assessment of probability resembles the subjective assessment of physical quantities such as distance or size. These judgments are all based on data of limited validity, which are processed according to heuristic rules. However, the reliance on this rule leads to systematic errors in the estimation of distance. This chapter describes three heuristics that are employed in making judgments under uncertainty. The first is representativeness, which is usually employed when people are asked to judge the probability that an object or event belongs to a class or event. The second is the availability of instances or scenarios, which is often employed when people are asked to assess the frequency of a class or the plausibility of a particular development, and the third is adjustment from an anchor, which is usually employed in numerical prediction when a relevant value is available.
Article
In this study, we sought to answer the question of whether certain information security awareness message themes are more or less effective for different types of individuals based on their personality traits. We considered five message themes (deterrence, morality, regret, feedback, and incentive) as they relate to seven personality traits (the Big Five, Machiavellianism, and social desirability). Our survey analysis of 293 users provides evidence that security awareness message effectiveness does vary based on personality, but not always as one would expect. Depending on certain personality traits, some security messages appear beneficial to security efforts, whereas other personality traits make the individual less receptive to certain message types and therefore security messages may backfire in terms of achieving their intended effect. Our exploratory results can assist practitioners in identifying a best fit between security awareness themes and individual users based on their personality profile.