All content in this area was uploaded by Ganna Pogrebna on Aug 23, 2018
A CYBER DOMAIN-SPECIFIC RISK ATTITUDES SCALE TO
ADDRESS SECURITY ISSUES IN THE DIGITAL SPACE
Alexander Kharlamov† Aakanksha Jaiswal#
Glenn Parry‡ Ganna Pogrebna§
August 2018
Abstract
This paper proposes a new Cyber Domain-Specific Risk Taking (CyberDoSpeRT) scale
which aims to measure individual risk taking and risk perception towards cyber risks
across 5 different dimensions. To test and validate the scale, we recruit representative
samples of populations from two countries (US and UK). We show that the US
population tends to exhibit higher levels of risk taking in cyberspace than the UK
population. Using the CyberDoSpeRT scale, we identify 4 behavioral types in each
population: Relaxed (high risk taking – low risk perception); Anxious (low risk taking
– high risk perception); Opportunistic (high risk taking – high risk perception); and
Ignorant (low risk taking – low risk perception). We show that cross-cultural
differences between the US and the UK can be explained by higher relative
concentration of Relaxed types in the US and higher relative concentration of Anxious
types of the UK. Identified types are highly correlated with individuals’ ability to
accurately recognize cyber threats suggesting that information about cybersecurity
risks should be tailored to different behavioral types when businesses design
cybersecurity awareness campaigns.
Keywords: domain-specific risk attitudes, DoSpeRT, multi-dimensional cyber risk
attitudes, CyberDoSpeRT, cybersecurity, regulation
† University of the West of England, Frenchay Campus, Coldharbour Lane, Bristol BS16 1QY, UK, e-
mail: alex.kharlamov@uwe.ac.uk
# Genpact, Hyderabad, Telangana 500019, India
‡ University of the West of England, Frenchay Campus, Coldharbour Lane, Bristol BS16 1QY, UK, e-
mail: glenn.parry@uwe.ac.uk
§ Corresponding author: Ganna Pogrebna, The Alan Turing Institute, 96 Euston Rd, Kings Cross,
London NW1 2DB and Department of Economics, Birmingham Business School, University of
Birmingham, JG Smith Building, Birmingham, B15 2TT and, e-mail: gpogrebna@turing.ac.uk
1. Introduction
Cybersecurity is one of the major problems faced by businesses in the digital age. On a daily
basis, the overwhelming majority of businesses around the globe face hacking, cyber theft,
malware, cyber fraud, as well as many other problems. It is estimated that American
companies pay an average of $15.4 million a year to tackle issues related to hacking attacks
alone while companies globally pay on average $7.7 million a year.1
With over 90% of all attacks2 starting with a phishing email, individual consumers
often become targets for theft and fraud techniques of cybercriminals costing businesses large
amounts of money. In the Finance sector, cybersecurity is becoming more than a matter of
significant cost: future trends in the sector suggest that consumers of the future will choose
a trusted institution based on its ability to protect the customer as well as the customer's personal
data. According to the IBM Cost of Data Breach Study (2016), identity data (data which
allows a cybercriminal to masquerade as a victim) is the most targeted personal data with 64% of
data breaches targeting identity information.3 Financial data (bank, credit card, or other
financial account details) is the second most targeted data – 16% of data breaches target
Financial data (IBM, 2016).
Many companies (especially in the Finance and Fintech industry) conduct large-scale
marketing campaigns to inform their customers of potential online risks associated with
cybersecurity. However, these campaigns are rooted in social marketing theory, i.e., all
consumers usually receive exactly the same information (Dann, 2010; Saunders et al., 2015).
Yet, there should exist a considerable individual heterogeneity with regard to risk taking
behavior in cyber space. Therefore, information about cyber risks should be communicated
differently to different audiences.
1 See https://money.cnn.com/2015/10/08/technology/cybercrime-cost-business/ for more detail.
2 See https://cofense.com/enterprise-phishing-susceptibility-report for more detail.
3 The report from Javelin Strategy and Research “2018 Identity Fraud: Fraud Enters a New Era of
Complexity” reveals that there were 16.7 million victims of identity fraud in 2017 in the US alone. See
https://www.javelinstrategy.com/coverage-area/2018-identity-fraud-fraud-enters-new-era-complexity#
for more detail.
In this paper we argue that cybersecurity issues need to be addressed using targeted
information campaigns where different audiences are identified by means of behavioral
segmentation. We propose a new scale for measuring cybersecurity risk attitudes to understand
human preferences in cyberspace across several dimensions (domains). Using the latest version
of the Domain-Specific Risk Tolerance (DoSpeRT) scale (Blais and Weber, 2006) which
captures risk attitudes in Social, Financial, Recreational, Health and Safety, as well as Ethics
domains, we develop CyberDoSpeRT which allows us to measure risk taking behavior and
attitudes in the cyberspace across 5 domains: Security, Personal Data, Privacy, Negligence,
and Cybercrime. We then conduct an empirical test of our new scale using representative
samples of populations from the US and the UK. To validate the scale, we not only measure risk
taking and risk perception of individuals, but also validate the scale results by looking at how
well the scale results can predict individual propensity to detect and identify cyber threats.
We find that 4 behavioral types emerge from the CyberDoSpeRT scale analysis in both
the American and the British population: Relaxed type with high level of risk taking
(propensity to engage in risky activity) and low level of risk perception (sensitivity to risk);
Anxious type with low level of risk taking and high level of risk perception; Opportunistic type
with high level of risk taking and high level of risk perception; and Ignorant type with low
level of risk taking and low level of risk perception. The US has a relatively higher number of
Relaxed types while the UK has a relatively higher number of Anxious types, which explains a
generally higher level of risk taking and lower level of risk perception in cyberspace in the US
compared to the UK. Our scale validation exercise reveals that Anxious types tend to falsely
identify cyber threats more than any other type, while Relaxed types tend to underestimate
cyber threats more than any other type. Our analysis also reveals that segmentation based on
demographic characteristics is inferior to behavioral segmentation as demographic
characteristics of the participants cannot capture the complexity and variability of risk
attitudes in the cyberspace.
This paper is organized as follows. Section 2 provides a review of existing literature
related to this research. Section 3 describes the development of the CyberDoSpeRT scale and
presents basic results using the US and the UK sample. Section 4 explains the methodology for
the behavioral segmentation exercise and reports empirical results of the exercise. In Section 5,
we validate the CyberDoSpeRT-based behavioral segmentation to see how well the segments
can explain and predict individual propensity to accurately identify cyber threats. Section 6
explores whether the same segmentation could be obtained by looking at demographic
characteristics instead of the CyberDoSpeRT scale results. Finally, the paper concludes with a
general discussion in Section 7.
2. Related Literature
2.1 Measures of risk attitudes in non-cyber spaces
Behavioral segmentations, which allow scientists and practitioners to split people into risk
taking, risk averse, and well-calibrated types, have long been studied in the literature and used
by businesses. For many years, researchers in behavioral science, experimental economics and
social psychology have grappled with the phenomenon of risk attitudes (e.g., Bernoulli, 1738;
Pratt, 1964; Arrow, 1965). In the early behavioral science literature, the assumption is that
risk attitude is an individual characteristic which does not depend on the context of decision
making. Based on this assumption, a number of context-free or domain-free measures of risk
attitude have emerged. The majority of these measures quantify individual risk attitudes over
financial outcomes by asking decision makers to make a series of choices either between a risky
lottery which is kept fixed and a list of progressively increasing or progressively declining sure
amounts of money (e.g., Cohen et al., 1987; Tversky and Kahneman, 1992); or between two
lotteries where one lottery is relatively safe and the other one is relatively risky, the outcomes
are held constant but the probabilities are changing in such a way that one lottery becomes
progressively more attractive than the other (e.g., Holt and Laury, 2002). These measures look
for points where decision makers switch from one option to the other and then estimate a risk
attitude parameter using a particular form of utility function. One of the most widely used
functions is the Constant Relative Risk Aversion (CRRA) function of the form
,
where is a (monetary) outcome and is a CRRA coefficient (1). The CRRA coefficient
depicts risk averse behavior when 0, risk taking behavior - when 0, and well-calibrated
behavior when 0 (see, e.g., Holt and Laury, 2002).
Information systems literature takes a different approach to risk attitudes. Hillson and
Murray-Webster (2012) define risk attitude as ‘chosen response to uncertainty that matters,
driven by perception’ (Hillson and Murray-Webster, 2012, p. 39). Notably, the role of risk
perception in the formation of risk attitudes has been well documented (e.g., Weber and
Johnson, 2009). The inclusion of perception in the definition by Hillson and Murray-Webster
(2012) implies subjectivity in risk attitudes which contradicts the context-free view. Yet, there
has been considerable debate around risk attitude as a stable personality trait. If risk attitudes
are indeed stable, what causes contextual differences observed in risk taking behavior? Weber
and Milliman (1997) claim that these differences arise from differences in an individual’s risk
perception.
Weber and Milliman (1997) make two key observations regarding the difference
between risk preferences and risk perception. First, they hypothesize that if there are
contextual factors that affect the underlying utility function of an individual in the decision-
making process, there should also be a detectable difference in risk perception of the choice
alternatives in the different contexts. Since situational variables such as framing affect risk
perception rather than risk preference, it must be possible to isolate a stable cross-situational
risk preference by factoring out risk perception (Weber and Milliman, 1997). Second, Weber
and Milliman (1997) claim that distinguishing between decision making driven by risk
preferences and decision making driven by risk perception is essential for interventionist
regulation or policy. In both cases, regulation or policy should focus on emotional responses
rather than cognitive processes. From a regulatory point of view, understanding what drives
individual decisions in cyberspace is necessary.
Traditionally, behavioral science models such as expected utility theory (EUT) and
cumulative prospect theory (CPT) treat risk attitudes as a description of the shape of the
utility function (concave, convex, etc.). There have been two main problems with calculating
risk attitudes using the EUT framework (such as CRRA coefficient calculations described
above). First, risk attitudes are not found to be consistent across methodologies. Second,
individuals are not consistent in their risk taking behavior in different situations even when the
same methodology is used (see, e.g., Loomes and Pogrebna, 2014 who provide a detailed review
of this literature). While CPT does not attempt to explain domain differences directly, it
suggests two reasons as to why risk preferences may be unstable. First, framing may change
individual reference points, thus affecting risk attitude. Second, an explanation for domain
differences may lie in the difference between the degrees of loss aversion in different domains.
Weber and Johnson (2009) argue that studies measuring risk perception directly or indirectly
are unanimous in the result that variance or standard deviation of outcomes fails to account
for perceived risk. Finally, affective responses to risky situations may also explain risk
perception and decisions individuals are making under risk and uncertainty (Slovic and Peters,
2006). Thus it is necessary to decompose risk attitude into its components (risk taking and
risk perceptions).
An alternative approach to fitting various functional forms of utility to decision making
data in an attempt to measure risk attitudes is to use a domain-specific measure. The Domain-
Specific Risk Taking (DoSpeRT) methodology is a well-established approach in social
psychology and decision science which allows one to measure domain-specific risk attitudes for
Ethical risks (E); Financial risks (F); Health/Safety risks (H/S); Recreational risks (R), and
Social risks (S). Originally developed by Weber et al. (2002), it was then revised and modified
by Blais and Weber (2006). The latest 2006 version of DoSpeRT consists of 30 statements.
Each statement represents a potentially risky activity such as, e.g., “Walking home alone at
night in an unsafe area of town”.4 Individuals are invited to reveal (i) how likely they are to
engage in each activity on a scale from 1 (Extremely Unlikely) to 7 (Extremely Likely) and (ii)
how risky they perceive each activity from 1 (Not at all Risky) to 7 (Extremely Risky).5
Summing up an individual’s scores from all risk taking questions, DoSpeRT allows us to obtain
this individual’s overall risk taking measure; and a sum of scores from all risk perception
questions represents this individual’s overall risk perceptions measure. Combined
understanding of risk taking and risk perceptions yields a snapshot of an individual’s risk
attitudes. The antonymic nature of the risk taking and the risk perception measures in
DoSpeRT implies that they should be negatively correlated, i.e., the riskier an individual
believes a particular activity/situation to be (the higher a risk perception score is), the less
likely this individual should be willing to engage in that activity (the lower a risk taking score
should be).
4 Complete list of the DoSpeRT scale statements is provided in Table A1 as a part of Appendix A.
5 See Appendix A for detailed description of the DoSpeRT scale.
DoSpeRT is one of the most used measures of risk attitudes in behavioral science and
the most popular scale when it comes to the measurement of context-specific risk attitudes
(e.g., Hanoch et al., 2006). According to Google Scholar, between 2006 and 2018, the DoSpeRT
scale was used in 711 scholar articles.6 Since it was developed, DoSpeRT has been modified to
account for different languages and has been applied to many different fields. For example,
Wilke et al. (2014) develop an evolutionary DoSpeRT, Einav et al. (2012) use DoSpeRT to
study the relationship between insurance and 401K returns while Harris et al. (2006) use the
DoSpeRT to study gender differences. However, to date, DoSpeRT has not been applied to
measure risk attitudes in cyberspace. Using the basic structure of DoSpeRT, we construct
CyberDoSpeRT to measure cybersecurity risk taking and risk perception.
There are 3 main reasons why we use DoSpeRT in order to develop a new measure of
individual risk attitudes in cyberspace: (1) DoSpeRT is a well-established and widely cited
scale; (2) it gives an opportunity to measure not only the overall risk attitude for a particular
individual but also domain-specific risk attitudes; and (3) DoSpeRT also allows us to map risk
taking versus risk perception which could be used to split study participants into types for
behavioral segmentation.
2.2 Measures of human preferences in cyberspace
As explained above, risk attitudes in cyberspace have not been studied using a custom-
made domain-specific scale before. Nevertheless, there is a growing literature on measuring
individual preferences in cyberspace mostly relating to personal data concerns, trust, and
privacy, where alternative methodology is used to obtain proxies of human preferences.
In particular, the literature in this area has focused on trade-offs between expected benefits from
disclosure of personal information and cost of revelation. This has taken the form of two main
phenomena, the privacy paradox and the privacy calculus.
A research report published by Jupiter Research using the US sample of data in 2002
stated that while 70% of online consumers claimed to be concerned about online privacy, only
6 See http://www.sjdm.org/dmidi/Domain_Specific_Risk_Attitude.html#History for major articles
citing DoSpeRT and https://scholar.google.com/citations?user=Vp8nPGkAAAAJ&hl=en for the
total number of citations. The number of citations is reported based on the Google Scholar data as of
August, 2018.
40% read website privacy statements and 82% were willing to share personal information with
shopping websites to enter a $100 sweepstakes (Tedeschi, 2002). Since then, research on
information privacy has documented that individuals who expressed a high level of concern
about online privacy were also willing to disclose personal data for small gains (e.g., Acquisti
and Grossklags, 2004; Acquisti, 2010). This inconsistency between privacy attitude and privacy
behavior was labelled the privacy paradox.
A Willingness to Accept (WTA) - Willingness to Pay (WTP) methodology was also
used to show the discrepancy between how individuals valued their information and the steps
they were willing to take to protect their information. Particularly, Carrascal et al. (2011)
applied WTA-WTP methodology to ask individuals (i) how much they were willing to accept
to “sell” their personal data and (ii) how much they were willing to pay to “protect” their
personal data. Carrascal et al. (2011) generated valuations for different types of data by using
a web browser plug-in that asked subjects to evaluate data as and when it was generated. This
approach showed significant differences between WTA-WTP for different data types.
Specifically, Carrascal et al. (2011) established that individuals valued interactions on social
media and financial websites as well as age, address and economic status higher than they did
browsing history, search and shopping data.
Hann et al. (2007) conducted a study where subjects faced a trade-off between
incomplete privacy protection and advantages of disclosure, such as convenience and
promotions. They estimated a WTP between $30.49 and $44.62 for protecting personal data
against various types of improper treatment. Huberman et al. (2005) conducted reverse second-
price auctions for personal data about an individual’s weight and age. Average demand price
was $57.56 for age and $74.06 for weight. Egelman et al. (2013) asked subjects to choose
between two smart phone applications offering similar functionality, with one offering higher
privacy than the other. They found that privacy-conscious study participants paid a premium
of $1.50 over the initial price of $0.49. Acquisti et al. (2013) conducted a field experiment
using gift cards to verify whether privacy valuations were influenced by endowment and order
effects and found that both were prevalent in decision-making. Valuations for personal data
vary significantly across these different studies, highlighting the contextual dependence of the
privacy paradox. For example, in the Egelman et al. (2013) study, while the numbers
themselves could be interpreted as low in absolute terms, the premium was three times the
initial price offered, which might be considered as a high valuation in relative terms (Kokolakis
2017). In a recent paper, Adjerid et al. (2018) further extend the privacy paradox literature by
considering relative versus objective privacy risks and find that both may influence individual
decision making further highlighting the importance of understanding the context of decision
making under risk and uncertainty in cyberspace.
Another way to understand human preferences in cyberspace is to approach them
through the privacy calculus (e.g., Dinev and Hart, 2006). It refers to a set of contrary factors
in making a decision about whether or not to engage in an online transaction that involves the
disclosure of personal information. The privacy calculus is a complex construct which includes
behavioral intention (willingness to disclose), risk beliefs and confidence as well as enticement
belief. One of the most well-known applications of the privacy calculus was offered by
Ackerman (2004) who implemented this construct to recommend a labelling protocol to make
individual users more aware of data capture and usage in order to raise their awareness about
privacy and trust issues.
This paper aims to contribute to the literature on human preferences in cyberspace by
offering an alternative (multi-dimensional) scale of risk attitudes over risks typically faced by
individual users. We also show how this scale can be used to produce a behavioral
segmentation and how this segmentation can be used by organizations to tackle cybersecurity
problems through custom-made and diversified information campaigns.
3. Scale Development
3.1 Measure of domain-specific risk attitudes in cyberspace
The main challenge for designing the new domain-specific scale was to identify major risky
activities as well as main domains to include into our new CyberDoSpeRT scale. In order to
solve this problem, we have employed a 3-step procedure depicted on Figure 1.
In Step 1, we recruited 121 experts in digital economy, cyberspace, cybersecurity, human-
computer, and human-data interactions using the LinkedIn platform. The experts were invited
to anonymously answer 2 questions programmed in Qualtrics:
1. “Please, identify behaviors which you would consider risky in cyberspace.” and
2. “If you were to group your suggested behaviors into categories, which categories would
you identify?”
Figure 1 Determining Activities for CyberDoSpeRT
Results of this survey were then coded and analyzed in Step 2. As a result, we formulated 30
activities partitioned into 5 broad categories (6 activities per category): behaviors related to
(Cyber) Security (SE) risks, Personal Data (PD) risks, Privacy (PR) risks, Cybercrime (CR)
risks, and Negligence (NE) risks. The categories for activities were also identified by analyzing
expert answers. Specifically, the (Cyber) Security (SE) category incorporated potentially risky
activities which related to general security in cyberspace such as “Not using anti-virus or anti-
malware protection”. The Personal Data (PD) category included such risky activities as
“Providing private information (such as your email address) to obtain free WiFi in public
places such as coffee shops, airports, train stations, etc.” and reflected potential risks related
to the loss of personal data. The Privacy (PR) category included activities which could
potentially lead to privacy infringement for an individual or a group of people such as “Linking
multiple social media websites (e.g., linking Twitter, Facebook, and Instagram accounts, etc.)”.
Risky activities susceptible to Cybercrime (CR) included “Using insecure connection or free
WiFi”, where cybercrime was defined as an action which caused harm and employed digital
technology constituting an offense.7 Finally, in the Negligence (NE) category risky activities
incorporated “Letting web browser remember your passwords” and depicted risks resulting
from lack of knowledge, understanding, or care about the consequences of actions in
cyberspace from an individual’s perspective.
7 Complete CyberDoSpeRT scale is provided in Appendix B.
In Step 3, we further validated the scale activities by conducting a comprehensive review
of literature sources as well as related blogs. Blog results were included to capture the vibrant
and dynamic nature of cybersecurity field which undergoes rapid and serious changes creating
a potential lag between the academic literature and practical risks. Results of this exercise
along with activities listed by domain are reported on Figure 2.8
Figure 2 Results of the Reference-validation of the CyberDoSpeRT Scale
8 Note that in our survey, CyberDoSpeRT activities were presented to participants in a random order.
The order number for each activity is shown in Figure 2 before each dash (“-”). Appendix B presents
the scale exactly as it was shown to the study participants.
Of the identified activities, the most frequently mentioned was “Not using a private server”
(1,150,000 mentions) and least frequently mentioned was “Using the same password on
multiple devices/websites” (102 mentions). Therefore, identified activities allowed us to look at
a broad spectrum of behaviors in cyberspace and focus on risks relevant and known to the
majority of population as well as on less understood and anticipated risks.
The 3-step procedure described above has led to the development of the 30-item
CyberDoSpeRT scale. The resulting scale allows us to measure individual risk taking and risk
perception across 5 domains. We pooled and randomized activities from different domains to
avoid potential order effects (order number for each question is shown on Figure 2).9 As in
DoSpeRT, the Risk Taking measure (RT) question asks the study participants to indicate how
likely they are to engage in each activity on a scale from 1 to 7 (the higher the more likely);
and the Risk Perception measure (RP) asks the study participants to indicate how risky they
perceive each activity to be on a scale from 1 to 7 (the higher the more risky). Since each
activity can receive a score between 1 and 7, each of the 5 categories can accumulate scores
from 6 to 42, and a total score for each individual can be between 30 and 210.
3.2 Basic results and scale reliability
To test the scale, we recruited representative samples from two nations – the US and the
UK. Specifically, we recruited 500 American and 523 British participants to take part in our
study. The choice of these two countries is justified due to the following reasons. First, the US
and the UK allow us to conduct a good test of our hypotheses as these nations have a
commonality of language; commonality of judicial system; and some commonality of culture
(specifically, Schwartz, 2006 places English-speaking countries including US and UK into a
special common cultural type). Second, despite the similarities, the US tends to attract more
cybercrime than the UK. According to Symantec, 143.7 million people in the US (44% of the
American population) and 17.4 in the UK (26% of the British population) either experienced
9 The exact order of statements is given in Appendix B, Table B1.
cybercrime personally or knew someone who experienced cybercrime in 2017 (Norton Cyber
Security Insights Report, 2017).10
A representative sample of population was recruited from each country. In order to
ensure that samples in our study were representative of the relevant populations, both samples
were obtained through the Qualtrics online panels (https://www.qualtrics.com/online-sample/)
who have overseen the data collection. In both cases, our requirement was that the
demographics of the sample were reminiscent of the demographic characteristics of the relevant
country population.
We have programmed the study using the Qualtrics platform. The study offered
participants 4 scale blocks: Risk Taking DoSpeRT measure (30 items); Risk Perception
DoSpeRT measure (30 items); Risk Taking CyberDoSpeRT measure (30 items); and Risk
Perceptions CyberDoSpeRT measure (30 items). DoSpeRT and CyberDoSpeRT blocks were
presented to participants in a random order, i.e., approximately ½ of participants started with
DoSpeRT and then switched to CyberDoSpeRT, whereas the rest completed the tasks in
reverse order. The titles for domains were not shown to participants. In both DoSpeRT and
CyberDoSpeRT scales activities were presented to participants in a random order.11
Participants were also asked to complete a brief questionnaire with the demographic questions
as well as several control questions about their behavior online. These additional questions
were used for scale validation as described below.
We used DoSpeRT in conjunction with the new CyberDoSpeRT scale as a reliability
marker: DoSpeRT scores allowed us (i) to understand whether the Cronbach’s alpha estimates
were compatible between the two scales and (ii) to have a reference point for comparing our
results with the previously obtained cross-cultural results on measuring domain-specific risk
attitudes.
First, we calculated the sum of scores for each study participant from all 30 activities.
As a result, we obtained individual CyberDoSpeRT risk taking score (CyberRT ∈ [30, 210])
and risk perception score (CyberRP ∈ [30, 210]) as well as DoSpeRT risk taking (RT ∈
10 See https://www.symantec.com/content/dam/symantec/docs/about/2017-ncsir-global-results-en.pdf
for more detail.
11 See Appendix A and Appendix B for details.
[30, 210]) and risk perception (RP ∈ [30, 210]) score. We then calculated the average scores
for US and UK and conducted non-parametric comparison between the two countries using a
series of Mann-Whitney-Wilcoxon tests (see Figure 3).
Figure 3 Average Overall Risk Taking and Risk Perception According to
CyberDoSpeRT and DoSpeRT in the US and the UK
The CyberDoSpeRT comparison reveals that the American population is more risk seeking
in terms of CyberRT measure and less risk sensitive in terms of CyberRP measure compared
to the British population. Specifically, in terms of risk taking, the US population has an
average score of 111.89 with a standard deviation of 30.17 while the UK population has a score
of 101.82 with a standard deviation of 35.20 (Mann-Whitney-Wilcoxon test p<0.001).
Americans with the average CyberRP score of 116.04 (and a standard deviation of 33.39) also
tend to perceive cyber risks to be less severe than British people who have an average
CyberRP score of 128.97 (and a standard deviation of 34.68). This difference is also
statistically significant (Mann-Whitney-Wilcoxon test p<0.001). Results for the DoSpeRT
scores follow a similar pattern. The average overall RT score for the US is 92.29 with a
standard deviation of 24.18; and for the UK it is 86.48 with a standard deviation of 31.76
(Mann-Whitney-Wilcoxon test p<0.001). The average RP score is 132.25 with a standard
deviation of 25.00 in the US and 138.96 with a standard deviation of 30.54 in the UK (Mann-
Whitney-Wilcoxon test p<0.001).12 Generally, results from Figure 3 lead to three intermediate
conclusions: (a) US population appears to be more risk taking compared to the UK population
12 Detailed Mann-Whitney-Wilcoxon test results for cross-country comparisons for the overall scores
as well as by domain are reported in subsequent sections.
[Figure 3 plot. Axis: Risk Taking/Risk Perception (0 to 200). Groups: US, UK. Series: Risk Taking - DoSpeRT; Risk Perception - DoSpeRT; Risk Taking - CyberDoSpeRT; Risk Perception - CyberDoSpeRT.]
and British people are more sensitive to cyber and non-cyber risks than the American people
according to both CyberDoSpeRT and DoSpeRT measures; (b) the relative spread between
RT and RP as well as between CyberRT and CyberRP is lower in the US compared to UK
according to both measures (see Figure 3); (c) our DoSpeRT results are generally compatible
with results previously reported in the literature (e.g., Blais and Weber, 2006) suggesting that
our sample is similar to those studied in the literature before.
Since results differ for the US and the UK, we cannot pool data for our analysis and,
therefore, consider each country separately in our empirical analysis. Now that we have
obtained basic results, we need to understand how reliable our new CyberDoSpeRT scale is
(especially in comparison with DoSpeRT).
Results of the reliability analysis for both the CyberDoSpeRT and the DoSpeRT scale
are provided in Table 1. The reliability analysis shows that all general constructs and the
overwhelming majority of individual constructs are associated with high values of Cronbach’s
alpha (above the generally acceptable rate of 0.70). Also, our results show that the reliability
of CyberDoSpeRT is better than that of DoSpeRT scale in terms of both RT and RP
measures. This allows us to proceed with our analysis.
Table 1 Reliability Analysis (Cronbach’s alpha) of the CyberDoSpeRT Scale
Construct    Country
             US       UK
RT           0.866    0.932
RP           0.911    0.933
CyberRT      0.895    0.934
CyberRP      0.956    0.954
Notes: RT - Risk Taking according to DoSpeRT; RP - Risk Perception
according to DoSpeRT; CyberRT - Risk Taking according to
CyberDoSpeRT; CyberRP - Risk Perception according to
CyberDoSpeRT.
The obtained data show that, in our sample, in both the UK and the US population, the
correspondence between the CyberRT measure and the CyberRP measure goes in the
correct (inverse) direction: the higher the risk perception, the lower the risk taking for the
total CyberDoSpeRT scores. This relationship is captured in Figure 4.13 Results of the linear
(Ordinary Least Squares) regression of the form , where refers to CyberRT
(dependent variable) and depicts CyberRP (explanatory variable) conducted using the US
and the UK data separately, show that the negative correlation between Risk Taking and Risk
Perception according to CyberDoSpeRT is highly significant (p<0.001). Specifically, the
coefficient for the CyberRP explanatory variable is equal to -0.370 with a standard error of
0.037 and p=0.0000 for the US data and equal to -0.340 with a standard error of 0.042 and
p=0.0000 for the UK data.
US UK
Figure 4 CyberDoSpeRT Risk Attitude versus Risk Perception: Total Scores
Notes: Each graph in Figure 4 plots a distribution
of CyberRT versus CyberRP measures in the UK and the US according to the
CyberDoSpeRT overall scores (each scatter point represents a CyberRT-CyberRP
mapping of one individual respondent).14 Regression line and a confidence interval
on each graph reveal an inverse relationship between risk taking and risk
perception in both countries.
3.3 Domain-specific Risk Attitudes in Cyber Space
Table 2 summarizes the results of a series of non-parametric tests which show that for all
domains of the CyberDoSpeRT scale, the US population is more risk taking compared to the UK
population. We also see that the American population is less concerned about risk in terms of risk
perceptions compared with the British population according to each elicited domain.15
13 In order to show the majority of individual data points on Figure 4, noise (a standard “jitter” factor
of 7 in the Stata software package) was added to each scatter point.
14 In order to show the majority of data points on Figure 4, noise (a standard “jitter” factor of 7 in the
Stata software package) was added to each scatter point.
15 Domain-specific results for the DoSpeRT scale are provided in the Appendix C.
We have also conducted a series of OLS regressions exploring the relationship between
CyberRT and CyberRP by domain. Results of these regressions suggest that for each domain
in both US and UK there is an inverse relationship between risk taking and risk perception.
Specifically, for the US sample, regression coefficients for CyberRP predicting CyberRT for
Security (SE), Personal Data (PD), Privacy (PR), Cybercrime (CR), and Negligence (NE) are
-0.374 (standard error=0.038); -0.344 (0.039); -0.384 (0.041); -0.356 (0.042); and -0.467 (0.042),
respectively. Similarly, for the UK sample, CyberRP coefficients for SE, PD, PR, CR, and NE
domains are -0.281 (0.041); -0.327 (0.044); -0.341 (0.044); -0.298 (0.044); and -0.387 (0.046),
correspondingly. Results of all OLS regressions are highly statistically significant with all
probabilities being less than 0.001.
Table 2 Results of Non-Parametric Tests for CyberDoSpeRT by Domain
                    RT_SE      RT_PD      RT_PR      RT_CR      RT_NE      Total
US                  23.93      22.00      21.92      22.11      21.92      111.89
UK                  21.53      19.24      20.91      19.73      20.40      101.82
MWW test results    z=5.381    z=6.279    z=1.862    z=4.942    z=2.724    z=4.747
                    p=0.0000   p=0.0000   p=0.0626   p=0.0000   p=0.0065   p=0.0000

                    RP_SE      RP_PD      RP_PR      RP_CR      RP_NE      Total
US                  23.35      22.39      22.46      21.92      25.92      116.04
UK                  25.99      25.81      24.69      24.93      27.55      128.97
MWW test results    z=-5.791   z=-7.286   z=-4.401   z=-6.010   z=-2.972   z=-5.653
                    p=0.0000   p=0.0000   p=0.0000   p=0.0000   p=0.0030   p=0.0000
Notes: RT - Risk Taking according to DoSpeRT (a) and CyberDoSpeRT (b); RP - Risk
Perception according to DoSpeRT (a) and CyberDoSpeRT (b); _SE - (Cyber) Security
domain; _PD - Personal Data domain; _PR - Privacy domain; _CR - Cybercrime domain;
_NE - Negligence domain.
Figure 5 captures the mean risk taking and risk perception for each activity in
CyberDoSpeRT, mapping the relative positioning of risk taking versus risk perception in the
US and the UK for each of the 30 CyberDoSpeRT activities separately.16 Interestingly, the
relative positioning of risk taking versus risk perception attitudes is similar across the two
countries except that in the UK all attitudes seem to be shifted towards lower risk taking and
higher risk perception.
16 Raw data for Figure 5 is presented in Appendix D.
In both countries, activity 28 “Using a wearable device to collect your private data (e.g.,
FitBit, Apple Watch, etc.).” is associated with the highest level of risk perception (average
CyberRP=5.41 in the US and CyberRP=5.54 in the UK) and the lowest level of risk taking
(average CyberRT=2.34 in the US and CyberRT=2.61 in the UK). The second highest CyberRP
and second lowest CyberRT in both countries are associated with activity 17 “Letting web
browser remember your credit card information”.17 The third highest CyberRP score and third
lowest CyberRT score is associated with activity 25 “Using the same password on multiple
devices/websites.”. Interestingly, activity 3 “Not reading App permissions before uploading an
App on your smart phone.” is the highest in terms of CyberRT and lowest in terms of
CyberRP for both countries.
US UK
Figure 5 Risk Taking and Risk Perception by Activity
In terms of domains, Figure 5 reveals that in both countries, people seem to be mostly
concerned with Negligence (NE) risks and Security (SE) risks (with the only exception of
activity 3) and less likely to take risks in those cyber domains. At the same time, they seem to
be relatively less concerned about cybercrime (CR), privacy (PR), as well as personal data
(PD) risks (with an exception of activity 28) and are more likely to take risks in those cyber
domains.
17 Notice that activity 16, which deals with letting a web browser remember password information, is
associated with much higher levels of risk taking and lower levels of risk perception than CyberRT and
CyberRP of activity 17, respectively.
4. Behavioral Segmentation according to CyberDoSpeRT
So far, we have shown how the overall as well as domain-specific CyberDoSpeRT scores
could be calculated and analyzed. In this subsection we turn to the practical application of the
scale in terms of its potential to serve as a basis for behavioral segmentation. Notice that the
CyberDoSpeRT scale allows us not only to map cyber risk attitudes across 5 different domains,
but also to segment the population into behavioral types in order to understand whether and how
different types in the population impact on the overall cybersecurity attitudes. In subsequent
sections we will also explore how the obtained behavioral types can be used to predict behavior in
cyber space. Notice that both CyberRT and CyberRP scores run between 30 (minimum overall
individual score) and 210 (maximum overall individual score). This means that a score of 120
represents the mid-point for both CyberRT and CyberRP. Considering this, we apply the
following segmentation rule, which allows us to split our population into the 4 types depicted in
Figure 6.
Figure 6 CyberDoSpeRT Behavioral Segmentation Rule
Relaxed: High Risk Taking (CyberRT>120), Low Risk Perception (CyberRP≤120)
Opportunistic: High Risk Taking (CyberRT>120), High Risk Perception (CyberRP>120)
Ignorant: Low Risk Taking (CyberRT≤120), Low Risk Perception (CyberRP≤120)
Anxious: Low Risk Taking (CyberRT≤120), High Risk Perception (CyberRP>120)
This segmentation rule allows us to identify 4 behavioral types according to
CyberDoSpeRT: Relaxed, Anxious, Opportunistic, and Ignorant. The Relaxed type is associated
with high risk taking (CyberRT>120) and low risk perception (CyberRP≤120). The Anxious type
is the type with a low risk taking score (CyberRT≤120) and a high risk perception score
(CyberRP>120). The Opportunistic type is characterized by high risk taking (CyberRT>120) and
high risk perception (CyberRP>120). The Ignorant type has a low risk taking score (CyberRT≤120)
and a low risk perception score (CyberRP≤120).18 The mapping of US and UK population
according to the proposed behavioral types is provided on Figure 7. According to Figure 7,
29% of study participants in the US and 16% in the UK are Relaxed (see orange triangles on
Figure 7). They generally consider cyber risks to be small and often engage in risky activities
in the digital space. Anxious types (see green cubes on Figure 7) represent 34% of our US and
45% of our UK sample. They believe that cyber risks are generally large and rarely engage in
risky activities. Opportunistic types (see blue circles on Figure 7) realize that cyber risks are large
but, nonetheless, often engage in risky activities. There are 12% of Opportunistic types in the
US and 17% in the UK. Finally, 25% of US study participants and 23% of UK study
participants are Ignorant (see red diamonds on Figure 7) types. They think that cyber risks
are small but rarely engage in risky activities.19
US UK
Figure 7 Behavioral Segmentation Results according to CyberDoSpeRT
Results of the Fisher’s exact test show that while both countries have similar fractions of
Opportunistic (p>0.05) and Ignorant (p>0.46) types, the US population has more Relaxed
types than the UK population (p<0.001) and the UK population has more Anxious types than
the US population (p<0.001).20
18 The number of people who have CyberRT=120 and CyberRP=120 in our sample is very low.
Specifically, only 6 and 21 people had CyberRT=120 in the US and in the UK, respectively; while 14
American respondents and 11 British respondents had CyberRP=120. For robustness check, we have
conducted an additional analysis by removing these participants from the sample; however, this did
not change our results. Results of this additional analysis are available from the corresponding author
upon request.
19 Notice that proposed behavioural segmentation can also be applied to each domain of
CyberDoSpeRT scale separately.
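The mid-point rule of Figure 6 and the cross-country comparison of type shares can be reproduced in a few lines. The Python sketch below is an added example, not the authors' code: it assumes 7-point items (implied by the 30-210 and 6-42 score ranges), takes the type counts from Table 3(b), and uses function names and sample respondents constructed for illustration. It goes slightly beyond the text by accepting any item count, so the same rule covers 6-item domain scores with a mid-point of 24.

```python
from collections import Counter
from math import comb

# Assumption: every activity is rated on a 7-point scale. This is inferred from the
# paper's ranges (30 items -> 30..210 overall, 6 items -> 6..42 per domain).
ITEM_MIN, ITEM_MAX = 1, 7

# Number of respondents per behavioral type, column "All" of Table 3(b).
TYPE_COUNTS = {
    "US": {"Relaxed": 145, "Anxious": 170, "Opportunistic": 62, "Ignorant": 123},
    "UK": {"Relaxed": 82, "Anxious": 235, "Opportunistic": 88, "Ignorant": 118},
}


def midpoint(n_items):
    """Mid-point of a summed scale: 120 for 30 items, 24 for a 6-item domain."""
    return n_items * (ITEM_MIN + ITEM_MAX) // 2


def total_score(responses, n_items=30):
    """Sum item responses after checking the count and the per-item range."""
    if len(responses) != n_items:
        raise ValueError(f"expected {n_items} responses, got {len(responses)}")
    if any(not ITEM_MIN <= r <= ITEM_MAX for r in responses):
        raise ValueError("item response outside the rating scale")
    return sum(responses)


def classify(rt, rp, n_items=30):
    """Map a (risk taking, risk perception) score pair to a behavioral type."""
    lo, hi = n_items * ITEM_MIN, n_items * ITEM_MAX
    if not (lo <= rt <= hi and lo <= rp <= hi):
        raise ValueError("score outside the possible range")
    mid = midpoint(n_items)
    # A score exactly at the mid-point counts as "low" on that axis.
    high_rt, high_rp = rt > mid, rp > mid
    if high_rt:
        return "Opportunistic" if high_rp else "Relaxed"
    return "Anxious" if high_rp else "Ignorant"


def segment(respondents):
    """Count types over an iterable of (rt_item_responses, rp_item_responses)."""
    return Counter(
        classify(total_score(rt), total_score(rp)) for rt, rp in respondents
    )


def fisher_exact_two_sided(a, b, c, d):
    """Two-sided Fisher's exact p-value for the 2x2 table [[a, b], [c, d]]."""
    r1, r2, c1, n = a + b, c + d, a + c, a + b + c + d
    denom = comb(n, c1)

    def prob(x):
        # Hypergeometric probability of x "type" members in the first row.
        return comb(r1, x) * comb(r2, c1 - x) / denom

    observed = prob(a)
    support = range(max(0, c1 - r2), min(r1, c1) + 1)
    # Sum every table that is at most as likely as the observed one.
    tail = sum(p for p in map(prob, support) if p <= observed * (1 + 1e-9))
    return min(1.0, tail)


def compare_countries(btype):
    """US vs UK share of one behavioral type, using the Table 3(b) counts."""
    us, uk = TYPE_COUNTS["US"], TYPE_COUNTS["UK"]
    a, c = us[btype], uk[btype]
    return fisher_exact_two_sided(a, sum(us.values()) - a, c, sum(uk.values()) - c)


# Constructed sample respondents (not survey data): (RT items, RP items).
SAMPLE = [
    ([5] * 30, [3] * 30),        # RT=150, RP=90  -> Relaxed
    ([2] * 30, [6] * 30),        # RT=60,  RP=180 -> Anxious
    ([5] * 30, [5] * 30),        # RT=150, RP=150 -> Opportunistic
    ([4] * 30, [4] * 30),        # RT=120, RP=120 -> Ignorant (boundary case)
    ([4] * 29 + [5], [4] * 30),  # RT=121, RP=120 -> Relaxed
]

if __name__ == "__main__":
    print(dict(segment(SAMPLE)))
    for btype in TYPE_COUNTS["US"]:
        print(f"{btype:14s} Fisher exact p = {compare_countries(btype):.4g}")
```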
Note that behavioural types according to risk attitudes in non-cyber space could be
assigned with the DoSpeRT scale using the same mid-point rule. However, we are not aware of
any previous studies which would apply such behavioral segmentation using DoSpeRT. We
have conducted a segmentation according to DoSpeRT for the US and UK populations and ran
a series of Wilcoxon signed-rank tests to understand whether being characterized as a
particular behavioral type according to DoSpeRT scale is a good predictor of being of the same
type according to the CyberDoSpeRT scale. Our results suggest that there is no correlation
between Relaxed, Anxious, and Opportunistic types determined by the DoSpeRT scale and the
CyberDoSpeRT scale (all Wilcoxon signed-rank test probabilities are less than 0.001).21 The
only exception is Ignorant type: for the US sample, signed-rank test reveals a test statistic of
z=-0.763 and p=0.445 when DoSpeRT Ignorant types are compared with CyberDoSpeRT
ignorant types; and for the UK sample, signed-rank test shows a test statistic of z=-1.589 and
p=0.112. These results suggest that behavioral types according to the DoSpeRT scale generally
are not very good predictors of behavioral types according to CyberDoSpeRT since 3 of 4
behavioral types are not similar between the two scales. This is consistent with previous
literature on digital identity which suggests that behavior in the digital domain may be
completely different from behavior in cyber space (see, e.g., Belk, 2013).22
5. Scale Validation: Using CyberDoSpeRT Behavioral Segmentation to Predict
Behavior
So far, we have established how CyberDoSpeRT can help provide behavioral segmentation and
split the population into 4 behavioral types according to risk taking and risk perception in
cyber space. We now validate the scale segmentation by analyzing whether and to what extent
obtained behavioral types can predict behavior not measured by the scale. In what follows we
test whether CyberDoSpeRT behavioral types allow us to anticipate the propensity of people
to adequately judge their cybersecurity experiences. In addition to demographic questions, our
survey also asked study participants about their actual experiences with regard to 3 types of
cybersecurity threats: (i) bank/credit card fraud; (ii) email hacking; and (iii) advance fee
fraud.
20 The prevalence of Anxious types in the UK is especially apparent when we map study observations
by geographical location. The maps are provided in Appendix E.
21 See Appendix F for the detailed results.
22 Notice that, in principle, a similar behavioural segmentation could be done by domain. Since each
domain has 6 questions in risk taking and risk perception parts of the scale, the total scores by
domain may range between 6 and 42 with a mid-point at 24. In this paper we focus only on
segmentation based on the total CyberDoSpeRT score.
We are not arguing that these 3 types of threats are most important nor do we suggest
that these types represent an exhaustive list of threats faced by individuals. We focus on these
types of threats because they are likely to be most relevant to individuals and their
consequences are easily observable by individual users.
Study participants were asked whether, in their own opinion, they were a victim of (i)-
(iii) in the last 12 months (we used these answers as a proxy of the “perceived threat” variable,
henceforth denoted as PT ∈ {0,1}). If a survey participant responded positively to the
“perceived threat” question, they were then asked to provide brief details of their experience.
These details were then coded and used to construct the “false positive” (henceforth,
FP ∈ {0,1}) variable: i.e., some of the explanations actually did not constitute correct
descriptions of threats, which allowed us to identify falsely reported threats. Finally,
participants were also provided with 9 situations (3 per each (i)-(iii) type of threat) and asked
to indicate if they experienced these situations in the last 12 months. Since each situation was
a concrete description of a specific consequence related to a particular cyber threat, we used
these as proxies of the “actual threat” variable (henceforth, AT ∈ {0,1}).23 As a result, we obtained
variable PT which was equal to 1 if an individual experienced at least one of the tested cyber
threats and 0 otherwise; variable FP which was equal to 1 if the perceived threat turned out to
be benign (false positive) and 0 otherwise; and variable AT which was equal to 1 if an
individual experienced at least one of the presented 9 threat-related consequences and 0
otherwise.
The CyberDoSpeRT behavioral types allow us to formulate the following hypotheses
summarized in Part (a) of Table 3. We anticipate that since Relaxed types have low risk
perception and high risk taking scores, there should be a negative correlation between PT as
well as FP and this type and a positive correlation between AT and this type. Since the Anxious
type is characterized by high risk perception and low risk taking, we expect this type to be
positively correlated with PT as well as FP and negatively correlated with AT. We also predict
that the Opportunistic type with high risk taking and risk perception will be positively correlated
with all three variables: PT, FP, and AT. In contrast, the Ignorant type with low risk perception
and low risk taking is expected to be negatively correlated with all three variables.
23 Appendix G provides a detailed description of the method used to calculate PT, FP, and AT.
Results of our validation exercise are presented in Part (b) of Table 3 as well as in Table
4. In our dataset, 155 (31%) people in the US and 156 (30%) in the UK experienced one of the
three cyber threats.24 Anxious (30% in the US sample and 32% in the UK sample) and
Opportunistic (52% in the US sample and 45% in the UK sample) types indeed reported
relatively high levels of perceived threats while Relaxed (15% in both samples) and Ignorant
(14% in the US sample and 17% in the UK sample) revealed low levels of perceived threats.
Generally, 3 of 4 types (Relaxed, Opportunistic, and Ignorant) underestimated the propensity
of actual cyber threats: the number of individuals who reported perceived threats in these 3
types was lower than the number of individuals who actually experienced cyber threats (i.e.,
for these 3 types). For Anxious types the number of individuals reporting perceived
threats was higher than the number of individuals who actually experienced threats but this
was mostly due to a high percentage of false positives. Specifically, 32 of 51 American study
participants and 54 of 76 British participants of the Anxious type reported a perceived threat
when the threat was actually not real.
24 None of the participants in our dataset experienced more than 1 threat within 12 months but 31% of
American and 30% of British respondents reported being subjected to one of the three tested threats.
This percentage is generally consistent with the overall world statistics on the propensity of being a
victim of cybercrime according to the 2018 Identity Fraud: Fraud Enters a New Era of Complexity
study. See https://www.javelinstrategy.com/coverage-area/2018-identity-fraud-fraud-enters-new-era-complexity#
for more detail. The Symantec report also provides similar numbers with 44% of people
affected by cybersecurity issues in 2017 in the US and 26% of people affected by cybersecurity issues in
the UK. Yet, Symantec figures include not only first-hand experiences, but also capture people who
personally know someone else with cybersecurity issues in 2017. See
https://www.symantec.com/content/dam/symantec/docs/about/2017-ncsir-global-results-en.pdf for
more detail.
Table 3 Predicted versus Observed Cyber Threat Experiences by Type
(a) Predicted
Behavioral type   Perceived threat (PT)         False Positive (FP)           Actual threat (AT)
Relaxed           Low (Negative correlation)    Low (Negative correlation)    High (Positive correlation)
Anxious           High (Positive correlation)   High (Positive correlation)   Low (Negative correlation)
Opportunistic     High (Positive correlation)   High (Positive correlation)   High (Positive correlation)
Ignorant          Low (Negative correlation)    Low (Negative correlation)    Low (Negative correlation)
(b) Observed
Behavioral type   US                                                UK
                  All          PT          FP         AT            All          PT          FP         AT
Relaxed           145 (100%)   22 (15%)    0 (0%)     73 (50%)      82 (100%)    12 (15%)    1 (1%)     40 (49%)
Anxious           170 (100%)   51 (30%)    32 (19%)   27 (16%)      235 (100%)   76 (32%)    54 (23%)   38 (16%)
Opportunistic     62 (100%)    32 (52%)    2 (3%)     30 (48%)      88 (100%)    40 (45%)    1 (1%)     46 (52%)
Ignorant          123 (100%)   17 (14%)    0 (0%)     25 (20%)      118 (100%)   20 (17%)    0 (0%)     32 (27%)
Total             500 (100%)   122 (24%)   34 (7%)    155 (31%)     523 (100%)   148 (28%)   56 (11%)   156 (30%)
Table 4 Probit Regression Results
Explanatory      US (N=500)                               UK (N=523)
variable         Dependent variable=                      Dependent variable=
                 PT           FP           AT             PT           FP           AT
Relaxed          -0.451**                  -0.744***      -0.552**     -1.099**     0.603***
                 (0.145)                   (0.127)        (0.181)      (0.390)      (0.153)
Anxious          0.264*       1.624***     -0.715***      0.216        1.721***     -0.759***
                 (0.127)      (0.273)      (0.135)        (0.117)      (0.269)      (0.123)
Opportunistic    0.863***     -0.395       0.527**        0.566***     -1.135**     0.722***
                 (0.173)      (0.323)      (0.171)        (0.149)      (0.387)      (0.149)
Ignorant         -0.501***    -            -0.431**       -0.477**     -            -0.103
                 (0.157)                   (0.145)        (0.151)                   (0.140)
Notes: * - significant at 0.05 level; ** - significant at 0.01 level; *** - significant at 0.001 level.
Each cell in the table represents results of a separate probit regression with either PT, FP, or
AT as a dependent variable and either Relaxed, Anxious, Opportunistic, or Ignorant as an
explanatory variable.
Interestingly, even among Anxious participants, several people failed to detect actual
threats. Specifically, while 19 of 51 participants in the US sample correctly identified threats
(their experienced consequences of cybersecurity threats coincided with their perceptions), 8
(27-19=8) participants did not realize that they had experienced a consequence of a cybersecurity
threat (they did not report any perceived threats but actually experienced at least one
consequence). In the UK sample, 22 of 76 who reported a perceived threat actually experienced
it, while 16 (38-22=16) participants did not realize that they experienced a threat.
Results of a series of probit regressions reported in Table 4 generally confirm all of our
hypotheses presented in Part (a) of Table 3 with one exception. While we predicted high level
of false positives reported by the Opportunistic types, they actually reveal low levels of false
positives. Even though it is not within the scope of this study to investigate why people belong
to certain behavioral types, this result may indicate that Opportunistic participants are not
necessarily systematically overestimating cybersecurity risks. Rather, they tend to realistically
judge the amount of risk and, yet, engage in risk taking activities for a different reason. For
example, extensive work on human behavior and authentication systems suggests that people
do not tend to engage in risky behavior with regard to password generation or password
storage because they are irrational or because they do not care. Rather, modern authentication
systems require a lot of sophistication in password-generation demanding users to create more
and more complex passwords which they struggle to remember. Hence, users tend to store
passwords in unsecure Excel sheets, write them down on paper, and use the same passwords
for multiple accounts (see Renaud and De Angeli, 2004; Renaud, 2005; Renaud and
Zimmermann, 2018 for an extensive discussion of these issues).
6. Advantages of Using Behavioral Segmentation
So far, our analysis has demonstrated that behavioral segmentation is a useful tool to analyze
human behavior. However, to what extent is this segmentation advantageous compared to
using demographic characteristics to produce segments? In other words, can we find a
combination of demographic characteristics which would allow us to construct equally
informative segments? In order to answer these questions, we use replies from the demographic
questionnaire in our survey and try to predict CyberDoSpeRT behavioral types using
demographic characteristics of the study participants. Results of the OLS regression analysis
with Relaxed (R), Anxious (A), Opportunistic (O), and Ignorant (I) behavioral types as dependent
variables and a range of demographic characteristics as explanatory variables are presented in
Table 5.
Table 5 Predicting CyberDoSpeRT Types Using Demographic Characteristics: OLS
Regression Results
Explanatory    US (N=500)                                        UK (N=523)
variable       R            A            O            I            R            A            O            I
Sex            -0.095       0.018        0.375*       -0.134       0.367*       -0.051       0.036        -0.210
               (0.122)      (0.119)      (0.156)      (0.126)      (0.157)      (0.125)      (0.151)      (0.141)
Age            -0.120***    0.133***     -0.086*      0.005        -0.100***    0.081***     -0.135***    0.061**
               (0.031)      (0.028)      (0.041)      (0.030)      (0.025)      (0.019)      (0.024)      (0.021)
Ethnicity      0.438**      -0.189       -0.751***    0.304        -0.035       -0.074       0.143        0.001
               (0.159)      (0.148)      (0.173)      (0.164)      (0.219)      (0.120)      (0.227)      (0.228)
Conservative   -0.026       -0.021       0.473*       -0.269       0.211        -0.070       0.389*       -0.365*
               (0.173)      (0.168)      (0.204)      (0.183)      (0.198)      (0.151)      (0.193)      (0.170)
Liberal        -0.023       0.075        -0.267       0.081        0.228        -0.254       0.240        -0.047
               (0.136)      (0.133)      (0.180)      (0.138)      (0.172)      (0.139)      (0.170)      (0.151)
Income         0.011        0.016        0.047        -0.059**     0.036        0.013        -0.035       -0.025
               (0.020)      (0.020)      (0.025)      (0.022)      (0.020)      (0.018)      (0.022)      (0.022)
Constant       -0.456*      -0.862***    -0.695**     -0.678**     -0.970***    -0.406       -0.582*      -0.837**
               (0.205)      (0.193)      (0.234)      (0.211)      (0.294)      (0.252)      (0.292)      (0.287)
Pseudo R2      0.037        0.039        0.109        0.029        0.107        0.048        0.094        0.044
Notes: The explanatory variables were constructed as follows: Sex (female=1; male=0); Age
(18-20 years=0; 21-25 years=1; 26-30 years=2; 31-35 years=3; 36-40 years=4; 41-45
years=5; 46-50 years=6; 51-55 years=7; 56-60 years=8; 61-65 years=9; 66-70 years=10; 71-75
years=11; 76-80 years=12; 81-85 years=13; over 86 years=14); Ethnicity (white
background=1; any other background=0); Conservative (conservative political views=1; 0
otherwise); Liberal (liberal political views=1; 0 otherwise); Income (for US: $10,000 or less=0,
$10,001-$15,000=1, $15,001-$20,000=2; $20,001-$25,000=3; $25,001-$30,000=4,
$30,001-$35,000=5, $35,001-$40,000=6, $40,001-$45,000=7, $45,001-$50,000=8, $50,001-$55,000=9,
$55,001-$60,000=10, $60,001-$65,000=11; $65,001 or more; for UK: £10,000 or less=0,
£10,001-£15,000=1, £15,001-£20,000=2; £20,001-£25,000=3; £25,001-£30,000=4,
£30,001-£35,000=5, £35,001-£40,000=6, £40,001-£45,000=7, £45,001-£50,000=8,
£50,001-£55,000=9, £55,001-£60,000=10, £60,001-£65,000=11; £65,001 or more).
Our results suggest that demographic characteristics cannot fully capture the
CyberDoSpeRT behavioral types. According to Table 5, older people tend to have lower risk
taking scores than younger people (see Age variable in Table 5). In other words, younger
people are more likely to be assigned a Relaxed or Opportunistic type and older people are
more likely to be of Anxious or Ignorant type. However, in order to fully differentiate between
the 4 types we need to find at least 2 demographic characteristics which systematically and
statistically significantly vary between types. Table 5 shows that such a combination of
demographic characteristics cannot be constructed from those elicited in our study.
7. Conclusion
Using information technology, individuals on a daily basis are subjected to a considerable
amount of risk, whether voluntarily or involuntarily. Measurement of risk taking behavior in
cyberspace is of extreme importance as responsible use of technology is one of the most
important problems facing organizations and governments in the modern global community.
This paper develops a new scale to measure risk taking and risk perceptions in
cyberspace. This scale allows us not only to capture absolute differences in risk attitude
scores and, by doing so, capture cross-cultural differences in individual cyber risk perceptions;
it also offers a practical path to conducting behavioral segmentation. CyberDoSpeRT allows us to
identify 4 behavioral types: Relaxed (high risk taking – low risk perception); Anxious (low risk
taking – high risk perception); Opportunistic (high risk taking – high risk perception) and
Ignorant (low risk taking – low risk perception). Our empirical results suggest that US
population is generally more risk taking in cyberspace compared to the UK population. This
difference can be explained by the relative prevalence of Relaxed types in the US and Anxious
types in the UK. Furthermore, the CyberDoSpeRT behavioral segmentation allows us to
accurately anticipate the individual propensity to detect cybersecurity threats.
Our findings have several important implications. The CyberDoSpeRT scale offers a
simple way for practitioners as well as researchers to measure cyber risk attitudes, segment the
population and use the resulting types to construct custom-made information campaigns for
different users. Ashenden and Lawrence (2013) proposed that social marketing campaigns
should be used to effectively deliver cybersecurity messages to users. Yet, to date, social
marketing campaigns for cybersecurity conducted by organizations provided the same
information to all users. Bloom and Novelli (1981) identified 3 major issues with using market
segmentation for tackling social issues. Specifically, they maintained that social marketers: (i)
face pressure against segmentation, in general, and especially against segmentation that leads
to the ignoring of certain segments; (ii) frequently do not have accurate behavioral data to use
in identifying segmentation; (iii) their target segments must often consist of those consumers
who are the most negatively predisposed to their offerings (see Bloom and Novelli, 1981, p.
81). Our approach allows practitioners to address these issues. The CyberDoSpeRT behavioral
segmentation offers a concrete method to identify types in the population. These types are not
based on any demographic characteristics but rely on behavioral constructs. These constructs,
in turn, are a product of detailed data on what people do and how people feel about various
activities in cyberspace. These constructs are also based on preferences elicited for 5 different
domains making sure that the tested issues are relevant to different audiences. Hence, the
CyberDoSpeRT scale represents a useful tool for practice.
While it is outside the scope of this paper to explore why people belong to different
types, much theoretical work is still needed to understand factors which influence the
propensity of a particular individual to belong to a certain type. Such determinants may
include personality traits, experiential factors, socio-psychological characteristics, etc.
Exploring these determinants is an exciting endeavor for future research.
References
Ackerman, M. S. (2004) ‘Privacy in pervasive environments: Next generation labeling
protocols’, Personal and Ubiquitous Computing, 8(6), pp. 430–439.
Acquisti, A. (2010) ‘The economics of personal data and the economics of privacy’, Research
Showcase @CMU, pp. 1–24.
Acquisti, A. and Grossklags, J. (2004) ‘Privacy attitudes and privacy behavior: losses, gains,
and hyperbolic discounting’, in Camp, L. J. and Lewis, S. (eds) Economics of
Information Security. Advances in Information Security, vol. 12. Boston; Dordrecht
and London: Kluwer Academic, pp. 165–178.
Acquisti, A., John, L. K. and Loewenstein, G. (2013) ‘What is privacy worth?’, Journal of
Legal Studies, 42(2), pp. 249–274.
Adjerid, I., Peer, E. and Acquisti, A. (2018) ‘Beyond the privacy paradox: Objective versus
relative risk in privacy decision making’, MIS Quarterly, forthcoming.
Ashenden, D. and Lawrence, D. (2013) ‘Can we sell security like soap?: a new approach to
behaviour change’, Proceedings of the 2013 New Security Paradigms Workshop, pp. 87-94,
ACM.
Arrow, K. J. (1965) Aspects of the Theory of Risk-bearing. Yrjö Jahnssonin Säätiö.
Belk, R. W. (2013) 'Extended self in a digital world.' Journal of Consumer Research, 40(3),
477-500.
Bernoulli, D. (1738) Specimen theoriae novae de mensura sortis, Commentarii Academiae
Scientiarum Imperialis Petropolitanae, translated as Bernoulli, D. 'Exposition of a new
theory on the measurement of risk', 1954, Econometrica, pp. 23-36.
Blais, A.-R. and Weber, E. U. (2006) ‘A Domain-Specific Risk-Taking (DOSPERT) scale for
adult populations’, Judgment and Decision Making, 1(1), pp. 33–47.
Bloom, P. N., and Novelli, W. D. (1981). 'Problems and challenges in social marketing.'
Journal of Marketing, pp. 79-88.
Carrascal, J. P., Riederer, C., Erramilli, V., Cherubini, M., & de Oliveira, R. (2013) 'Your
browsing behavior for a big mac: Economics of personal information online.'
Proceedings of the 22nd international conference on World Wide Web, pp. 189-200,
ACM.
Dann, S. (2010) 'Redefining social marketing with contemporary commercial marketing
definitions.' Journal of Business Research, 63(2), pp. 147-153.
Dinev, T. and Hart, P. (2006) ‘An extended privacy calculus model for e-commerce
transactions’, Information Systems Research, 17(1), pp. 61–80.
Egelman, S., Felt, A. P. and Wagner, D. (2013) ‘The Economics of Information Security and
Privacy’, in Böhme, Rainer, ed. The Economics of Information Security and Privacy,
Springer Science & Business Media, pp. 211–236.
Einav, L., Finkelstein, A., Pascu, I., and Cullen, M. R. (2012) 'How general are risk
preferences? Choices under uncertainty in different domains.' American Economic
Review, 102(6), 2606-38.
Hann, I. H., Hui, K. L., Lee, S. Y. T., and Png, I. P. (2007) 'Overcoming online information
privacy concerns: An information-processing theory approach' Journal of Management
Information Systems, 24(2), pp. 13-42.
Hanoch, Y., Johnson, J. G. and Wilke, A. (2006) ‘Domain specificity in experimental measures
and participant recruitment: An application to risk-taking behavior’, Psychological
Science, 17(4), pp. 300–304.
Harris, C. R., Jenkins, M. and Glaser, D. (2006) ‘Gender Differences in Risk Assessment: Why
do Women Take Fewer Risks than Men?’, Judgment and Decision Making, 1(1), pp.
48–63.
Hillson, D. and Murray-Webster, R. (2012) Understanding and Managing Risk Attitude. 2nd
edn. Taylor and Francis.
Huberman, B. A., Adar, E. and Fine, L. R. (2005) ‘Valuating privacy’, IEEE Security and
Privacy, 3(5), pp. 22–25.
Kokolakis, S. (2017) ‘Privacy attitudes and privacy behaviour: A review of current research on
the privacy paradox phenomenon’, Computers & Security, 64, pp. 122–134.
Loomes, G. and Pogrebna, G. (2014) ‘Testing for independence while allowing for probabilistic
choice’, Journal of Risk and Uncertainty, 49(3), pp. 189–211.
Pratt, J. W. (1964) ‘Risk Aversion in the Small and in the Large’, Econometrica, 32(1), pp.
122–136. doi: 10.2307/1913738.
Renaud, K. (2005). 'Evaluating authentication mechanisms', Security and Usability, pp. 103-
128.
Renaud, K., and De Angeli, A. (2004) 'My password is here! An investigation into visuo-
spatial authentication mechanisms.' Interacting with Computers, 16(6), pp. 1017-1041.
Renaud, K., and Zimmermann, V. (2018) 'Nudging folks towards stronger password choices:
providing certainty is the key.' Behavioural Public Policy, pp. 1-31.
Saunders, S. G., Barrington, D. J., and Sridharan, S. (2015) 'Redefining social marketing:
beyond behavioural change.' Journal of Social Marketing, 5(2), pp. 160-168.
Slovic, P. and Peters, E. (2006) ‘Risk perception and affect’, Current Directions in
Psychological Science, 15(6), pp. 322–325.
Tedeschi, B. (2002) ‘E-Commerce Report; Everybody talks about online privacy, but few do
anything about’, The New York Times.
Weber, E. U., Blais, A.-R. and Betz, N. E. (2002) ‘A domain-specific risk-attitude scale:
Measuring risk perception and risk behaviors’, Journal of Behavioral Decision Making,
15(August), pp. 263–290.
Weber, E. U. and Johnson, E. J. (2009) 'Decisions Under Uncertainty: Psychological,
Economic, and Neuroeconomic Explanations of Risk Preference', in Neuroeconomics:
Decision Making and the Brain. Edited by and R. A. P. Paul Glimcher, Ernst Fehr,
Colin Camerer. Academic Press.
Weber, E. U. and Milliman, R. A. (1997) ‘Perceived Risk Attitudes: Relating Risk Perception
to Risky Choice’, Management Science, 43(2), pp. 123–144.
Wilke, A., Sherman, A., Curdt, B., Mondal, S., Fitzgerald, C., & Kruger, D. J. (2014). 'An
evolutionary domain-specific risk scale.' Evolutionary Behavioral Sciences, 8(3), 123-
141.
Supplementary Material
(Not Intended for Publication)
Appendix A: Domain-Specific Risk-Taking (DoSpeRT) Scale
The original Domain-Specific Risk-Taking (DoSpeRT) scale was developed by Weber et al. (2002)
and then revised by Blais and Weber (2006). We use the revised version of DoSpeRT (Blais and
Weber, 2006) to develop the CyberDoSpeRT scale. Below, we provide the revised version of the
original DoSpeRT scale from Blais and Weber (2006).
Risk Taking Measure and Scale
For each of the following statements, please indicate the likelihood that you would engage in the described
activity or behavior if you were to find yourself in that situation.
Provide a rating from Extremely Unlikely to Extremely Likely, using the following scale:
1 = Extremely Unlikely; 2 = Moderately Unlikely; 3 = Somewhat Unlikely; 4 = Not Sure;
5 = Somewhat Likely; 6 = Moderately Likely; 7 = Extremely Likely
Risk Perceptions Measure and Scale
People often see some risk in situations that contain uncertainty about what the outcome or
consequences will be and for which there is the possibility of negative consequences. However,
riskiness is a very personal and intuitive notion, and we are interested in your gut level
assessment of how risky each situation or behavior is.
For each of the following statements, please indicate how risky you perceive each situation.
Provide a rating from Not at all Risky to Extremely Risky, using the following scale:
1 = Not at all Risky; 2 = Slightly Risky; 3 = Somewhat Risky; 4 = Moderately Risky;
5 = Risky; 6 = Very Risky; 7 = Extremely Risky
The DoSpeRT scale (Blais and Weber, 2006) invites an individual to answer one Risk Taking
Measure question and one Risk Perceptions Measure question for each of the following 30
statements. Each statement reflects a potentially risky activity. The scale measures risk
attitudes across 5 domains (there are 6 statements per domain): Ethical risks (E);
Financial risks (F); Health/Safety risks (H/S); Recreational risks (R); and Social risks (S). All
statements are presented below in Table A1.
Table A1 DoSpeRT Scale Statements
# Statement Domain
1 Admitting that your tastes are different from those of a friend. S
2 Going camping in the wilderness. R
3 Betting a day’s income at the horse races. F
4 Investing 10% of your annual income in a moderate growth mutual fund. F
5 Drinking heavily at a social function. H/S
6 Taking some questionable deductions on your income tax return. E
7 Disagreeing with an authority figure on a major issue. S
8 Betting a day’s income at a high-stake poker game. F
9 Having an affair with a married man/woman. E
10 Passing off somebody else’s work as your own. E
11 Going down a ski run that is beyond your ability. R
12 Investing 5% of your annual income in a very speculative stock. F
13 Going whitewater rafting at high water in the spring. R
14 Betting a day’s income on the outcome of a sporting event. F
15 Engaging in unprotected sex. H/S
16 Revealing a friend’s secret to someone else. E
17 Driving a car without wearing a seat belt. H/S
18 Investing 10% of your annual income in a new business venture. F
19 Taking a skydiving class. R
20 Riding a motorcycle without a helmet. H/S
21 Choosing a career that you truly enjoy over a more prestigious one. S
22 Speaking your mind about an unpopular issue in a meeting at work. S
23 Sunbathing without sunscreen. H/S
24 Bungee jumping off a tall bridge. R
25 Piloting a small plane. R
26 Walking home alone at night in an unsafe area of town. H/S
27 Moving to a city far away from your extended family. S
28 Starting a new career in your mid-thirties. S
29 Leaving your young children alone at home while running an errand. E
30 Not returning a wallet you found that contains $200. E
Notes: E = Ethical, F = Financial, H/S = Health/Safety, R = Recreational, and S = Social.
Appendix B: Cyber Domain-Specific Risk-Taking (CyberDoSpeRT) Scale
We design the CyberDoSpeRT scale, which measures Risk Taking and Risk Perceptions for
cybersecurity risks. As in Blais and Weber (2006), the following Risk Taking and Risk
Perceptions measures and scales are used.
Risk Taking Measure and Scale
For each of the following statements, please indicate the likelihood that you would engage in the described
activity or behavior if you were to find yourself in that situation.
Provide a rating from Extremely Unlikely to Extremely Likely, using the following scale:
1 = Extremely Unlikely; 2 = Moderately Unlikely; 3 = Somewhat Unlikely; 4 = Not Sure;
5 = Somewhat Likely; 6 = Moderately Likely; 7 = Extremely Likely
Risk Perceptions Measure and Scale
People often see some risk in situations that contain uncertainty about what the outcome or
consequences will be and for which there is the possibility of negative consequences. However,
riskiness is a very personal and intuitive notion, and we are interested in your gut level
assessment of how risky each situation or behavior is.
For each of the following statements, please indicate how risky you perceive each situation.
Provide a rating from Not at all Risky to Extremely Risky, using the following scale:
1 = Not at all Risky; 2 = Slightly Risky; 3 = Somewhat Risky; 4 = Moderately Risky;
5 = Risky; 6 = Very Risky; 7 = Extremely Risky
CyberDoSpeRT measures individual Risk Taking and Risk Perceptions across 5 domains:
Security risks (SE); Personal Data risks (PD); Privacy risks (PR); Negligence risks (NE); and
Cybercrime risks (CR). As in Blais and Weber (2006), we develop 30 statements where each
statement represents a potentially risky activity in cyberspace (there are 6 statements per
domain). All statements are shown below in Table B1.
Table B1 CyberDoSpeRT Scale Statements
# Statement Domain
1 Carrying around confidential data on a USB stick. SE
2 Keeping Location Services on your smartphone turned on. PD
3 Not reading App permissions before uploading an App on your smart phone. SE
4 Using "free" email and webmail services (e.g. Gmail). PR
5 Using cloud services for storing your data (Dropbox, iCloud, Evernote, etc). PR
6 Not using tools which protect your browsing history (e.g., Tor Browser). PD
7 Not using a private server. PR
8 Not backing up files on your PC for one month or longer. SE
9 Having Bluetooth switched on by default on your mobile devices. SE
10 Providing private information (such as your email address) to obtain free WiFi
in public places such as coffee shops, airports, train stations, etc. PD
11 Not updating your passwords for 90 days or longer. SE
12 Using password-management apps (e.g., LastPass or 1Password) to store and
generate passwords. PR
13 Not installing software updates as soon as they become available. CR
14 Not knowing what Apps you have on your smartphone/mobile device. NE
15 Not locking your smartphone/mobile device when it is not in use. NE
16 Letting web browser remember your passwords. NE
17 Letting web browser remember your credit card information. NE
18 Using insecure connection or free WiFi. CR
19 Taking part in quizzes and psychological tests and posting results on Social
Media (e.g., Facebook). PD
20 Not using anti-virus or anti-malware protection. SE
21 Not making hard drives unreadable before disposing of the old PC. NE
22 Linking multiple social media websites (e.g., linking Twitter, Facebook, and
Instagram accounts, etc.). PR
23 Signing to commercial websites (retailers) using your social media (e.g.
Facebook) log-in. PD
24 Enable automatic uploading and/or automatic back-ups. CR
25 Using the same password on multiple devices/websites. NE
26 Shopping via a mobile device in public. CR
27 Accepting cookies from unknown websites. PR
28 Using a wearable device to collect your private data (e.g., FitBit, Apple
Watch, etc.). PD
29 Driving a connected vehicle. CR
30 Installing an Internet-connected security system in your home. CR
Notes: SE=Security, PD=Personal Data, PR=Privacy, NE=Negligence, and CR=Cybercrime.
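As an added example (not the authors' code), the Python below scores one respondent on CyberDoSpeRT using the item-to-domain mapping of Table B1. It assumes a domain score is the sum of its six item ratings, which matches the score ranges reported in Table C1 but is not spelled out in this appendix; the function names and the sample respondent are constructed for illustration.

```python
from collections import Counter

# Item number -> domain code, copied from Table B1.
ITEM_DOMAIN = {
    1: "SE", 2: "PD", 3: "SE", 4: "PR", 5: "PR", 6: "PD",
    7: "PR", 8: "SE", 9: "SE", 10: "PD", 11: "SE", 12: "PR",
    13: "CR", 14: "NE", 15: "NE", 16: "NE", 17: "NE", 18: "CR",
    19: "PD", 20: "SE", 21: "NE", 22: "PR", 23: "PD", 24: "CR",
    25: "NE", 26: "CR", 27: "PR", 28: "PD", 29: "CR", 30: "CR",
}
DOMAINS = ("SE", "PD", "PR", "NE", "CR")

# The appendix states 6 statements per domain; fail fast if the map is mistyped.
assert dict(Counter(ITEM_DOMAIN.values())) == {d: 6 for d in DOMAINS}


def domain_scores(ratings):
    """Score one measure (Risk Taking or Risk Perception) for one respondent.

    ratings: dict mapping item number (1-30) to an integer rating 1-7.
    Returns per-domain sums plus 'Total'. Summation is this example's
    assumption (domain range 6-42, total range 30-210).
    """
    missing = sorted(set(ITEM_DOMAIN) - set(ratings))
    unknown = sorted(set(ratings) - set(ITEM_DOMAIN))
    if missing or unknown:
        raise ValueError(f"missing items {missing}, unknown items {unknown}")
    scores = dict.fromkeys(DOMAINS, 0)
    for item, rating in ratings.items():
        valid = isinstance(rating, int) and not isinstance(rating, bool)
        if not valid or not 1 <= rating <= 7:
            raise ValueError(f"item {item}: {rating!r} is not an integer 1-7")
        scores[ITEM_DOMAIN[item]] += rating
    scores["Total"] = sum(scores[d] for d in DOMAINS)
    return scores


def score_respondent(risk_taking, risk_perception):
    """Return both measures side by side for one respondent."""
    return {"RT": domain_scores(risk_taking),
            "RP": domain_scores(risk_perception)}


def _constructed(by_domain, default=4):
    """Build a full 30-item answer sheet from per-domain ratings (sample data)."""
    return {i: by_domain.get(d, default) for i, d in ITEM_DOMAIN.items()}


# Constructed respondent: takes Negligence risks readily and sees little risk
# in them, while avoiding Security risks and rating them as risky.
SAMPLE_RT = _constructed({"NE": 6, "SE": 2})
SAMPLE_RP = _constructed({"NE": 2, "SE": 6})

if __name__ == "__main__":
    for measure, scores in score_respondent(SAMPLE_RT, SAMPLE_RP).items():
        print(measure, scores)
```
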
Appendix C: DoSpeRT Results
Table C1 DoSpeRT Results by Country
RT_S RT_R RT_F RT_HS RT_E Total
US 30.11 16.81 15.16 17.30 12.91 92.29
UK 26.62 14.53 13.67 17.53 14.14 86.48
MWW test (z) 7.496 5.656 4.723 -0.299 -1.138 4.580
MWW test (p) 0.0000 0.0000 0.0000 0.7651 0.2552 0.0000
RP_S RP_R RP_F RP_HS RP_E Total
US 17.69 27.76 29.85 29.23 27.73 132.25
UK 18.26 29.40 31.80 30.18 29.33 138.96
MWW test (z) -0.613 -4.075 -4.976 -2.776 -4.437 -4.926
MWW test (p) 0.5400 0.0000 0.0000 0.0055 0.0000 0.0000
Notes: RT – Risk Taking according to DoSpeRT (a) and CyberDoSpeRT (b); RP – Risk
Perception according to DoSpeRT (a) and CyberDoSpeRT (b); _S – Social domain; _R –
Recreational domain; _F – Financial domain; _HS – Health and Safety domain; _E –
Ethics domain.
Results of the “classical” DoSpeRT scale by country show that, for 3 of 5 domains (Social,
Recreational, and Financial), US study participants are more risk taking than UK study
participants. For the Health and Safety domain and the Ethics domain, the difference between
American and British study participants is not statistically significant. In terms of risk
perceptions, British participants are more sensitive than American participants in 4 of 5
DoSpeRT domains (Recreational, Financial, Health and Safety, and Ethics). US and UK study
participants reveal very similar risk perceptions for the Social domain.
Appendix D CyberDoSpeRT Individual Question Results
Table D1 Mean Risk Taking and Risk Perception in US and UK according to the
Cyber Domain-Specific Risk-Taking (CyberDoSpeRT) Scale
# Statement Domain US (Cyber RT) US (Cyber RP) UK (Cyber RT) UK (Cyber RP)
1 Carrying around confidential data on a USB stick. SE 3.15 4.48 2.72 4.89
2 Keeping Location Services on your smartphone turned on. PD 4.12 3.52 3.61 4.19
3 Not reading App permissions before uploading an App on your smart phone. SE 6.39 2.52 5.49 3.12
4 Using "free" email and webmail services (e.g. Gmail). PR 2.54 3.82 3.05 3.88
5 Using cloud services for storing your data (Dropbox, iCloud, Evernote, etc). PR 4.12 3.59 3.56 4.11
6 Not using tools which protect your browsing history (e.g., Tor Browser). PD 4.77 3.29 4.04 3.58
7 Not using a private server. PR 4.19 4.00 3.84 4.34
8 Not backing up files on your PC for one month or longer. SE 3.10 4.56 3.09 4.77
9 Having Bluetooth switched on by default on your mobile devices. SE 4.05 4.56 3.67 4.72
10 Providing private information (such as your email address) to obtain free WiFi in public places such as coffee shops, airports, train stations, etc. PD 4.34 3.70 3.62 4.31
11 Not updating your passwords for 90 days or longer. SE 4.41 4.25 3.74 4.65
12 Using password-management apps (e.g., LastPass or 1Password) to store and generate passwords. PR 4.12 3.14 3.88 3.71
13 Not installing software updates as soon as they become available. CR 4.22 4.27 3.72 4.36
14 Not knowing what Apps you have on your smartphone/mobile device. NE 3.23 4.48 3.65 4.54
15 Not locking your smartphone/mobile device when it is not in use. NE 4.28 3.75 3.60 4.24
16 Letting web browser remember your passwords. NE 3.73 3.98 3.25 4.22
17 Letting web browser remember your credit card information. NE 2.86 4.98 2.70 5.22
18 Using insecure connection or free WiFi. CR 3.03 3.58 2.88 4.20
19 Taking part in quizzes and psychological tests and posting results on Social Media (e.g., Facebook). PD 2.91 3.45 2.62 4.22
20 Not using anti-virus or anti-malware protection. SE 2.84 2.98 2.82 3.84
21 Not making hard drives unreadable before disposing of the old PC. NE 4.87 3.99 4.22 4.32
22 Linking multiple social media websites (e.g., linking Twitter, Facebook, and Instagram accounts, etc.). PR 3.42 3.64 3.11 4.19
23 Signing to commercial websites (retailers) using your social media (e.g. Facebook) log-in. PD 3.52 3.01 2.74 3.97
24 Enable automatic uploading and/or automatic back-ups. CR 3.65 3.29 2.95 4.11
25 Using the same password on multiple devices/websites. NE 2.95 4.75 2.98 5.02
26 Shopping via a mobile device in public. CR 3.56 2.91 2.88 3.68
27 Accepting cookies from unknown websites. PR 3.52 4.26 3.46 4.46
28 Using a wearable device to collect your private data (e.g., FitBit, Apple Watch, etc.). PD 2.34 5.41 2.61 5.54
29 Driving a connected vehicle. CR 3.36 3.19 3.23 3.66
30 Installing an Internet-connected security system in your home. CR 4.30 4.68 4.07 4.93
Notes: SE=Security, PD=Personal Data, PR=Privacy, NE=Negligence, and CR=Cybercrime;
RT= Risk Taking; RP= Risk Perception
Appendix E Geographical Allocation of CyberDoSpeRT Behavioral Types
Figure F1 CyberDoSpeRT Types in the US
Figure F2 CyberDoSpeRT Types in the UK
Notes: On both Figure F1 and Figure F2, Relaxed types are shown as orange dots, Anxious
types are depicted by green dots, Opportunistic types are captured by blue dots, and Ignorant
types are shown as red dots.
Appendix F Behavioral Segmentation
Figure E1 DoSpeRT and CyberDoSpeRT Behavioral Segmentation Mapping
Panels: US and UK; (a) DoSpeRT, (b) CyberDoSpeRT
Table E2 DoSpeRT Segments as Predictors of CyberDoSpeRT Segments
Behavioral type DoSpeRT (US) DoSpeRT (UK) CyberDoSpeRT (US) CyberDoSpeRT (UK) Signed-rank test (US) Signed-rank test (UK)
Relaxed 32 (6%) 27 (5%) 145 (29%) 82 (16%) z=-9.654, p=0.0000 z=-5.897, p=0.0000
Anxious 320 (64%) 344 (66%) 170 (34%) 235 (45%) z=10.607, p=0.0000 z=7.766, p=0.0000
Opportunistic 34 (7%) 53 (10%) 62 (12%) 88 (17%) z=-3.347, p=0.0008 z=-4.041, p=0.0001
Ignorant 114 (23%) 99 (19%) 123 (25%) 118 (23%) z=-0.763, p=0.4452 z=-1.589, p=0.1121
Total 500 (100%) 523 (100%) 500 (100%) 523 (100%)
Notes: Results of Wilcoxon signed-rank test show that DoSpeRT behavioral types do not
predict CyberDoSpeRT types well. Opportunistic, Anxious, and Relaxed types according to
CyberDoSpeRT cannot be predicted by Opportunistic, Anxious, and Relaxed types in
DoSpeRT. For the Ignorant type the difference is not statistically significant. In the US sample, 49
people were classified as Ignorant according to both DoSpeRT and CyberDoSpeRT. In the UK
sample, 37 people were classified as Ignorant according to both DoSpeRT and CyberDoSpeRT.
[Figure E1 panels (image not reproduced): axes Risk Taking and Risk Perception; quadrant labels Opportunistic, Ignorant, Anxious, Relaxed.]
Appendix G Non-scale Constructs
Table G1 Construction of “Perceived Threat” and “False Positive” Variables
Intermediate Construct Question
1 (1) In your opinion, were you a victim of bank/credit card fraud (i.e., theft of bank/credit card or the card details or theft of bank/credit card for money to be taken from your account or used to buy items in your name) in the last 12 months? Yes No
1 (1) If Yes, briefly (in a few words) summarize your experience.
2 (2) In your opinion, were you a victim of email hacking (unauthorized access to, or manipulation of, an email account or email correspondence) in the last 12 months? Yes No
2 (2) If Yes, briefly (in a few words) summarize your experience.
3 (3) In your opinion, were you a victim of advance fee fraud (promising the victim a significant share of a large sum of money, in return for a small up-front payment, which the fraudster requires in order to obtain the large sum) in the last 12 months? Yes No
3 (3) If Yes, briefly (in a few words) summarize your experience.
The perceived threat () variable was calculated as follows:
(1) Each of the constructs 1, 2, 3 was assigned a value of 1 if the answer to the
relevant question was “Yes” and 0 if the answer was “No”.
1 → 1 1∧1 → 1 0
2 → 2 1∧2 → 2 0
3 → 3 1∧3 → 3 0
(2) If at least one of the constructs 1, 2, 3 was greater than 0, construct was
assigned a value of 1, otherwise it was assigned a value of 0 (see footnote 25).
1 2 3 0 → 1∧1 2 3 0 → 0
In order to calculate the false positive () variable, the answers to 1, 2, and
3 constructs were coded and analyzed. If the description of an experience did not constitute
signs of bank/credit card fraud, email hacking, or fee fraud, respectively, was assigned a
value of 1, otherwise it was assigned a value of 0. For example, the following statement was
assigned a value of 1 1: “For several days I couldn’t log into my email. Then it turned
out that I forgot my password so when I remembered it I logged in but I am sure someone
tampered with it.”; and the following statement was assigned a value of 0 0: “I noticed
strange transaction on my bank account statement. When I called the bank, I was told that my
credit card information was stolen and my bank sent me a new card.”
25 None of the respondents reported a sum of 1, 2, 3 greater than 1.
In order to construct the actual threat () variable, 9 additional questions aimed to
verify information provided by study participants about constructs 1, 2, and 3 (3 per
each construct) were used. These verification questions are presented below in Table G2.
Table G2 Construction of “Actual Threat” Variable
Intermediate Construct Have you experienced any of the following in the last 12 months? (see footnote 26)
Actual threat 1A (AT1A) My bank/credit card was rejected when I tried to pay with it or withdraw money even though I was sure I had enough money in my account. Upon further examination, I discovered that money disappeared from my account. Yes No
Actual threat 1B (AT1B) I spotted unusual activity on my bank statements: purchases I didn’t make, cash withdrawals from places I didn’t go to, etc. Yes No
Actual threat 1C (AT1C) I gave my bank/credit card PIN to an operator via call, text message or voicemail. Yes No
Actual threat 2A (AT2A) My email password was rejected as incorrect when I did not change it. I had to contact the email administrator to recover my account. Yes No
Actual threat 2B (AT2B) I noticed unusual activity in my email Inbox (i.e., there were emails sent from my account which I don’t remember sending). Yes No
Actual threat 2C (AT2C) I noticed that copies of my emails were forwarded to an unknown email address. Yes No
Actual threat 3A (AT3A) I paid an upfront fee for a loan which I have never received. Yes No
Actual threat 3B (AT3B) I was put under pressure to pay an upfront fee for a loan quickly. I then have never received the loan. Yes No
Actual threat 3C (AT3C) I was told to pay an upfront refundable fee for a loan. I was told that it would be used as a deposit/ administrative fee/insurance. After I paid a fee I never got it back nor did I receive the loan. Yes No
26 The order of statements presented in Table G2 was randomized for each respondent.
The actual threat () variable was calculated as follows:
(1) Each of the constructs AT1A, AT1B, AT1C, AT2A, AT2B, AT2C, AT3A, AT3B, AT3C was
assigned a value of 1 if the answer to the relevant question was “Yes” and 0 if the
answer was “No”.
1 →1
1∧1 →1
0
1 →1
1∧1 →1
0
1 →1
1∧1 →1
0
2 →2
1∧2 →2
0
2 →2
1∧2 →2
0
2 →2
1∧2 →2
0
3 →3
1∧3 →3
0
3 →3
1∧3 →3
0
3 →3
1∧3 →3
0
(2) If at least one of the constructs AT1A, AT1B, AT1C, AT2A, AT2B, AT2C, AT3A, AT3B,
AT3C was greater than 0, construct was assigned a value of 1, otherwise it was
assigned a value of 0 (see footnote 27).
0→1∧
0→0
27 None of the respondents reported a sum of 1, 2, 3 greater than 1.