Chapter

Behavioural Issues in Cybersecurity

Article
Full-text available
We conducted an online experiment (n = 2024) on a representative sample of internet users in Germany, Sweden, Poland, Spain and the UK to explore the effect of notifications on security behaviour. Inspired by protection motivation theory (PMT), a coping message advised participants on how to minimize their exposure to risk and a threat appeal highlighted the potential negative consequences of not doing so. Both increased secure behavior – but the coping message significantly more so. The coping message was also as effective as both messages combined, but not so the threat appeal. Risk attitudes, age and country had a significant effect on behavior. Initiatives seeking to promote secure behavior should focus more on coping messages, either alone or in combination with fear appeals.
Article
Full-text available
Spending on security in an SME usually has to compete with demands for hardware, infrastructure, and strategic applications. In this paper, the authors seek to explore the reasons why smaller SMEs in particular have consistently failed to see securing information as strategic year-on-year spending, and just regard it as part of an overall tight IT budget. The authors scrutinise the typical SME's reasoning for choosing to see non-spending on security as an acceptable strategic risk. They look particularly at possible reasons why SMEs tend not to take much notice of "scare stories" in the media based on research showing they are increasingly at risk, whilst larger businesses are taking greater precautions and becoming more difficult to penetrate. The results and their analysis provide useful pointers towards broader business environment changes that would cause SMEs to be more risk-averse and ethical in their approach to securing their own and their clients' information.
Conference Paper
Full-text available
Despite increased awareness of cybersecurity incidents and consequences, organisations still struggle to convince employees to comply with information security policies and engage in effective cyber prevention. Here we introduce and evaluate The Cybersurvival Task, a ranking task that highlights cybersecurity misconceptions amongst employees and that serves as a reflective exercise for security experts. We describe an initial deployment and refinement of the task in one organisation and a second deployment and evaluation in another. We show how the Cybersurvival Task could be used to detect 'shadow security' cultures within an organisation and illustrate how a group discussion about the importance of different cyber behaviours led to the weakening of staff's cybersecurity positions (i.e. more disagreement with experts). We also discuss its use as a tool to inform organisational policy-making and the design of campaigns and training events, ensuring that they are better tailored to specific staff groups and designed to target problematic behaviours.
Chapter
Full-text available
Security experts frequently refer to people as “the weakest link in the chain” of system security. Famed hacker Kevin Mitnick revealed that he hardly ever cracked a password, because it “was easier to dupe people into revealing it” by employing a range of social engineering techniques. Often, such failures are attributed to users’ carelessness and ignorance. However, more enlightened researchers have pointed out that current security tools are simply too complex for many users, and they have made efforts to improve user interfaces to security tools. In this chapter, we aim to broaden the current perspective, focusing on the usability of security tools (or products) and the process of designing secure systems for the real-world context (the panorama) in which they have to operate. Here we demonstrate how current human factors knowledge and user-centered design principles can help security designers produce security solutions that are effective in practice.
Article
Full-text available
Cybersecurity is a global phenomenon representing a complex socio-technical challenge for governments, but requiring the involvement of individuals. Although cybersecurity is one of the most important challenges faced by governments today, its visibility and public awareness remain limited. Almost everybody has heard of cybersecurity; however, the urgency and behaviour of persons do not reflect a high level of awareness. The Internet is all too often considered a safe environment for sharing information, transactions and controlling the physical world. Yet cyberwars are already ongoing, and there is an urgent need to be better prepared. The inability to frame cybersecurity has resulted in a failure to develop suitable policies. In this paper, we discuss the challenges in framing policy on cybersecurity and offer strategies for better communicating cybersecurity. Communicating cybersecurity is confronted with paradoxes, which has resulted in society not taking appropriate measures to deal with the threats. The limited visibility, socio-technological complexity, ambiguous impact and the contested nature of fighting cybersecurity complicate policy-making. Framing using utopian or dystopian views might be counterproductive and result in neglecting evidence. Instead, we present evidence-based framing strategies which can help to increase societal and political awareness of cybersecurity and put the issues in perspective.
Article
Full-text available
Despite the promising potential of network risk management services (e.g., cyber-insurance) to improve information security, their deployment is relatively scarce, primarily due to such service companies being unable to guarantee profitability. As a novel approach to making cyber-insurance services more viable, we explore a symbiotic relationship between security vendors (e.g., Symantec) capable of price differentiating their clients, and cyber-insurance agencies having possession of information related to the security investments of their clients. The goal of this relationship is to (i) allow security vendors to price differentiate their clients based on security investment information from insurance agencies, (ii) allow the vendors to make more profit than in homogeneous pricing settings, and (iii) subsequently transfer some of the extra profit to cyber-insurance agencies to make insurance services more viable. In this paper, we perform a theoretical study of a market for differentiated security product pricing, primarily with a view to ensuring that security vendors (SVs) make more profit in the differentiated pricing case as compared to the case of non-differentiated pricing. In order to practically realize such pricing markets, we propose novel and computationally efficient consumer differentiated pricing mechanisms for SVs based on (i) the market structure, (ii) the communication network structure of SV consumers captured via a consumer's Bonacich centrality in the network, and (iii) security investment amounts made by SV consumers.
Article
Full-text available
The article has open access status and is freely available from the Springer website! Mobile devices offer a common platform for both leisure and work-related tasks, but this has resulted in a blurred boundary between home and work. In this paper, we explore the security implications of this blurred boundary, both for the worker and the employer. Mobile workers may not always make optimal security-related choices when "on the go", and more impulsive individuals may be particularly affected as they are considered more vulnerable to distraction. In this study, we used a task scenario in which 104 users were asked to choose a wireless network when responding to work demands while out of the office. Eye-tracking data was obtained from a subsample of 40 of these participants in order to explore the effects of impulsivity on attention. Our results suggest that impulsive people are more frequent users of public devices and networks in their day-to-day interactions and are more likely to access their social networks on a regular basis. However, they are also likely to make risky decisions when working on the go, processing fewer features before making those decisions. These results suggest that those with high impulsivity may make more use of the mobile Internet options for both work and private purposes, but they also show attentional behavior patterns that suggest they make less considered security-sensitive decisions. The findings are discussed in terms of designs that might support enhanced deliberation, both in the moment and also in relation to longer-term behaviors that would contribute to a better work–life balance.
Conference Paper
Full-text available
Organisational security policies are often written without sufficiently taking into account the goals and capabilities of the employees that must follow them. Effective security management requires that security managers are able to assess the effectiveness of their policies, including their impact on employee behaviour. We present a methodology for gathering large-scale data sets on employee behaviour and attitudes via scenario-based surveys. The survey questions are grounded in rich data drawn from interviews, and probe perceptions of security measures and their impact. Here we study employees of a large multinational company, demonstrating that our approach is capable of determining important differences between various population groups. We also report that our work has been used to set policy within the partner organisation, illustrating the real-world impact of our research.
Article
Full-text available
Information security management programs have long included “fear appeals”, managerial communiqués designed to promote secure behaviors among organizational insiders. However, recent research has found a conflict between the predictions of contemporary fear appeal theory for how we expect individuals to experience fear appeals and what actually occurs in IS security situations. Using the opportunity presented by neuroimaging tools to examine cognitive and affective reactions to fear appeals, we take a comparative look at the contentions of fear appeal theory and the realities of what insiders experience neurologically when exposed to ecologically relevant IS security fear appeals. Our fMRI results suggest that fear appeals elicit threat and threat response assessments, which partially supports fear appeal theory but does not support the presence of an actual fear response. Furthermore, appraisals of recommended threat responses had a stronger impact on intentions to enact security behaviors than appraisals of the threat itself, which suggests that a focus on threats might be misplaced. Instead, focusing on ways to make the responses to the threats more appealing to users might work better. These controversial findings suggest future research that should explore how fear appeals play out in IS security and in what ways.
Conference Paper
Full-text available
Trust seals, such as the VeriSign and TRUSTe logos, are widely used to indicate a website is reputable. But how much protection do they offer to online shoppers? We conducted a study in which 60 experienced online shoppers rated 6 websites – with and without trust seals – based on how trustworthy they perceived them to be. Eye tracking data reveals that 38% of participants failed to notice any of the trust seals present. When seals were noticed, the ratings assigned to each website were significantly higher than for the same website without a seal, but qualitative analysis of the interview data revealed significant misconceptions of their meaning (e.g. "presence of seals automatically legitimizes any website"). Participants tended to rely on self-developed – but inaccurate – heuristics for assessing trustworthiness (e.g. perceived investment in website development, or references to other recognizable entities). We conclude that trust seals currently do not offer effective protection against scam websites, and suggest that other mechanisms – such as automatic verification of authenticity – are required to support consumers' trust decisions.
Conference Paper
Full-text available
People make security choices on a daily basis without fully considering the security implications of those choices. In this paper we present a prototype application which promotes the choice of secure wireless network options, specifically when users are unfamiliar with the wireless networks available. The app was developed based on behavioural theory, choice architecture and good practices informed by HCI design. The app includes several options to 'nudge' users towards selecting more secure public wireless networks. This paper outlines the development and the results of an evaluation of some of the potential app nudges (specifically, presentation order and colour coding). Colour coding was found to be a powerful influence, less so with the order in which we listed the Wi-Fi networks, although the colour x order combination was most effective. The paper contributes to the body of evidence on the effectiveness of cyber-security interventions to empower the user to make more informed security decisions.
Article
Full-text available
In this research, we investigate consumers' motivations for disclosing personal information to relationship-seeking marketers. We explore the impact of consumers' relationship perceptions, the nature of benefits offered by marketers in exchange for requested information, and the type of information requested on consumers' disclosure willingness, focusing on consumers' forecasts of 2 types of potential disclosure-related loss (i.e., loss of privacy and loss of face), which are shown to mediate this decision. The results of an experiment revealed that although participants with relatively deep relationship perceptions were more likely to reveal "privacy-related" personal information, they were more reluctant to reveal embarrassing information. The findings also suggest that although loyal customers found the exchange of privacy-related personal information for customized benefit offerings (relative to noncustomized offerings) attractive, the reverse was true for embarrassing information; these participants seemed to find the exchange of customized offerings for this latter type of information unattractive. We discuss the theoretical and practical implications of the findings for consumer researchers and relationship-seeking marketing practitioners.
Article
Full-text available
When investing in cyber security resources, information security managers have to follow effective decision-making strategies. We refer to this as the cyber security investment challenge. In this paper, we consider three possible decision support methodologies for security managers to tackle this challenge. We consider methods based on game theory, combinatorial optimisation, and a hybrid of the two. Our modelling starts by building a framework where we can investigate the effectiveness of a cyber security control regarding the protection of different assets seen as targets in the presence of commodity threats. As game theory captures the interaction between the endogenous organisation's and attackers' decisions, we consider a 2-person control game between the security manager, who has to choose among different implementation levels of a cyber security control, and a commodity attacker, who chooses among different targets to attack. The pure game-theoretical methodology consists of a large game including all controls and all threats. In the hybrid methodology, the game solutions of individual control games along with their direct costs (e.g. financial) are combined with a Knapsack algorithm to derive an optimal investment strategy. The combinatorial optimisation technique consists of a multi-objective multiple-choice Knapsack-based strategy. To compare these approaches we built a decision support tool and a case study regarding current government guidelines. The endeavour of this work is to highlight the weaknesses and strengths of different investment methodologies for cyber security, the benefit of their interaction, and the impact that indirect costs have on cyber security investment. Going a step further in validating our work, we have shown that our decision support tool provides the same advice as that advocated by the UK government with regard to the requirements for basic technical protection from cyber attacks in SMEs.
Conference Paper
Full-text available
Over the past decade, security researchers and practitioners have tried to understand why employees do not comply with organizational security policies and mechanisms. Past research has treated compliance as a binary decision: people comply, or they do not. From our analysis of 118 in-depth interviews with individuals (employees in a large multinational organization) about security non-compliance, a 3rd response emerges: shadow security. This describes the instances where security-conscious employees who think they cannot comply with the prescribed security policy create a more fitting alternative to the policies and mechanisms created by the organization's official security staff. These workarounds are usually not visible to official security and higher management – hence 'shadow security'. They may not be as secure as the 'official' policy would be in theory, but they reflect the best compromise staff can find between getting the job done and managing the risks that the assets they understand face. We conclude that rather than trying to 'stamp out' shadow security practices, organizations should learn from them: they provide a starting point for 'workable' security: solutions that offer effective security and fit with the organization's business, rather than impede it.
Article
Full-text available
Fear arousal is widely used in persuasive campaigns and behavioral change interventions. Yet, experimental evidence argues against the use of threatening health information. The authors reviewed the current state of empirical evidence on the effectiveness of fear appeals. Following a brief overview of the use of fear arousal in health education practice and the structure of effective fear appeals according to two main theoretical frameworks – protection motivation theory and the extended parallel process model – the findings of six meta-analytic studies on the effectiveness of fear appeals are summarized. It is concluded that coping information aimed at increasing perceptions of response effectiveness and especially self-efficacy is more important in promoting protective action than presenting threatening health information aimed at increasing risk perceptions and fear arousal. Alternative behavior change methods than fear appeals should be considered.
Article
Full-text available
The National Initiative for Cybersecurity Education (NICE) will be conducting a nationwide awareness and outreach program to effect behavioral change. To be effective, an educational campaign must first understand users' perceptions of computer and online security. The authors' research objective was to understand users' current knowledge base, awareness, and skills. They investigated users' understanding of online security by conducting in-depth interviews with the goal of identifying existing correct perceptions, myths, and potential misperceptions. Their findings indicate that the participants were primarily aware of and concerned with online and computer security. However, they lacked a complete skill set to protect their computer systems, identities, and information online. Providing a skill set that lets them develop complete mental models will help them to correctly anticipate and adapt the appropriate behaviors when approaching online security.
Article
Full-text available
In Study 1, over 200 college students estimated how much their own chance of experiencing 42 events differed from the chances of their classmates. Overall, Ss rated their own chances to be significantly above average for positive events and below average for negative events. Cognitive and motivational considerations led to predictions that degree of desirability, perceived probability, personal experience, perceived controllability, and stereotype salience would influence the amount of optimistic bias evoked by different events. All predictions were supported, although the pattern of effects differed for positive and negative events. Study 2 with 120 female undergraduates from Study 1 tested the idea that people are unrealistically optimistic because they focus on factors that improve their own chances of achieving desirable outcomes and fail to realize that others may have just as many factors in their favor. Ss listed the factors that they thought influenced their own chances of experiencing 8 future events. When such lists were read by a 2nd group of Ss, the amount of unrealistic optimism shown by this 2nd group for the same 8 events decreased significantly, although it was not eliminated.
Article
Full-text available
In order to mobilise action against a social problem, public service communicators often include normative information in their persuasive appeals. Such messages can be either effective or ineffective because they can normalise either desirable or undesirable conduct. To examine the implications in an environmental context, visitors to Arizona's Petrified Forest National Park were exposed to messages that admonished against the theft of petrified wood. In addition, the messages conveyed information either about descriptive norms (the levels of others' behaviour) or injunctive norms (the levels of others' disapproval) regarding such thievery. Results showed that focusing message recipients on descriptive normative information was most likely to increase theft, whereas focusing them on injunctive normative information was most likely to suppress it. Recommendations are offered for optimising the impact of normative messages in situations characterised by objectionable levels of undesirable conduct. After decades of debate concerning their causal impact, (e.g.
Article
Full-text available
Government and industry organizations have declared information privacy and security to be major obstacles in the development of consumer-related e-commerce. Risk perceptions regarding Internet privacy and security have been identified as issues for both new and experienced users of Internet technology. This paper explores risk perceptions among consumers of varying levels of Internet experience and how these perceptions relate to online shopping activity. Findings provide evidence of hypothesized relationships among consumers’ levels of Internet experience, the use of alternate remote purchasing methods (such as telephone and mail-order shopping), the perceived risks of online shopping, and online purchasing activity. Implications for online commerce and consumer welfare are discussed.
Article
Full-text available
Personalization refers to the tailoring of products and purchase experience to the tastes of individual consumers based upon their personal and preference information. Recent advances in information acquisition and processing technologies have allowed online vendors to offer varieties of web-based personalization that not only increase switching costs, but also serve as important means of acquiring valuable customer information. However, investments in online personalization may be severely undermined if consumers do not use these services due to privacy concerns. In the absence of any empirical evidence that seeks to understand this consumer dilemma, our research develops a parsimonious model to predict consumers' usage of online personalization as a result of the tradeoff between their value for personalization and concern for privacy. In addition to this tradeoff, we find that a consumer's intent to use personalization services is positively influenced by her trust in the vendor. Our findings suggest that: 1. online vendors can improve their abilities to acquire and use customer information through trust-building activities; 2. it is of critical importance that vendors understand and evaluate the different values consumers may place in enjoying various types of personalization.
Conference Paper
Full-text available
The literature agrees that the major threat to IS security is constituted by careless employees who do not comply with organizations' IS security policies and procedures. To address this concern, different approaches for ensuring employees' IS security policy compliance have been proposed. Prior research on IS security compliance has criticized these extant IS security awareness approaches as lacking theoretically and empirically grounded principles to ensure that employees comply with IS security policies. To fill this gap, this study proposes a theoretical model that contains the factors that explain employees' IS security policy compliance. Data (N=245) from a Finnish company provides empirical support for the model. The results suggest that information quality has a significant effect on actual IS security policy compliance. Employees' attitude, normative beliefs and habits have a significant effect on intention to comply with IS security policy. Threat appraisal and facilitating conditions have a significant impact on attitude towards complying, while coping appraisal does not have a significant effect on employees' attitude towards complying. Sanctions have an insignificant effect on intention to comply with IS security policy, and awards do not have a significant effect on actual compliance with IS security policy.
Article
Full-text available
Many organisations suspect that their internal security threat is more pressing than their external security threat. The internal threat is predominantly the result of poor user security behaviour. Yet, despite that, security awareness programmes often seem more likely to put users to sleep than to improve their behaviour. This article discusses the influences that affect a user's security behaviour and outlines how a well-structured approach focused on improving behaviour could be an excellent way to take security slack out of an organisation and to achieve a high return for a modest, low-risk investment.
Article
Full-text available
This research investigated information systems security policy (ISSP) compliance by drawing upon two relevant theories i.e. the theory of planned behavior (TPB) and the protection motivation theory (PMT). A research model that fused constituents of the aforementioned theories was proposed and validated. Relevant hypotheses were developed to test the research conceptualization. Data analysis was performed using the partial least squares (PLS) technique. Using a survey of 124 business managers and IS professionals, this study showed that factors such as self-efficacy, attitude toward compliance, subjective norms, response efficacy and perceived vulnerability positively influence ISSP behavioral compliance intentions of employees. The data analysis did not support perceived severity and response cost as being predictors of ISSP behavioral compliance intentions. The study’s implications for research and practice are discussed.
Article
Full-text available
The use of the Web to learn about consumer behavior and online privacy is discussed. Consumers are more protective of their personal data than most e-marketers. Consumers are willing to provide their home address, phone number, email address, Social Security number and credit card number to a well-known site as compared to a lesser-known site, in part because they have no confidence that the e-commerce legal environment is secure. Multivariate analysis of variance reveals an overall effect for the type of Web site with regard to the willingness of respondents to reveal information. Exploring these differences individually, five items were different with respect to the type of site: age, gender, race, employer and medical information.
Book
As businesses seek to compete on a global stage, they must be constantly aware of pressures from all levels: regional, local, and worldwide. The organizations that can best build advantages in diverse environments achieve the greatest success. The Handbook of Research on Global Competitive Advantage through Innovation and Entrepreneurship explores the emergence of new ideas and opportunities in various markets and provides organizational leaders with the tools they need to take full advantage of those opportunities. With a focus on economic growth in a fast-paced environment, this handbook is a critical reference for business leaders, economists, and students of economic theory.
Article
This study intended to incorporate the Cognitive Appraisal Theory with the Extended Parallel Process Model (EPPM) by demonstrating that the appraisal process and emotional arousals are an essential part of people’s risk message processing. A 2 (behavioral recommendations: present vs. not present) × 2 (threat: high vs. low) × 2 (message types) between-subject experiment design was used to investigate the effects of the intersection between organizational risk communication strategies on publics’ negative emotions (i.e. fear and anxiety) and behavioral intentions in a cybersecurity crisis (data breach) context. Results confirmed the prediction and indicated that negative emotions (i.e. fear and anxiety) mediated behavioral recommendation and threat’s influence on publics’ behavioral outcomes such as compliance intentions, information seeking intentions and prosocial behavioral intentions. The study has practical implications for public policy making regarding the communication of cybersecurity risk.
Article
This study examined the impact of fear appeal messages on user cognitions, attitudes, behavioural intentions and precautionary behaviour regarding online information-sharing to protect against the threat of phishing attacks. A pre-test post-test design was used in which 768 Internet users filled out an online questionnaire. Participants were grouped in one of three fear appeal conditions: strong-fear appeal, weak-fear appeal and control condition. Claims regarding vulnerability to phishing attacks and claims concerning response efficacy of protective online information-sharing behaviour were manipulated in the fear appeal messages. The study demonstrates positive effects of fear appeals on heightening end-users' cognitions, attitudes and behavioural intentions. However, future studies are needed to determine how subsequent security behaviour can be promoted, as the effects on this crucial aspect were not directly observed. Nonetheless, we conclude that fear appeals have great potential to promote security behaviour by making end users aware of threats and simultaneously providing behavioural advice on how to mitigate these threats.
Article
Cyber criminals use the Internet as a major platform to launch malware and social engineering attacks. Employees' violation of Internet use policy (IUP) elevates a firm's security risks from cyber-attacks. In the literature, such deviant behavior is generally considered to be the result of a cost-benefit calculus. However, this study shows that dispositional factors such as self-control and procedural justice moderate the cost-benefit calculus. We conclude that self-control and procedural justice need to be integrated with the Rational Choice Theory to better explain Internet abuses at work.
Article
As we begin to publish more articles in the area of cybersecurity, a case in point being the fine set of security papers presented in this particular issue as well as the upcoming special issue on Advances in Behavioral Cybersecurity Research which is currently in the review phase, it comes to mind that there is an emerging rubric of interest to the research community involved in security. That rubric concerns itself with the increasingly odd and inexplicable degree of comfort that computer users appear to have while operating in an increasingly threat-rich online environment. In my own work, I have noticed over time that users are blissfully unconcerned about malware threats (Poston et al., 2005; Stafford, 2005; Stafford and Poston, 2010; Stafford and Urbaczewski, 2004). This often takes the avenue of "it can't happen to me," or, "that's just not likely," but the fact is, since I first started noticing this odd nonchalance it seems like it is only getting worse, generally speaking. Mind you, a computer user who has been exploited and suffered harm from it will be vigilant to the end of his or her days, but for those who have scraped by, "no worries," is the order of the day, it seems to me. This is problematic because the exploits that are abroad in the online world these days are a whole order of magnitude more harmful than those that were around when I first started studying the matter a decade ago. I would not have commented on the matter, having long since chalked it up to the oddities of civilian computing, so to speak, but an odd pattern I encountered when engaging in a research study with trained corporate users brought the matter back to the fore recently. 
I have been collecting neurocognitive data on user response to security threats, and while my primary interest was to see if skin conductance or pupillary dilation varied during exposure to computer threat scenarios, I noticed an odd pattern that commanded my attention and actually derailed my study for a while as I dug in to examine it.
Article
Purpose Previous studies generally focused on the definition of cybercrime and its effect on the market. Following Kesan’s study, this paper aims to analyse the relationship between cyber insurance and social welfare and compare it among three countries, namely, USA, UK and Turkey. The paper also discusses the main obstacles that the cyber insurer has to deal with and its effect on social welfare. This paper answers two questions related to cyber insurance at an aggregate level. First, “What kind of contribution does cyber insurance make to social welfare?” Second, “What kind of problems do insurers and insured have to face?” Although the findings are similar to Kesan’s study, this study gives an opportunity to make a country-based study and interpret the results with a different perspective. Design/methodology/approach The calculation of utility is also important for interpreting social welfare in the market. Consumer behaviour under uncertainty constructs the background for this paper because the risks of malicious attacks are contingent and independent, which means that consumers have to make their decisions under uncertainty. The Von Neumann-Morgenstern utility function is used for interpreting consumer behaviour. Findings Basically, there are two important conclusions that can be derived for cyber insurance. First, cyber insurance can be defined as a higher security investment when coupled with increased levels of safety and a robust IT infrastructure. Second, cyber insurance, as a high-security investment, would have a positive impact on social welfare by making the internet safer for all users. The results show that the problems that lead to market failure can be virtually eliminated with an accurate risk assessment that leads to appropriate premium levels for the insured. These results are consistent with those of the study by Kesan et al. (2006).
Research limitations/implications Data availability for different industries has limited the ability to compare the impact of cyber-crime across different sectors. Originality/value Technological devices have become part of our daily life. Although they have brought us increasing access to all types of information, including opportunities for business, they have also increased the risk of malicious attacks and the risk of e-crime. By replicating the economic model used by Kesan et al. (2006), social welfare losses and insurance premiums are calculated for three countries: USA, UK and Turkey. Questions pertaining to the contribution of cyber insurance to social welfare and the problems faced by insurers and insured are addressed.
Article
Table 1. The cost of dealing with security incidents.
Article
Organizations are trying to induce employees to comply with information security policy (ISP) as the organizational damage from information breach incidents gets serious. Many previous approaches to ISP compliance have focused on security technologies. However, researchers in this area agree that the technology approach is not sufficient, so other approaches, such as behavioral and social ones, are required. This study suggests an integrated research model including ISP compliance antecedents and psychological contract fulfillment. The study investigates the mediating effect of psychological contract fulfillment between perceived costs and ISP compliance intention, comparing supervisor and supervisee groups. The results show that psychological contract fulfillment can mitigate the negative effect of costs on ISP compliance intention in the supervisor group. Employees also anticipate complying with ISP when they recognize the benefits of ISP compliance. This study could shed more light on the ISP compliance area by integrating and examining an ISP compliance research model with psychological contract as a social factor.
Article
Purpose This paper aims to provide an overview of the main research topics in the emerging fields of cyber risk and cyber risk insurance. The paper also illustrates future research directions, from both academic and practical points of view. Design/methodology/approach The authors conduct a literature review on cyber risk and cyber risk insurance using a standardized search and identification process that has been used in various academic articles. Based upon this selection process, a database of 209 papers is created. The main research results findings are extracted and organized in seven clusters. Findings The results illustrate the immense difficulties to insure cyber risk, especially due to a lack of data and modelling approaches, the risk of change and incalculable accumulation risks. The authors discuss various ways to overcome these insurability limitations, such as mandatory reporting requirements, pooling of data or public–private partnerships in which the government covers parts of the risk. Originality/value Despite its increasing relevance for businesses at present, research on cyber risk is limited. Many papers can be found in the IT domain, but relatively little research has been done in the business and economics literature. The authors illustrate where research stands currently and outline directions for future research.
Article
Smart critical infrastructure owners and operators are always looking for ways to minimize cyber risk while keeping a lid on cyber security expenditures. The insurance industry has been quantitatively assessing risk for hundreds of years to minimize risk and maximize profits. To achieve these goals, insurers continuously gather and analyze statistical data to improve their predictions, incentivize client investments in self-protection and periodically refine their models to improve the accuracy of risk estimates.
Article
To achieve a proper balance between security investments and acceptable loss, businesses take a mixed approach to risk management. In addition to preventive and remedial actions and self-insurance, many are now buying cyberinsurance, a cost-saving but still-developing strategy.
Article
Using a behavioral-experimental economics approach, this paper shows that the location of a potential innovator has an impact on her or his innovation attitude, specifically on her or his innovation optimism. Moreover, such an impact is a consequence of the way in which they can access information about the chances of succeeding if they initiate an innovation process. Isolated innovators can learn about their success chances from external objective sources, such as market research companies or public institutions. On the other hand, when the potential innovator is located in an innovation cluster, she or he has the chance to observe innovation performance and share the experience of innovation. This work provides empirical evidence to support that innovation attitudes are significantly different in both types of location: while isolated innovators exhibit innovation pessimism, members of innovation clusters tend to be optimistic with respect to their success chances in the innovation process.
Article
This paper compares two alternative methodologies—the experimental–behavioral approach and the contingent approach—for measuring the value that an attribute of a good (product or service) creates for potential customers. In the experimental–behavioral methodology, potential buyers make actual purchase decisions by receiving financial incentives. In the contingent approach, commonplace in marketing research, purchase decisions are hypothetical. A case–control experiment shows that both methodologies discriminate between key and less relevant attributes in purchase decisions, and provide reliable qualitative information on the value of an attribute. Contingent methodologies fail, however, to provide a reliable quantitative measure of such value.
Article
Most efforts to improve cyber security focus primarily on incorporating new technological approaches in products and processes. However, a key element of improvement involves acknowledging the importance of human behavior when designing, building and using cyber security technology. In this survey paper, we describe why incorporating an understanding of human behavior into cyber security products and processes can lead to more effective technology. We present two examples: the first demonstrates how leveraging behavioral science leads to clear improvements, and the other illustrates how behavioral science offers the potential for significant increases in the effectiveness of cyber security. Based on feedback collected from practitioners in preliminary interviews, we narrow our focus to two important behavioral aspects: cognitive load and bias. Next, we identify proven and potential behavioral science findings that have cyber security relevance, not only related to cognitive load and bias but also to heuristics and behavioral science models. We conclude by suggesting several next steps for incorporating behavioral science findings in our technological design, development and use.
Article
A proposed theory of planned behavior, an extension of Ajzen and Fishbein's (1980, Understanding attitudes and predicting social behavior. Englewood-Cliffs, NJ: Prentice-Hall) theory of reasoned action, was tested in two experiments. The extended theory incorporates perceived control over behavioral achievement as a determinant of intention (Version 1) as well as behavior (Version 2). In Experiment 1, college students' attendance of class lectures was recorded over a 6-week period; in Experiment 2, the behavioral goal was getting an “A” in a course. Attitudes, subjective norms, perceived behavioral control, and intentions were assessed halfway through the period of observation in the first experiment, and at two points in time in the second experiment. The results were evaluated by means of hierarchical regression analyses. As expected, the theory of planned behavior permitted more accurate prediction of intentions and goal attainment than did the theory of reasoned action. In both experiments, perceived behavioral control added significantly to the prediction of intentions. Its contribution to the prediction of behavior was significant in the second wave of Experiment 2, at which time the students' perceptions of behavioral control had become quite accurate. Contrary to expectations, there was little evidence for interactions between perceived behavioral control and the theory's other independent variables.
Article
The purpose of this chapter is to discuss the most recent theoretical and empirical research on the topic of fear appeals, or fear-arousing messages. First, a brief discussion on the nature of fear will be given. Then, the historical origins of fear appeals will be discussed. Third, the most recent fear appeal model, the extended parallel process model (EPPM), will be presented, followed by a section examining the research testing this model. Finally, modifications to the EPPM and future research directions will be suggested.
Article
As organizations become increasingly dependent on information systems (IS) for strategic advantage and operations, the issue of IS security also becomes increasingly important. In the interconnected electronic business environment of today, security concerns are paramount. Management must invest in IS security to prevent abuses that can lead to competitive disadvantage. Using the literature on security practices and organizational factors, this study develops an integrative model of IS security effectiveness and empirically tests the model. The data were collected through a survey of IS managers from various sectors of the economy. Small and medium-sized enterprises were found to engage in fewer deterrent efforts compared to larger organizations. Organizations with stronger top management support were found to engage in more preventive efforts than organizations with weaker support from higher management. Financial organizations were found to undertake more deterrent efforts and have stiffer deterrent severity than organizations in other sectors. Moreover, greater deterrent efforts and preventive measures were found to lead to enhanced IS security effectiveness. Implications of these findings for further research and practice are discussed.
Article
Fraudulent activity on the Internet, in particular the practice known as ‘Phishing’, is on the increase. Although a number of technology-focused countermeasures have been explored, user behaviour remains fundamental to increased online security. Encouraging users to engage in secure online behaviour is difficult, with a number of different barriers to change. Guided by a model adapted from health psychology, this paper reports on a study designed to encourage secure behaviour online. The study aimed to investigate the effects of education via a training program and the effects of risk level manipulation on subsequent self-reported behaviour online. The training program ‘Anti-Phishing Phil’ informed users of the common types of phishing threats and how to identify them, whilst the risk level manipulation randomly allocated participants to either high risk or low risk of becoming a victim of online fraud. Sixty-four participants took part in the study, which comprised 9 males and 55 females with an age range of 18–43 years. Participants were randomly allocated to one of four experimental groups. High threat information and/or the provision of phishing education were expected to increase self-reports of secure behaviour. Secure behaviour was measured at three stages: a baseline measure stage, an intention measure stage, and a 7-day follow-up measure stage. The results showed that offering a seemingly tailored risk message increased users’ intentions to act in a secure manner online regardless of whether the risk message indicated they were at high or low risk of fraud. There was no effect of the training programme on secure behaviour in general. The findings are discussed in relation to the model of behaviour change, information provision and the transferability of training.
Article
Despite positive expectations, cyber-insurance products have failed to take center stage in the management of IT security risk. Market inexperience, leading to conservatism in pricing cyber-insurance instruments, is often cited as the primary reason for the limited growth of the cyber-insurance market. In contrast, here we provide a demand-side explanation for why cyber-insurance products have not lived up to their initial expectations. We highlight the presence of information asymmetry between customers and providers, showing how it leads to overpricing cyber-insurance contracts and helps explain why cyber insurance might have failed to deliver its promise as a cornerstone of IT security-management programs.