Cybersecurity as a Behavioural Science: Part 2

Updated: Apr 19, 2020

Risk Taking in Cyber Spaces: "Scary" Wearables and "Friendly" Apps

There is much information online about human behavior and cyber security, and it is easy to get lost. So, I decided to write a short series of posts on cyber security as a behavioural science (#cybersecasbehavioralscience). In Part 1 of this series we explored why we should worry about the behavioral aspects of cybersecurity. In Part 2, we will consider why people take risks online, what behaviors they perceive as more risky, and how we can measure risk taking behavior in cyber spaces. In other words, today we will try to answer a simple question: How do people deal with risk in cyber spaces?

Setting the Scene

Cybersecurity is one of the major problems faced by businesses in the digital age. On a daily basis, the overwhelming majority of businesses around the globe face hacking, cyber theft, malware, cyber fraud, and many other problems. It is estimated that American companies pay an average of $15.4 million a year to tackle issues related to hacking attacks alone, while companies globally pay on average $7.7 million a year. With over 90% of all attacks starting with a phishing email, individual consumers often become the targets of cybercriminals' theft and fraud techniques, costing businesses large amounts of money. In the Finance sector, cybersecurity is becoming not only a matter of significant cost: trends in the sector suggest that consumers of the future will select a trusted institution based on its ability to protect the customer as well as the customer's personal data.

According to the IBM Cost of Data Breach Study, identity data (data which allows a cybercriminal to masquerade as a victim) is the most targeted personal data, with 64% of data breaches targeting identity information. Financial data (bank, credit card, or other financial account details) is the second most targeted data – 16% of data breaches target financial data.

Measuring Risk Taking Behaviour

Despite the importance of the problem, we still know little about risk taking in the digital domain. How do people perceive different types of online risks (such as losing data, privacy, etc.) and how do they deal with them? To answer these questions, we designed a simple scale, which we called the Cyber Domain Specific Risk Taking Scale (or CyberDoSpeRT).

CyberDoSpeRT consists of 30 (potentially risky) activities, which are split into 5 categories – Security, Personal Data, Privacy, Negligence, and Cybercrime. Each category incorporates 6 activities. Specifically, the Security category incorporates potentially risky activities related to general security in cyberspace, such as “Not using anti-virus or anti-malware protection”. The Personal Data category includes such risky activities as “Providing private information (such as your email address) to obtain free WiFi in public places such as coffee shops, airports, train stations, etc.” and reflects potential risks related to the loss of personal data. The Privacy category includes activities which could potentially lead to privacy infringement for an individual or a group of people, such as “Linking multiple social media websites (e.g., linking Twitter, Facebook, and Instagram accounts, etc.)”. The Cybercrime category includes activities such as “Using insecure connection or free WiFi”, where cybercrime is defined as an action which causes harm and employs digital technology constituting an offence. Finally, in the Negligence category risky activities involve “Letting web browser remember your passwords” and depict risks resulting from a lack of knowledge, understanding, or care about the consequences of one's actions in cyberspace.

The scale is based on a large-scale focus group survey of 121 cybersecurity professionals around the globe. It was further validated through a comprehensive review of literature sources as well as related blogs. Activities listed by domain are shown below together with the number of mentions of each activity in various literature and blog sources (shown on the right hand side). CyberDoSpeRT activities are presented to participants in a random order. An example of order numbers for each activity is shown below on the left, before each dash (“-”).

CyberDoSpeRT Scale: Activities, their Importance and Display Order

Source: Kharlamov et al., 2018

Of the identified activities, the most frequently mentioned was “Not using a private server” (1,150,000 mentions) and the least frequently mentioned was “Using the same password on multiple devices/websites” (102 mentions). This means that the identified activities allowed us to look at a broad spectrum of behaviors in cyberspace and to focus both on risks relevant and known to the majority of the population and on less understood and anticipated risks.

How Does It Work?

The resulting scale allows us to measure individual Risk Taking and Risk Perception across 5 domains. The Risk Taking question asks the study participants to indicate how likely they are to engage in each activity on a scale from 1 to 7 (the higher, the more likely); the Risk Perception question asks the study participants to indicate how risky they perceive each activity to be on a scale from 1 to 7 (the higher, the more risky). Since each activity can receive a score between 1 and 7, each of the 5 categories can accumulate scores from 6 to 42, and the total score for each individual can be between 30 and 210.

You can think of Risk Perception as a measure of your expectations about a particular type of risk and you can think of Risk Taking as a measure of the reality of your behavior. Clearly, the riskier you believe an activity is, the less likely you should be to engage in this activity.
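A scoring helper for the two measures just described, as an added example (not code from the post or from Kharlamov et al.). It assumes each answer sheet is a dict mapping activity number (1 to 30) to a 1 to 7 rating, and the activity-to-domain mapping is a constructed placeholder, since the post does not list which numbered activities belong to which domain.

```python
from statistics import mean

DOMAINS = ("Security", "Personal Data", "Privacy", "Negligence", "Cybercrime")
MIN_RATING, MAX_RATING, PER_DOMAIN = 1, 7, 6
# Constructed mapping: the post does not say which numbered activities belong
# to which domain, so 1-6 -> Security, 7-12 -> Personal Data, and so on.
ACTIVITY_DOMAIN = {n: DOMAINS[(n - 1) // PER_DOMAIN] for n in range(1, 31)}


def validate(sheet):
    """Reject a sheet that is incomplete or uses ratings outside 1..7."""
    if set(sheet) != set(ACTIVITY_DOMAIN):
        raise ValueError("expected ratings for exactly activities 1..30")
    bad = {n: r for n, r in sheet.items() if not MIN_RATING <= r <= MAX_RATING}
    if bad:
        raise ValueError(f"ratings outside {MIN_RATING}..{MAX_RATING}: {bad}")


def domain_scores(sheet):
    """Sum the six ratings per domain (each 6..42); 'total' is 30..210."""
    validate(sheet)
    totals = dict.fromkeys(DOMAINS, 0)
    for n, r in sheet.items():
        totals[ACTIVITY_DOMAIN[n]] += r
    totals["total"] = sum(totals.values())
    return totals


def activity_means(sheets):
    """Mean rating per activity across respondents (one point per graph)."""
    for s in sheets:
        validate(s)
    return {n: mean(s[n] for s in sheets) for n in ACTIVITY_DOMAIN}


def perception_minus_taking(perception, taking):
    """Per-activity gap: positive means seen as risky and avoided, negative
    means done readily while seen as low risk (activities 28 and 3 above)."""
    validate(perception)
    validate(taking)
    return {n: perception[n] - taking[n] for n in ACTIVITY_DOMAIN}


# Constructed sample respondent: neutral (4) everywhere except activity 28
# (wearable data collection) and activity 3 (not reading app permissions).
SAMPLE_PERCEPTION = {n: 4 for n in range(1, 31)}
SAMPLE_TAKING = {n: 4 for n in range(1, 31)}
SAMPLE_PERCEPTION[28], SAMPLE_TAKING[28] = 6, 2
SAMPLE_PERCEPTION[3], SAMPLE_TAKING[3] = 2, 6
```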

What Do People's Perceptions and Actions Look Like?

To test the scale, we recruited representative samples of the population from two nations – the US (500 people) and the UK (523 people). So, which activities are considered most risky and least risky, and do people's actions reflect these perceptions? The graphs below show the mean risk taking and risk perception for each activity in our scale, mapping the relative positioning of risk taking versus risk perception in the US and the UK for each of the 30 CyberDoSpeRT activities separately (activities are numbered to match the CyberDoSpeRT graph above - see the numbers of activities on the left before "-").

Cyber Risk Taking and Risk Perception in the US

Abbreviations: Security (SE), Personal Data (PD), Privacy (PR), Negligence (NE), and Cybercrime (CR).

Source: Kharlamov et al., 2018

Cyber Risk Taking and Risk Perception in the UK

Abbreviations: Security (SE), Personal Data (PD), Privacy (PR), Negligence (NE), and Cybercrime (CR).

Source: Kharlamov et al., 2018

Interestingly, the relative positioning of risk taking versus risk perception attitudes is similar across the two countries, except that in the UK all attitudes seem to be shifted towards lower risk taking and higher risk perception. In other words, people in the US are more risk taking in cyber spaces compared to the Brits. In both countries, activity 28 “Using a wearable device to collect your private data (e.g., FitBit, Apple Watch, etc.).” is associated with the highest level of risk perception (average risk perception = 5.41 in the US and 5.54 in the UK) and the lowest level of risk taking (average risk taking = 2.34 in the US and 2.61 in the UK). The second highest risk perception and second lowest risk taking in both countries are associated with activity 17 “Letting web browser remember your credit card information”. Notice that activity 16, which deals with letting the web browser remember password information, is associated with much higher risk taking and lower risk perception than activity 17. The third highest risk perception score and third lowest risk taking score are associated with activity 25 “Using the same password on multiple devices/websites.”. Interestingly, activity 3 “Not reading App permissions before uploading an App on your smart phone.” is the highest in terms of risk taking and the lowest in terms of risk perception for both countries.

So What Do We Learn?

In both countries, people seem to be mostly concerned with Negligence (NE) risks and Security (SE) risks (with the sole exception of activity 3) and are less likely to take risks in those cyber domains. At the same time, they seem to be relatively less concerned about Cybercrime (CR), Privacy (PR), and Personal Data (PD) risks (with the exception of activity 28) and are more likely to take risks in those cyber domains. Generally, people seem to be particularly concerned about the data collected about them by wearable devices and how these data are used. At the same time, they are least concerned about the potential risks associated with app downloads.

#cybersecurity #informationsecurity #datasecurity #infosec #cyberrisks #cyberthreats #behaviouralscience #humanbehavior #regulation #governance #responsibility #cybersecasbehavioralscience