66,920 research outputs found

    Impact of framing and base size of computer security risk information on user behavior

    This research examines the impact of framing and base size of computer security risk information on users' risk perceptions and behavior (i.e., download intention and download decision). It also examines individual differences (i.e., demographic factors, computer security awareness, Internet structural assurance, self-efficacy, and general risk-taking tendencies) associated with users' computer security risk perceptions. This research draws on Prospect Theory, which is a theory in behavioral economics that addresses risky decision-making, to generate hypotheses related to users' decision-making in the computer security context. A 2 x 3 mixed factorial experimental design (N = 178) was conducted to assess the effect of framing and base size on users' download intentions and decisions. The results show that framing and base size of computer security risk information are associated with users' perceived risk and risk-taking behavior. More specifically, negative framing and large base size increase users' perceived risk and reduce users' risk-taking behavior. Moreover, users who have greater general risk-taking tendencies and perceive higher Internet structural assurance exhibited lower risk perceptions and greater risk-taking behavior in the computer security context. The findings from this research suggest that using negative framing and large base size to communicate computer security risk information is an effective way to lower risk-taking behavior of users --Abstract, page iii

    Are we predisposed to behave securely? Influence of risk disposition on individual security behaviors

    Employees continue to be the weak link in organizational security management and efforts to improve the security of employee behaviors have not been as effective as hoped. Researchers contend that security-related decision making is primarily based on risk perception. There is also a belief that, if changed, this could improve security-related compliance. The extant research has primarily focused on applying theories that assume rational decision making e.g. protection motivation and deterrence theories. This work presumes we can influence employees towards compliance with information security policies and by means of fear appeals and threatened sanctions. However, it is now becoming clear that security-related decision making is complex and nuanced, not a simple carrot- and stick-related situation. Dispositional and situational factors interact and interplay to influence security decisions. In this paper, we present a model that positions psychological disposition of individuals in terms of risk tolerance vs. risk aversion and proposes research to explore how this factor influences security behaviors. We propose a model that acknowledges the impact of employees' individual dispositional risk propensity as well as their situational risk perceptions on security-related decisions. It is crucial to understand this decision-making phenomenon as a foundation for designing effective interventions to reduce such risk taking. We conclude by offering suggestions for further research.

    Ethical guidelines for nudging in information security & privacy

    There has recently been an upsurge of interest in the deployment of behavioural economics techniques in the information security and privacy domain. In this paper, we consider first the nature of one particular intervention, the nudge, and the way it exercises its influence. We contemplate the ethical ramifications of nudging, in its broadest sense, deriving general principles for ethical nudging from the literature. We extrapolate these principles to the deployment of nudging in information security and privacy. We explain how researchers can use these guidelines to ensure that they satisfy the ethical requirements during nudge trials in information security and privacy. Our guidelines also provide guidance to ethics review boards that are required to evaluate nudge-related research

    Framing the UK’s counter-terrorism policy within the context of a wicked problem

    Terrorist attacks can be seen as the ultimate wicked problem. After 9/11, terrorists moved from so-called ‘spectacular’ events to relatively low-intensity attacks against individuals and groups. The emergence of what has become known as the ‘home-grown’ terrorist has added a further dimension to the ‘wicked’ nature of the problem. This paper considers the UK’s CONTEST and PREVENT strategies as a policy response to the threats from terrorism and the impact that the policies themselves can have on the radicalization of individuals. The author highlights some of the limitations of the PREVENT strand of the overall strategy and the constraints that are imposed on government policies by failing to take a holistic perspective on the nature of the problem

    Privacy as a Public Good

    Privacy is commonly studied as a private good: my personal data is mine to protect and control, and yours is yours. This conception of privacy misses an important component of the policy problem. An individual who is careless with data exposes not only extensive information about herself, but about others as well. The negative externalities imposed on nonconsenting outsiders by such carelessness can be productively studied in terms of welfare economics. If all relevant individuals maximize private benefit, and expect all other relevant individuals to do the same, neoclassical economic theory predicts that society will achieve a suboptimal level of privacy. This prediction holds even if all individuals cherish privacy with the same intensity. As the theoretical literature would have it, the struggle for privacy is destined to become a tragedy. But according to the experimental public-goods literature, there is hope. Like in real life, people in experiments cooperate in groups at rates well above those predicted by neoclassical theory. Groups can be aided in their struggle to produce public goods by institutions, such as communication, framing, or sanction. With these institutions, communities can manage public goods without heavy-handed government intervention. Legal scholarship has not fully engaged this problem in these terms. In this Article, we explain why privacy has aspects of a public good, and we draw lessons from both the theoretical and the empirical literature on public goods to inform the policy discourse on privacy

    Spatial Dynamic Modeling and Urban Land Use Transformation:

    Assessing the economic impacts of urban land use transformation has become complex and acrimonious. Although community planners are beginning to comprehend the economic trade-offs inherent in transforming the urban fringe, they find it increasingly difficult to analyze and assess the trade-offs expediently and in ways that can influence local decisionmaking. New and sophisticated spatial modeling techniques are now being applied to urban systems that can quickly assess the probable spatial outcomes of given communal policies. Applying an economic impact assessment to the probable spatial patterns can provide to planners the tools needed to quickly assess scenarios for policy formation that will ultimately help inform decision makers. This paper focuses on the theoretical underpinnings and practical application of an economic impact analysis submodel developed within the Land use Evolution and Impact Assessment Modeling (LEAM) environment. The conceptual framework of LEAM is described, followed by an application of the model to the assessment of the cost of urban sprawl in Kane County, Illinois. The results show the effectiveness of spatially explicit modeling from a theoretical and a practical point of view. The agent-based approach of spatial dynamic modeling with a high spatial resolution allows for discerning the macro-level implications of micro-level behaviors. These phenomena are highlighted in the economic submodel in the discussion of the implications of land use change decisions on individual and communal costs; low-density development patterns favoring individual behaviors at the expense of the broader community.

    The Effect of Security Education and Expertise on Security Assessments: the Case of Software Vulnerabilities

    In spite of the growing importance of software security and the industry demand for more cyber security expertise in the workforce, the effect of security education and experience on the ability to assess complex software security problems has only been recently investigated. As proxy for the full range of software security skills, we considered the problem of assessing the severity of software vulnerabilities by means of a structured analysis methodology widely used in industry (i.e. the Common Vulnerability Scoring System (CVSS) v3), and designed a study to compare how accurately individuals with background in information technology but different professional experience and education in cyber security are able to assess the severity of software vulnerabilities. Our results provide some structural insights into the complex relationship between education or experience of assessors and the quality of their assessments. In particular we find that individual characteristics matter more than professional experience or formal education; apparently it is the combination of skills that one owns (including the actual knowledge of the system under study), rather than the specialization or the years of experience, to influence more the assessment quality. Similarly, we find that the overall advantage given by professional expertise significantly depends on the composition of the individual security skills as well as on the available information. Comment: Presented at the Workshop on the Economics of Information Security (WEIS 2018), Innsbruck, Austria, June 201

    Framing Information Security Budget Requests to Influence Investment Decisions

    Researchers studying the economics of information security have traditionally focused on the use of rational choice decision models for evaluating investment alternatives. Security investment decisions involve risk, and several researchers have noted that risk-related decisions often violate the fundamental principles of rational choice decision models. This study tests the prevailing presumption in published research that information security investment decisions are made in an entirely rational manner. We empirically validated our hypothesis that information security investment decision makers in fact exhibit preference reversals when faced with competing budget alternatives involving risk. Specifically, we observed the framing effect under prospect theory, which suggests that individuals exhibit unique risk attitudes when evaluating gain-related and loss-related risk decisions. Accordingly, we argue that existing, widely accepted rational choice and economic models for information security investments need to be supplemented with risk perception measurement and account for individual level decision biases

    Nudging folks towards stronger password choices: providing certainty is the key

    Persuading people to choose strong passwords is challenging. One way to influence password strength, as and when people are making the choice, is to tweak the choice architecture to encourage stronger choice. A variety of choice architecture manipulations i.e. “nudges”, have been trialled by researchers with a view to strengthening the overall password profile. None has made much of a difference so far. Here we report on our design of an influential behavioural intervention tailored to the password choice context: a hybrid nudge that significantly prompted stronger passwords. We carried out three longitudinal studies to analyse the efficacy of a range of “nudges” by manipulating the password choice architecture of an actual university web application. The first and second studies tested the efficacy of several simple visual framing “nudges”. Password strength did not budge. The third study tested expiration dates directly linked to password strength. This manipulation delivered a positive result: significantly longer and stronger passwords. Our main conclusion was that the final successful nudge provided participants with absolute certainty as to the benefit of a stronger password, and that it was this certainty that made the difference