1,040 research outputs found

    Risk perceptions of cyber-security and precautionary behaviour

    A quantitative empirical online study examined a set of 16 security hazards on the Internet and two comparisons in 436 UK and US students, measuring perceptions of risk and other risk dimensions. First, perceived risk was highest for identity theft, keylogger, cyber-bullying and social engineering. Second, consistent with existing theory, significant predictors of perceived risk were voluntariness, immediacy, catastrophic potential, dread, severity of consequences and control, as well as Internet experience and frequency of Internet use. Moreover, control was a significant predictor of precautionary behaviour. Methodological implications emphasise the need for non-aggregated analysis and practical implications emphasise risk communication to Internet users

    “This is the way ‘I’ create my passwords ...”: does the endowment effect deter people from changing the way they create their passwords?

    The endowment effect is the term used to describe a phenomenon that manifests as a reluctance to relinquish owned artifacts, even when a viable or better substitute is offered. It has been confirmed by multiple studies when it comes to ownership of physical artifacts. If computer users also "own", and are attached to, their personal security routines, such feelings could conceivably activate the same endowment effect. This would, in turn, lead to their over-estimating the "value" of their existing routines, in terms of the protection they afford, and the risks they mitigate. They might well, as a consequence, not countenance any efforts to persuade them to adopt a more secure routine, because their comparison of pre-existing and proposed new routine is skewed by the activation of the endowment effect. In this paper, we report on an investigation into the possibility that the endowment effect activates when people adopt personal password creation routines. We did indeed find evidence that the endowment effect is likely to be triggered in this context. This constitutes one explanation for the failure of many security awareness drives to improve password strength. We conclude by suggesting directions for future research to confirm our findings, and to investigate the activation of the effect for other security routines

    Risk as affect: the affect heuristic in cybersecurity

    Risk perception is an important driver of netizens’ (Internet users’) cybersecurity behaviours, with a number of factors influencing its formation. It has been argued that the affect heuristic can be a source of variation in generic risk perception. However, a major shortcoming of the supporting research evidence for this assertion is that the central construct, affect, has not been measured or analysed. Moreover, its influence in the cybersecurity domain has not yet been tested. The contribution of the research reported in this paper is thus, firstly, to test the affect heuristic while measuring its three constructs: affect, perceived risk and perceived benefit and, secondly, to test its impact in the cybersecurity domain. By means of two carefully designed studies (N = 63 and N = 233), we provide evidence for the influence of the affect heuristic on risk perception in the cybersecurity domain. We conclude by identifying directions for future research into the role of affect and its impact on cybersecurity risk perception

    Mitigating Circumstances in Cybercrime: a Position Paper

    This paper argues the need for considering mitigating circumstances in cybercrime. Mitigating circumstances are conditions which moderate the culpability of an offender of a committed offence. Our argument is based on several observations. The cyberspace introduces a new family of communication and interaction styles and designs which could facilitate, make available, deceive, and in some cases persuade, a user to commit an offence. User’s lack of awareness could be a valid mitigation when using software features introduced without a proper management of change and enough precautionary mechanisms, e.g. warning messages. The cyber behaviour of users may not be necessarily a reflection of their real character and intention. Their irrational and unconscious actions may result from their immersed and prolonged presence in a particular cyber context. Hence, the consideration of the cyberspace design, the “cyber psychological” status of an offender and their inter-relation could form a new family of mitigating circumstances inherent and unique to cybercrime. This paper elaborates on this initial argument from different perspectives including software engineering, cyber psychology, digital forensics, social responsibility and law

    National Security Risks? Uncertainty, Austerity and Other Logics of Risk in the UK government’s National Security Strategy

    Risk scholars within Security studies have argued that the concept of security has gone through a fundamental transformation away from a threat-based conceptualisation of defence, urgency and exceptionality to one of preparedness, precautions and prevention of future risks, some of which are calculable, others of which are not. This article explores whether and how the concept of security is changing due to this ‘rise of risk’, through a hermeneutically grounded conceptual and discourse analysis of the United Kingdom government’s national security strategy (NSS) from 1998 to 2011. We ask how risk-security language is employed in the NSS; what factors motivate such discursive shifts; and what, if any, consequences of these shifts can be discerned in UK national security practices. Our aim is twofold: to better understand shifts in the security understandings and policies of UK authorities; and to contribute to the conceptual debate on the significance of the rise of risk as a component of the concept of security

    Simplifying Cyber Security Maturity Models through National Culture: A Fuzzy Logic Approach

    Different assessment models exist to measure a country's cyber security maturity levels. These levels serve as a benchmark for indicating how well prepared a nation is against a cyber security attack and how resilient it would be in recovering from such an attack. However, results from these maturity assessments are either too general, overly complex, or resource intensive to apply and guide important national cyber security strategies and frameworks. To address this we propose a model to link national culture with a country's cyber security maturity through fuzzy logic mapping to ensure that a more uniform reflection of the cyber security maturity level within a country can be measured. In this paper, we present additional research towards optimising our model. The extended model incorporates input from two cyber security assessment models, and validates the refined output models on 11 countries to compare the maturity levels from the traditional assessment model with our optimised fuzzy model. Our results show that it is viable to reduce the resources required to conduct a national cyber security maturity assessment