35 research outputs found
Persuading end users to act cautiously online: a fear appeals study on phishing
Purpose
The purpose of this paper is to test the protection motivation theory (PMT) in the context of fear appeal interventions to reduce the threat of phishing attacks. In addition, it was tested to what extent the model relations are equivalent across fear appeal conditions and across time.
Design/methodology/approach
A pre-test post-test design was used. In the pre-test, 1,201 internet users filled out an online survey and were presented with one of three fear appeal conditions: strong fear appeal, weak fear appeal and control condition. Arguments regarding vulnerability of phishing attacks and response efficacy of vigilant online information-sharing behaviour were manipulated in the fear appeals. In the post-test, data were collected from 786 internet users and analysed with partial least squares path modelling.
Findings
The study found that PMT model relations hold in the domain of phishing. Self-efficacy and fear were the most important predictors of protection motivation. In general, the model results were equivalent across conditions and across time.
Practical Implications
It is important to consider online information-sharing behaviour because it facilitates the occurrence and success of phishing attacks. The results give practitioners more insight into important factors to address in the design of preventative measures to reduce the success of phishing attacks. Future research is needed to test how fear appeals work in real-world settings and over longer periods.
Originality/value
This paper is a substantial adaptation of a previous conference paper (Jansen and Van Schaik, 2017a, b).
Understanding precautionary online behavioural intentions: A comparison of three models
We used a survey design to compare three social cognitive models in their ability to explain intentions of precautionary online behaviour. The models were protection motivation theory (PMT), the reasoned action approach (RAA) and an integrated model comprising variables of these models. Data from 1,200 Dutch users of online banking were analysed with partial-least-squares path-modelling. The two separate models explain about equally much variance in precautionary online behaviour; in the integrated model the significant predictors of the two models remained significant. We conclude that both PMT and RAA make a unique contribution in explaining variance. Our results give practitioners potentially a wider range of options to design preventative measures
Do you bend or break?: Preventing online banking fraud victimization through online resilience
This doctoral thesis is about the human aspects of online banking safety and security. Preparations for this thesis, part of The Dutch Research Program on Safety and Security of Online Banking, started when online banking fraud figures were relatively high in the Netherlands. In this thesis, online banking fraud is limited to phishing and malware attacks. This thesis investigated a specific part of the issue of how to reduce this type of fraud, namely the extent to which the safety and security of online banking can be improved from an end-user perspective. Hence, it examined how the online resilience of end users can be enhanced; making them better able to protect themselves against online banking fraud. Next to the practical goal of this thesis, it also aimed to contribute to scientific theory in the behavioural information security domain. This thesis starts with an introductory Chapter (1) in which the context of study is described and the goal and research questions are highlighted. The empirical part of this thesis is divided into two smaller parts. In order to get a comprehensive overview of the human aspects of online banking safety and security, it is important to study the threats as well as people-focussed safeguards. Therefore, Part I (Chapters 2 to 5) deals with studies on end-users’ perceptions of and victimization due to online banking fraud. Learning more about risk perceptions, how and why victimization takes place, victim characteristics and how victims recover from incidents may lead to more knowledge on how to combat online banking fraud effectively. Part II of this thesis (Chapters 6 to 9) consequently deals with studies on precautionary online behaviour of end users and how that behaviour can be improved. Knowledge on this subject may contribute to strengthening one of the most essential links in the safety and security of online banking: the end user.
The concluding Chapter (10) provides an answer to the central and main research questions and deals with the theoretical and practical implications of the findings. The main research questions are: 1: What are the perceptions of end users regarding the safety and security of online banking? 2: How can online banking fraud victimization be explained from an end-user perspective? 3: How can precautionary online behaviour of end users be explained and improved? To answer these questions, several studies were conducted; these are elaborated in Part I and Part II of this thesis. The contents of the chapters are outlined below. In Chapter 2, end-user risk perceptions of online bank fraud are studied. Secondary analysis of data based on a survey among 1,200 Dutch online banking users shows that online banking fraud is not considered to be a major risk. End users perceive the potential impact of online banking fraud to be severe, but the chances of falling victim themselves to be slim. However, they estimate the chances of others being victimized to be higher. Furthermore, online banking customers mainly come into contact with online banking fraud through media communications. Indirect victimization in the social environment and direct victimization were less common. In addition, online banking users, in general, have reasonable levels of trust in online banking. Finally, this chapter reveals – using partial least squares path modelling – that risk perceptions are mainly affected by the estimated chance of becoming a victim of online banking fraud. The perceived impact of online banking fraud and the degree of trust in online banking affected risk perception to some extent. Direct and indirect victimization and demographic characteristics hardly affected risk perceptions. In Chapter 3, an analysis of 600 phishing and malware incidents obtained from a Dutch bank is presented.
The goal of this chapter is to shed light on the circumstances in which bank customers are victimized in phishing and malware attacks and how these attacks manifest in practice. This chapter shows that an essential step in the fraudulent process entails customers giving away their personal information to fraudsters. Phishing victimization mainly occurred by responding to a fraudulent e-mail, a fraudulent phone call or a combination of these. Malware victimization primarily occurred by responding to a malicious pop-up and by installing a malicious application on a mobile device. Customers cooperated because the fraudulent messages were perceived to be professional and trustworthy and because customers were not sufficiently suspicious of what was happening. The results suggest that victims have an unintended and subconscious, but active role in the fraudulent process. An interesting finding is that the victims did not always seem to trust the fraudster’s intentions, but were mentally unable to stop the process. Reasons for this include not being aware of how fraudulent schemes manifest in practice, not being alert at the right moment and having insufficient knowledge of online banking procedures and precautionary measures. Chapter 4 explores factors that may explain online banking fraud victimization based on interviews with 30 victims using the routine activity approach and protection motivation theory as theoretical lenses. A qualitative approach was chosen because previous quantitative studies failed to identify such factors. The interview data were analysed using computer-assisted qualitative data analysis software. This chapter demonstrates that no specific factors from the routine activity approach and protection motivation theory that increase the chance of online banking fraud victimization could be identified. Moreover, victims were distributed across genders, age categories and levels of education.
Ultimately, end-user attributes that lead to higher chances of being victimized through online banking fraud could not be identified. This suggests that everyone is susceptible to online banking fraud victimization to some degree. In order to find out whether victims adequately recover from phishing and malware incidents, it is important to gain insight into its effects and impact on victims first. However, there was not much literature available on the impact of these cybercrimes. This gap is addressed in Chapter 5, in which interview data from the above mentioned 30 victims are analysed again. Besides (initial) financial effects (most victims were reimbursed), victims also described various kinds of psychological and emotional effects, such as feeling awful and stressed, and various kinds of secondary impact, such as time loss and not being treated properly during the handling of the incident. Furthermore, this chapter demonstrates that the level of impact varies among victims, ranging from little or no impact to severe impact. Moreover, while some victims were only affected for a few days, some felt the effects in the long term. The impact of these fraudulent schemes on victims should therefore not be underestimated. In addition, the interview data provided insight into cognitive and behavioural change in order to cope with the incident. Cognitive strategies were mainly concerned with reducing psychological and emotional distress, and increasing online resilience to future attacks. The main behavioural strategies that were identified are reporting the incident to the bank and the police and seeking support from the social environment. Furthermore, various other actions were taken, such as enhancing the safety and security of devices and being more attentive during online banking sessions. However, it was observed that some of these actions were only of limited duration. Some victims adopted avoidance behaviours, such as making less use of online banking services.
Victims who were left with financial damages rationalized the incident, thereby minimizing victimization for themselves. Chapter 5 concludes that the coping approach that was applied provides a useful framework to study the effects and impact of cybercrime victimization and how victims recover from it. In Chapters 6 and 7, survey data on 1,200 Dutch online banking users are examined and analysed using partial least squares path modelling. In Chapter 6, three social cognitive models are compared with respect to their ability to explain the intentions of precautionary online behaviour. The models are: protection motivation theory, the reasoned action approach and an integrated model comprising variables of these models. The three models were successfully applied to online banking. The individual models equally explain much of the variance in precautionary online behaviour. In the integrated model, the significant predictors of the two models remained significant and the level of explained variance was highest. Precautionary online behaviour is largely driven by response efficacy, self-efficacy and attitude towards that behaviour. This chapter concludes that both protection motivation theory and the reasoned action approach make a unique contribution in explaining variance for precautionary online behavioural intention. The integrated model explained most variance in protection motivation, which means that integrating theoretical perspectives from different domains is worthwhile. However, protection motivation theory is used as the main theoretical basis in the following chapters, because of its applicability to interventions. Chapter 7 builds on the preceding chapter and continues to study a model of precautionary behaviour in the domain of online banking. The aim was to gain insight into factors that encourage customers to take measures to protect themselves against online threats.
The analyses that were conducted for this chapter provided support for most of the hypothesized relationships and showed that the model explains high levels of variance for precautionary online behaviour as well as for risk perception. Threat and coping appraisal successfully predicted the protection motivation of online banking users; in particular, response efficacy and self-efficacy were the most important predictors for taking precautions. Secondary predictors include locus of control, perceived severity (direct effect) and the negative predictor response costs. Finally, some differences in precautionary online behavioural intentions were observed based on gender and level of education. In Chapter 8, insight is gained into what protective measures self-employed entrepreneurs take in order to protect themselves against online threats and what motivates them to do so. Information technology is becoming increasingly important for entrepreneurs. Protecting their technical infrastructure and stored data is, therefore, also growing in importance. Nevertheless, research into the safety and security of entrepreneurs in general, and online threats targeted at entrepreneurs in particular, are still limited. Based on secondary analyses on data collected from 1,622 Dutch entrepreneurs, it was observed that the majority implement technical and personal coping measures. Entrepreneurs are likely to implement protective measures if they believe a measure is effective, if they are capable of using internet technology, if their attitude towards information security is positive and if they believe they are responsible for their own online security. These findings are similar to those of private users outlined in Chapters 6 and 7.
Finally, some differences in precautionary online behaviour were observed based on age and education level. Chapter 9 examines the impact of fear appeal messages on user cognitions, attitudes, behavioural attentions and precautionary behaviour regarding online information-sharing to protect against the threat of phishing attacks. A pre-test post-test design was used in which 768 internet users filled out an online questionnaire. Participants were grouped in one of three fear appeal conditions: strong-fear appeal, weak-fear appeal and control condition. Claims regarding vulnerability of phishing attacks and claims concerning response efficacy of protective online information-sharing behaviour were manipulated in the fear appeal messages. This chapter demonstrates positive effects of fear appeals on heightening end-users’ cognitions, attitudes and behavioural intentions. However, future studies are needed to determine how subsequent security behaviour can be promoted, as the effects on this crucial aspect were not directly observed. Nonetheless, fear appeals have great potential for promoting security behaviour by making end users aware of threats and simultaneously providing behavioural advice on how to mitigate these threats. All things considered, this thesis investigated online banking fraud victimization and precautionary online behaviour. Specifically, human aspects were the focus of the present research. This thesis demonstrates that good security is in people’s heads. It seems easier, cheaper and more successful for criminals to attack end users using psychology rather than the technology surrounding online banking. Hence, even the best security engineers cannot stop end users from giving away their security codes. Therefore, using psychology to defend against online banking attacks also makes sense. This is especially the case for attacks using social engineering (phishing), but to some extent also for attacks using technical engineering (malware).
Considering the further digitization of our society and the increasing dependability on information systems, the case is made that people have to ‘bend’ with these developments and become resilient when online. This is necessary to stop people from ‘breaking’ and potentially becoming victims of online banking fraud. While this thesis obtained information on how safety and security of online banking can be improved from an end-user perspective, it should be noted that end users will always be confronted with numerous potential threats. It is unrealistic to believe that people can protect themselves against all threats at all times. Therefore, we have to accept that bad things will continue to happen online, but optimistically they can be kept to a minimum if end users are more vigilant about what they do online and are aware of how some people abuse the advantages that the internet offers. At the very least, the impact of these attacks can be reduced. The following main recommendations from this thesis may be helpful: 1: Continue to invest in security education, training and awareness campaigns concerning threats aimed at online banking. 2: Focus on underlying cognitive dimensions in security education, training and awareness campaigns, most notably on response efficacy and self-efficacy. 3: Make clear that banks and customers are partners in keeping online banking safe and secure. 4: Facilitate victims in their recovery process, primarily by providing feedback. 5: Continue with research on the human aspects of online banking safety and security. In conclusion, security education, training and awareness remain an important priority, especially for combatting social risks. It is very important to promote online resilience. The research indicates that in order to strengthen the role of customers in the safety and security of online banking, threat appraisals as well as coping appraisals should be improved.
If customers or end users believe that protective measures make a difference (response efficacy) and if they are able to perform these measures (self-efficacy), it is likely that end users will adopt precautionary behaviour and become a strong link in the information security chain. Proper information security practices should become part of our general skill set as people in this day and age. However, it should not be forgotten that safety and security is something that should be worked on together, with all parties involved. And when things do go wrong, we need to help one another to recover from it. All in all, an important requirement for a safer and more secure internet is that the human factor takes a central place in information security
Channel choice and source choice of entrepreneurs in a public organizational context: the Dutch case
Most e-Government research focuses on citizens, the use and effects of electronic channels and services. However, businesses are an important target group for governmental agencies as well. Governmental agencies have a duty to inform businesses and to make this information easy to access. In order to increase accessibility it is important to closely relate to the behavior of users. Therefore, the purpose of the present investigation is to gain insight about the channel and source choice of entrepreneurs in a public organizational context. According to 323 entrepreneurs, who filled out an electronic questionnaire, the internet is the most preferred channel and a search engine is the most preferred source for obtaining governmental information. Business, entrepreneur and situational characteristics have an effect, although small, on these choices
Risk as affect: the affect heuristic in cybersecurity
Risk perception is an important driver of netizens’ (Internet users’) cybersecurity behaviours, with a number of factors influencing its formation. It has been argued that the affect heuristic can be a source of variation in generic risk perception. However, a major shortcoming of the supporting research evidence for this assertion is that the central construct, affect, has not been measured or analysed. Moreover, its influence in the cybersecurity domain has not yet been tested. The contribution of the research reported in this paper is thus, firstly, to test the affect heuristic while measuring its three constructs: affect, perceived risk and perceived benefit and, secondly, to test its impact in the cybersecurity domain. By means of two carefully designed studies (N = 63 and N = 233), we provide evidence for the influence of the affect heuristic on risk perception in the cybersecurity domain. We conclude by identifying directions for future research into the role of affect and its impact on cybersecurity risk perception
Risk perceptions of cyber-security and precautionary behaviour
A quantitative empirical online study examined a set of 16 security hazards on the Internet and two comparisons in 436 UK and US students, measuring perceptions of risk and other risk dimensions. First, perceived risk was highest for identity theft, keylogger, cyber-bullying and social engineering. Second, consistent with existing theory, significant predictors of perceived risk were voluntariness, immediacy, catastrophic potential, dread, severity of consequences and control, as well as Internet experience and frequency of Internet use. Moreover, control was a significant predictor of precautionary behaviour. Methodological implications emphasise the need for non-aggregated analysis and practical implications emphasise risk communication to Internet users
Security and Privacy in Online Social Networking: Risk Perceptions and Precautionary Behaviour
A quantitative behavioural online study examined a set of hazards that correspond with security- and privacy settings of the major global online social network (Facebook). These settings concern access to a user's account and access to the user's shared information (both security) as well as regulation of the user's information-sharing and user's regulation of others' information-sharing in relation to the user (both privacy). We measured 201 non-student UK users' perceptions of risk and other risk dimensions, and precautionary behaviour. First, perceptions of risk and dread were highest and precautionary behaviour was most common for hazards related to users' regulation of information-sharing. Other hazards were perceived as less risky and less precaution was taken against these, even though they can lead to breaches of users' security or privacy. Second, consistent with existing theory, significant predictors of perceived risk were attitude towards sharing information on Facebook, dread, voluntariness, catastrophic potential and Internet experience; and significant predictors of precautionary behaviour were perceived risk, control, voluntariness and Internet experience. Methodological implications emphasise the need for non-aggregated analysis and practical implications emphasise interventions to promote safe online social-network use
Effects of Pharmacogenetic Screening for CYP2D6 Among Elderly Starting Therapy With Nortriptyline or Venlafaxine: A Pragmatic Randomized Controlled Trial (CYSCE Trial)
PURPOSE/BACKGROUND: The duration of untreated depression is a predictor for poor future prognosis, making rapid dose finding essential. Genetic variation of the CYP2D6 isoenzyme can influence the optimal dosage needed for individual patients. The aim of this study was to determine the effectiveness of CYP2D6 pharmacogenetic screening to accelerate drug dosing in older patients with depression initiating nortriptyline or venlafaxine. METHODS/PROCEDURES: In this randomized controlled trial, patients were randomly allocated to one of the study arms. In the intervention arm (DG-I), the specific genotype accompanied by a standardized dosing recommendation based on the patients' genotype and the prescribed drug was directly communicated to the physician of the participant. In both the deviating genotype control arm (DG-C) and the nonrandomized control arm, the physician of the participants was not informed about the genotype and the associated dosing advice. The primary outcome was the time needed to reach adequate drug levels: (1) blood levels within the therapeutic range and (2) no dose adjustments within the previous 3 weeks. FINDINGS/RESULTS: No significant difference was observed in mean time to reach adequate dose or time to adequate dose between DG-I and DG-C. Compared with the nonrandomized control arm group, adequate drug levels were reached significantly faster in the DG-I group (log-rank test; P = 0.004), and there was a similar nonsignificant trend for the DG-C group (log-rank test; P = 0.087). IMPLICATIONS/CONCLUSIONS: The results of this study do not support pharmacogenetic CYP2D6 screening to accelerate dose adjustment for nortriptyline and venlafaxine in older patients with depression