226 research outputs found
Risk homeostasis in information security: challenges in confirming existence and verifying impact
The central premise behind risk homeostasis theory is that humans adapt their behaviors, based on external factors, to align with a personal risk tolerance level. In essence, this means that the safer or more secure they feel, the more likely it is that they will behave in a risky manner. If this effect exists, it serves to restrict the ability of risk mitigation techniques to effect improvements. The concept is hotly debated in the safety area. Some authors agree that the effect exists, but also point out that it is poorly understood and unreliably predicted. Other researchers consider the entire concept fallacious. It is important to gain clarity about whether the effect exists, and to gauge its impact if such evidence can indeed be found. In this paper we consider risk homeostasis in the context of information security. Similar to the safety area, information security could well be impaired if a risk homeostasis effect neutralizes the potential benefits of risk mitigation measures. If the risk homeostasis effect does indeed exist and does impact risk-related behaviors, people will simply elevate risky behaviors in response to feeling less vulnerable due to following security procedures and using protective technologies. Here we discuss, in particular, the challenges we face in confirming the existence and impact of the risk homeostasis effect in information security, especially in an era of ethical research practice.
“This is the way ‘I’ create my passwords ...”: does the endowment effect deter people from changing the way they create their passwords?
The endowment effect is the term used to describe a phenomenon that manifests as a reluctance to relinquish owned artifacts, even when a viable or better substitute is offered. It has been confirmed by multiple studies when it comes to ownership of physical artifacts. If computer users also "own", and are attached to, their personal security routines, such feelings could conceivably activate the same endowment effect. This would, in turn, lead to their over-estimating the "value" of their existing routines, in terms of the protection they afford, and the risks they mitigate. They might well, as a consequence, not countenance any efforts to persuade them to adopt a more secure routine, because their comparison of pre-existing and proposed new routine is skewed by the activation of the endowment effect. In this paper, we report on an investigation into the possibility that the endowment effect activates when people adopt personal password creation routines. We did indeed find evidence that the endowment effect is likely to be triggered in this context. This constitutes one explanation for the failure of many security awareness drives to improve password strength. We conclude by suggesting directions for future research to confirm our findings, and to investigate the activation of the effect for other security routines.
Are we predisposed to behave securely? Influence of risk disposition on individual security behaviors
Employees continue to be the weak link in organizational security management, and efforts to improve the security of employee behaviors have not been as effective as hoped. Researchers contend that security-related decision making is primarily based on risk perception. There is also a belief that, if changed, this could improve security-related compliance. The extant research has primarily focused on applying theories that assume rational decision making, e.g. protection motivation and deterrence theories. This work presumes we can influence employees towards compliance with information security policies by means of fear appeals and threatened sanctions. However, it is now becoming clear that security-related decision making is complex and nuanced, not a simple carrot-and-stick situation. Dispositional and situational factors interact and interplay to influence security decisions. In this paper, we present a model that positions the psychological disposition of individuals in terms of risk tolerance vs. risk aversion and proposes research to explore how this factor influences security behaviors. We propose a model that acknowledges the impact of employees' individual dispositional risk propensity as well as their situational risk perceptions on security-related decisions. It is crucial to understand this decision-making phenomenon as a foundation for designing effective interventions to reduce such risk taking. We conclude by offering suggestions for further research.
Is the responsibilization of the cyber security risk reasonable and judicious?
Cyber criminals appear to be plying their trade without much hindrance. Home computer users are particularly vulnerable to attack by an increasingly sophisticated and globally dispersed hacker group. The smartphone era has exacerbated the situation, offering hackers even more attack surfaces to exploit. It might not be entirely coincidental that cyber crime has mushroomed in parallel with governments pursuing a neoliberalist agenda. This agenda has a strong drive towards individualizing risk, i.e. advising citizens how to take care of themselves, and then leaving them to face the consequences if they choose not to follow the advice. In effect, citizens are “responsibilized.” Whereas responsibilization is effective for some risks, the responsibilization of cyber security is, we believe, contributing to the global success of cyber attacks. There is, consequently, a case to be made for governments taking a more active role than the mere provision of advice, which is the case in many countries. We conclude with a concrete proposal for a risk regulation regime that would more effectively mitigate and ameliorate cyber risk.
Cyber security responsibilization: an evaluation of the intervention approaches adopted by the Five Eyes countries and China
Governments can intervene to a greater or lesser extent in managing the risks their citizens face. They can adopt a maximal intervention approach (e.g. COVID-19) or a hands-off approach, effectively “responsibilizing” their citizens (e.g. unemployment). To manage the cyber risk, governments publish cyber-related policies. The question that we wanted to answer was: “What intervention stances do governments adopt in supporting individual citizens managing their personal cyber risk?” We pinpointed the cyber-related responsibilities that several governments espoused, applying a “responsibilization” analysis. We identified those that applied to citizens, and thereby revealed their cyber-related intervention stances. Our analysis revealed that most governments adopt a minimal cyber-related intervention stance in supporting their individual citizens. Given the increasing number of successful cyber attacks on individuals, it seems time for the consequences of this stance to be acknowledged and reconsidered. We argue that governments should support individual citizens more effectively in dealing with cyber threats.
VISTA: an inclusive insider threat taxonomy, with mitigation strategies
Insiders have the potential to do a great deal of damage, given their legitimate access to organisational assets and the trust they enjoy. Organisations can only mitigate insider threats if they understand what the different kinds of insider threats are, and what tailored measures can be used to mitigate the threat posed by each of them. Here, we derive VISTA (inclusiVe InSider Threat tAxonomy) based on an extensive literature review and a survey with C-suite executives, to ensure that the VISTA taxonomy is not only scientifically grounded, but also meets the needs of organisations and their executives. To this end, we map each VISTA category of insider threat to tailored mitigations that can be deployed to reduce the threat.
Using intervention mapping to breach the cyber-defense deficit
It sometimes seems that every IT user is a combatant, engaged in a battle with multitudes of hackers across the globe. This battle is unevenly biased in favor of the hackers, because people routinely act in ways that open doors for hackers, thereby enabling their nefarious activities. If current approaches to raising security awareness were working, the hackers would not be having as much success in attacking systems. It is time to reconsider how we design, formulate and deliver security awareness training. In this paper we propose using a technique borrowed from the health arena, "Intervention Mapping," to target security awareness training more effectively. We detail the different phases of the methodology and give an example to show how it was applied to an SME. The purpose of this paper is to open a discourse in the community about how we can arrive at more effective awareness-raising endeavors.
Physical Activity and Hippocampal Sub-Region Structure in Older Adults with Memory Complaints.
Background: Physical activity (PA) plays a major role in maintaining cognition in older adults. PA has been shown to be correlated with total hippocampal volume, a memory-critical region within the medial temporal lobe (MTL). However, research on associations between PA and MTL sub-region integrity is limited.
Objective: To examine the relationship between PA, MTL thickness, and its sub-regions, and cognitive function in non-demented older adults with memory complaints.
Methods: Twenty-nine subjects aged ≥60 years, with memory complaints, were recruited for this cross-sectional study. PA was tracked for 7 days using accelerometers, and the average number of steps/day determined. Subjects were categorized into two groups: those who walked ≤4000 steps/day (lower PA) and those with >4000 steps/day (higher PA). Subjects received neuropsychological testing and 3T MRI scans. Nonparametric ANCOVAs controlling for age examined differences between the two groups.
Results: Twenty-six subjects aged 72.7 (8.1) years completed the study. The higher PA group (n = 13) had thicker fusiform gyrus (median difference = 0.11 mm, effect size (ES) = 1.43, p = 0.001) and parahippocampal cortex (median difference = 0.12 mm, ES = 0.93, p = 0.04) compared to the lower PA group. The higher PA group also exhibited superior performance in attention and information-processing speed (median difference = 0.90, ES = 1.61, p = 0.003) and executive functioning (median difference = 0.97, ES = 1.24, p = 0.05). Memory recall was not significantly different between the two groups.
Conclusion: Older non-demented individuals complaining of memory loss who walked >4000 steps each day had thicker MTL sub-regions and better cognitive functioning than those who walked ≤4000 steps. Future studies should include longitudinal analyses and explore mechanisms mediating hippocampal-related atrophy.
A secure relationship with passwords means not being attached to how you pick them
When you are asked to create a password – either for a new online account or when resetting login information for an existing account – you're likely to choose a password you know you can remember. Many people use extremely basic passwords, or a more obscure one they reuse across many sites. Our research has found that others – even ones who use different passwords for each site – have a method of devising them, for instance basing them all on a familiar phrase and making site-specific tweaks.
- …