Author Archives: enicaise

In April 2019, ENISA, the European Network and Information Security Agency, published an outstanding document (two in fact): “Cybersecurity Culture Guidelines: Behavioural Aspects of Cybersecurity”.

This document is the result of four evidence-based reviews of human aspects of cybersecurity performed by different scholars: two based on the use and effectiveness of models from social science used to improve cybersecurity, one on qualitative studies; and one on current practise within organisations. The details of these reviews are presented in the second document: “TECHNICAL ANNEX: EVIDENCE REVIEWS –
Review of Behavioural Sciences Research in the Field of Cybersecurity”

The guidelines are a 30 page document including recommendations on a process and metrics to improve cybersecurity culture in an organisation.

The annexes are barely bigger and offer a condensed summary of relevant research, weaknesses, and strong points. It should interest any scholar working on the topic.

You will also find a link to ConstructDB, the incredible database of 792 theoretical constructs gathered by Becker & Sasse (2018) during their review of scientific literature on the subject. An outstanding work!

A nice summary of the current literature is summarized in the five following points extracted from the report:

• Over-reliance on self-report measures:
  The vast majority of studies relied on self-report measures of cyber-security behaviours (or intention to behave). This is potentially problematic since self-reporting does not always correlate with actual behaviour (Wash, Rader & Fennel, 2017). However, there was some evidence of more creative measures being used.
• The poverty of models used:
  Three models for understanding human aspects of cyber-security dominated the studies reviewed. Both Protection Motivation Theory (See our recent short article on this theory) and the Theory of Planned Behaviour (TPB) were well represented in the review. Unfortunately, it seems that the research literature has not moved from these pathway models to consider wider contexts or to integrate insights from behaviour change or persuasive design.
• Threat models do not help to predict behaviour:
  Within PMT, people’s motivation to protect themselves from potential threats is determined by the relative balance of the severity and likelihood of the threat and the potential ways to cope with that threat. Studies that have studied the role of threat in predicting this motivation towards protection have reported either weak, neutral or even negative effects of increasing threat appraisal on motivation to take protective action. Similarly, studies of increased severity of punishment for violation of IS policies have found that they can backfire and lead to less compliance.
• Coping models have more value predicting behaviour:
  On the other hand, studies that have included the resources people have to cope with a threat have produced more promising outcomes. The second element of protection motivation theory is the individual’s appraisal of their likely response to a threat, both in terms of the likely efficacy of the response and their own ability to complete the required response. These two factors are commonly referred to as ‘response efficacy’ and ‘self-efficacy’. In later PMT models, the cost of completing the response was also factored into the model. Within the theory of planned behaviour, ‘self-efficacy’ or ‘perceived behavioural control’ are used to signify the users’ belief in their ability to complete the desired behaviour. Across studies of PMT and TPB, coping / self-efficacy was a reliable, moderately strong predictor of cyber-security intention and behaviour. This suggests that interventions that seek to improve users’ ability to respond appropriately to cyber-threats (and belief that those responses will be effective) are more likely to yield positive results than campaigns based around stressing the threat.
• Demographics and personality are not particularly useful:
  Relatively few studies in the review also studied personality or demographics (e.g. age, gender). Those that did found mixed results, with both older and young users often being found to be vulnerable and gender only sometimes linking to security behaviour or attitudes. Personality rarely linked to security behaviour in a consistent way, although there was some evidence that models of general decision making might be more predictive.

References:

• The ENISA Cybersecurity Culture Guidelines’ page: https://www.enisa.europa.eu/publications/cybersecurity-culture-guidelines-behavioural-aspects-of-cybersecurity
• The technical annexes’ page: https://www.enisa.europa.eu/publications/cybersecurity-culture-guidelines-technical-annex-evidence-reviews/

Many theories are used to explain and predict human behaviour. Protection Motivation Theory is one of those theories sometimes used by cybersecurity professionals to prepare their programs. Is it a good choice?

Ronald W. Rogers proposed the Protection Motivation Theory (Rogers, 1975) to explain the effect of fear appeal in communications on the audience’s attitude change. Initially, Rogers developed PMT to explain health-related behavioural changes like the impact of fear-appeal on smokers’ behaviour. In 1983, Rogers and Maddux revised the model to include self-efficacy as an influencing factor (Maddux & Rogers, 1983).

PMT suppose an effect of the perceived efficacy of coping response, the perceived self-efficacy to perform the coping response and the probability of the threat on the attitude towards the coping response. We summarised the different variables and their effects in the figure below: Protection Motivation Theory – variables and effects.

PMT is now also used in an information security context by different researchers. As Menard et al. (2017) showed in their literature review on PMT, its application to the information security field gives mixed results.

It was mainly used to explain the impact of threat perception and perceived self-efficacy on changes in security behaviours or attitude in a population (Chou & Sun, 2017; Grimes & Marquardson, 2019; Ismail et al., 2017; Jansen & van Schaik, 2018; Menard et al., 2017; Milne et al., 2009).

If we take the specific case of phishing, these studies did not provide a specific model. Still, they suggest that perceived self-efficacy and threat perception might play a role in the process of detecting phishing emails.

It is an interesting model for health prevention professionals, but probably not for human-centrric cyber security ones.

Bibliography

• Chou, H.-L., & Sun, J. C.-Y. (2017). The moderating roles of gender and social norms on the relationship between protection motivation and risky online behavior among in-service teachers. Computers & Education, 112, 83–96. https://doi.org/10.1016/j.compedu.2017.05.003

• Grimes, M., & Marquardson, J. (2019). Quality matters: Evoking subjective norms and coping appraisals by system design to increase security intentions. Decision Support Systems, 119, 23–34. Scopus. https://doi.org/10.1016/j.dss.2019.02.010

• Ismail, K. A., Singh, M. M., Mustaffa, N., Keikhosrokiani, P., & Zulkefli, Z. (2017). Security Strategies for Hindering Watering Hole Cyber Crime Attack. Procedia Computer Science, 124, 656–663. https://doi.org/10.1016/j.procs.2017.12.202

• Jansen, J., & van Schaik, P. (2018). Testing a model of precautionary online behaviour: The case of online banking. Computers in Human Behavior, 87, 371–383. Scopus. https://doi.org/10.1016/j.chb.2018.05.010

• Maddux, J. E., & Rogers, R. W. (1983). Protection motivation and self-efficacy: A revised theory of fear appeals and attitude change. Journal of Experimental Social Psychology, 19(5), 469–479. https://doi.org/10/cbzjj7

• Menard, P., Bott, G. J., & Crossler, R. E. (2017). User Motivations in Protecting Information Security: Protection Motivation Theory Versus Self-Determination Theory. Journal of Management Information Systems, 34(4), 1203–1230. Scopus. https://doi.org/10.1080/07421222.2017.1394083

• Milne, G. R., Labrecque, L. I., & Cromer, C. (2009). Toward an understanding of the online consumer’s risky behavior and protection practices. Journal of Consumer Affairs, 43(3), 449–473. Scopus. https://doi.org/10.1111/j.1745-6606.2009.01148.x

• Rogers, R. W. (1975). A Protection Motivation Theory of Fear Appeals and Attitude Change1. The Journal of Psychology, 91(1), 93–114. https://doi.org/10/cb4jgn