Human Factors in Cybersecurity

Dr Lee Hadlington of De Montfort University has published new open access EMPAC research in Heliyon (Vol. 3, Issue 7, July 2017).

The research explored the relationship between risky cybersecurity behaviours, attitudes towards cybersecurity in a business environment, Internet addiction, and impulsivity. 538 participants in part-time or full-time employment in the UK completed an online questionnaire, with responses from 515 being used in the data analysis. The survey included an attitude towards cybercrime and cybersecurity in business scale, a measure of impulsivity, a measure of Internet addiction and a ‘risky’ cybersecurity behaviours scale. The results demonstrated that Internet addiction was a significant predictor of risky cybersecurity behaviours. A positive attitude towards cybersecurity in business was negatively related to risky cybersecurity behaviours. Finally, the measure of impulsivity revealed that attentional and motor impulsivity were both significant positive predictors of risky cybersecurity behaviours, with non-planning being a significant negative predictor. The results present a further step in understanding the individual differences that may govern good cybersecurity practices, highlighting the need to focus directly on more effective training and awareness mechanisms.

Read more about the research here.

No.1 threat

In 2010 the British Government assigned the growing threat from cybercrime a “Tier One” status, its highest level of concern (HMSO, 2010). In the same year, a report published by The Symantec Corporation (LaBrie et al., 2010) noted that globally, 65% of adults had fallen victim to some form of cybercrime. The economic cost of breaches in cybersecurity has also been noted, with an estimated cost of between £75,000 and £311,000 for small and medium-sized enterprises (SMEs), this figure rising to between £1.46m and £3.14m for larger organisations (HM Government, 2015). The current research is presented alongside this alarming rise in cybercrime. The key aim is to provide an exploration of how individual differences serve to influence employees’ engagement in information security behaviours.

Human factors in the context of information security have begun to gain increased attention, particularly where the use of security technologies has failed to protect companies from cyberattacks (Anwar et al., 2016; Herath and Rao, 2009a,b). The value of such technologies is negated in instances where employees fail to follow cybersecurity protocols or engage in activities that place themselves and the company at risk. It is from this perspective that the growth in research exploring the role human factors play in information security has been born (Herath and Rao, 2009b). Research has found that employees consistently underestimated the probability of falling victim to a cybersecurity breach (Herath and Rao, 2009a). Herath and Rao (2009b) further argued that organisational, environmental and behavioural factors all serve to influence the extent to which employees adhere to cybersecurity practices.

Some attempts have been made to explore how individual differences in personality traits can impact on a person’s adherence to cybersecurity procedures. For example, Shropshire, Warkentin, Johnston, and Schmidt (2006) initially proposed a link between the intent to comply with information security protocols and the traits of agreeableness and conscientiousness. McBride et al. (2012) also noted that individuals who are more extraverted were more likely to violate cybersecurity policies in comparison to more neurotic and conscientious individuals. Shropshire et al. (2015) found that the relationship between the intent to use a new piece of security software and its actual use was also mediated by conscientiousness and agreeableness. However, it should be noted that this last piece of research focused on a cohort of students aged between 18 and 21, potentially limiting the extension of these findings to a work-based population. The researchers also noted a general discrepancy between behavioural intent and actual behaviour, further complicating the prediction of security-compliant behaviours (Shropshire et al., 2015).

Additional work exploring the link between personality traits and susceptibility to attacks has been included in pioneering work by Uebelacker and Quiel (2014). This work examined the link between susceptibility to social engineering attacks and key personality factors. Social engineering is viewed as the use of manipulation, persuasion, and influence by an attacker to obtain sensitive information or access to restricted areas (Uebelacker and Quiel, 2014). Uebelacker and Quiel (2014) presented a theoretical framework based on a comprehensive literature review that made direct links between the Big Five personality traits (see John and Srivastava, 1999) and susceptibility to social engineering. The authors suggested that individuals exhibiting traits such as conscientiousness, extraversion, openness to experience, and agreeableness were highly susceptible to social engineering attacks. In contrast, further studies exploring information security behaviours have noted that conscientiousness, agreeableness and openness to experience were linked to lower risk taking and higher information security awareness scores (McCormac et al., 2016). This discrepancy in findings further highlights the potential benefits of conducting more research to examine the impact aspects of personality have on information security behaviours.

One personality trait that has been focused on within the research surrounding information security behaviours is that of impulsivity. Impulsiveness has been defined as “the urge to act spontaneously without reflecting on an action and its consequences” (Coutlee et al., 2014; p. 2). Research has shown that individuals who exhibit higher levels of impulsivity are less risk averse when compared to those with lower levels (Coutlee et al., 2014; McCoul and Haslam, 2001; Zuckerman and Kuhlman, 2000). Coutlee et al. (2014) also noted that trait impulsivity is a component of a wide number of clinical conditions such as ADHD, borderline personality disorder and impulse control disorders. Recent work has also established links between impulsivity and aspects of information security awareness. For instance, Egelman and Peer (2015b) explored the link between impulsivity and information security using their own Security Behaviours Intentions Scale (SeBIS). This scale examined awareness and engagement in good cybersecurity practices, including the use of different passwords for different accounts, verifying the authenticity of links before following them and keeping software up to date. Findings from this research showed that impulsivity was negatively correlated with security behaviours, presenting the potential for this trait to predict risky cybersecurity behaviours.

Welk et al. (2015) assessed the impact of individual differences on participants’ capacity to discriminate between legitimate emails and phishing emails. A phishing email typically involves some form of social engineering tactic, with the attacker purporting to be an official source in an attempt to elicit personal information such as account login details (Welk et al., 2015). Welk et al. (2015) noted that measures of personality and impulsivity acted as significant predictors of detecting a phishing email. Individuals who scored higher on measures of extraversion and anxiousness performed significantly worse at detecting phishing emails. Aspects of impulsivity including reservation, calmness, and the capacity to keep emotions under control were also positively correlated with accuracy in detecting phishing emails. Those who were rated as being more reserved, calmer and as having the capacity to keep their emotions in check had better detection rates for phishing emails (Welk et al., 2015).

Tischer et al. (2016) examined the potential for individuals to plug in USB devices that had been littered around a university campus. This process is often seen as a key mechanism of infiltration used by social engineers, who will leave such devices in prominent places in an attempt to gain entry to highly protected systems (Tischer et al., 2016). Often such devices will be laden with malicious software allowing the social engineer remote access to the system once they have been plugged into a computer connected to the Internet. In contrast to Egelman and Peer’s work, Tischer et al. (2016) found that individuals who were more likely to plug in a USB device were no more risk-loving when compared to a matched sample. In fact, those individuals who did plug in the USB were more risk averse in all categories apart from that of recreational risk. It does appear that these individuals devolve responsibility for their protection to the computer and the security measures deployed on it, or are ignorant of the risks attached to poor cybersecurity practices (Tischer et al., 2016). Tischer et al. (2016) also used the SeBIS, but noted that the internal reliability of the scale was much lower than had been found in the original research by Egelman and Peer (2015b). As there appears to be a lack of clarity in the research literature about the impact trait impulsivity has on both attitudes and behaviours in the context of information security, the present research aimed to examine this further. It is proposed, based on previous research findings, that impulsivity will significantly predict adherence to information security protocols.

Internet addiction

Internet addiction has garnered a great deal of attention over the past two decades, with many arguing for it to be classified as a pathological disorder (Griffiths, 1998; Griffiths, 2000; Young, 1998). Griffiths (2000) suggested that the concept of Internet addiction is potentially a misnomer, and is an umbrella term that actually masks other technological addictions fuelled by access to the Internet. These could include aspects of addiction to email (Marulanda-Carter and Jackson, 2012), online gaming (Kuss et al., 2012; Ng and Wiemer-Hastings, 2005), and social networking (Karaiskos et al., 2010).

To date there have been no explicit attempts to link Internet addiction to the potential to engage in risky cybersecurity behaviours. Most of the research examining the impact of Internet addiction in the workplace has focused on aspects of lost productivity (Greenfield and Davis, 2002; Young and Case, 2004). A potential link between Internet addiction and Internet abuse has been mentioned in the research literature, with Griffiths (2010) noting that although related, these concepts are not the same. Stanton (2002) previously made the suggestion that Internet abuse in the workplace is a natural extension of activities related to Internet addiction. Accordingly, Rosen (2010) claimed that the new iGeneration of workers believe that they have the right to be online at all times, irrespective of whether they are at work or not. Aspects of Internet abuse are not without an associated cost, and can lead to the clogging of computer networks as well as increasing the incidence of security breaches within an organisation (Pee et al., 2008; Weatherbee, 2010). Chen et al. (2008) noted that unethical use of the Internet within the workplace had the potential to develop into cybercrime, including aspects of intellectual property theft, distributing offensive material and online piracy. Panko (2010) also noted that users could cause a variety of issues through computer abuse and misuse, such as inadvertently downloading malicious code or visiting compromised websites. Further work is deemed necessary to establish exactly how aspects of technology addiction link into poor cybersecurity behaviours and, in turn, whether such a metric could be used to help organisations target training more effectively. It is suggested that those individuals exhibiting a compulsive use of the Internet will be inclined to take more risks in order to get online, and as a result be less compliant with accepted protocols.

The current study aimed to explore potential variables that could serve to predict a higher frequency for engaging in risky cybersecurity behaviours. The results present a preliminary step into exploring human factors within cybersecurity. There is the potential for certain predictors to provide a mechanism for identifying those who may be more susceptible to engage in cyber-related risky behaviours. Each of these will now be discussed in turn.

Cyber security is someone else’s job

One of the key findings from the current research is that employee attitudes towards cybersecurity were negatively correlated with the frequency with which they engaged in risky cybersecurity behaviours. The capacity to instil good cybersecurity behaviour should be viewed as being of paramount importance for all organisations, irrespective of their size and complexity. However, it is apparent from the responses to the attitude scale that this is not the case, with pockets of individuals appearing to be disengaged or ill equipped to act appropriately. Some 98% of those questioned devolved responsibility for company cybersecurity to management, with a further 58% stating they did not know how they could protect the company from cybercrime. One analogue to this is found in Tischer et al. (2016), who noted that certain individuals appear to devolve aspects of their security to computer systems. In the context of the present study the concept of ‘computer systems’ may also extend to include other aspects of the work-based environment, including system administrators and management. It would appear that these are the people who individuals believe have a direct responsibility for prevention of cyberattacks. It would also appear that those individuals who are dismissive of or ignorant of the threats from poor cybersecurity are more likely to engage in risky cybersecurity behaviours. It is unclear whether this is due to a complete disregard for information security or the belief that technology-based security measures will protect an individual from cybercrime, and this provides a route for further empirical study. One of the key reasons for employing an attitude scale in research of this nature is that, given the capacity for attitudes to change over time, it provides a good metric to examine whether interventions have served to alter knowledge and perceptions (Shropshire et al., 2006).

Risky behaviours

The extent to which individuals engage in risky cybersecurity behaviours also appears to be closely linked to the level of problematic or addictive Internet use they exhibit. At the heart of behavioural addiction is the drive to engage in the addictive behaviour, which goes above all else and dominates the individual’s thoughts, feelings and behaviours (Griffiths, 2010). This concept of ‘salience’ may be one potential element of the addictive complex that overrides a capacity to engage in good cybersecurity behaviours. Griffiths (2010) discussed the capacity for Internet addiction to lead to aspects of Internet abuse within the workplace, with the present study representing one of the first to link this to the potential impact on the cybersecurity of the organisation. In very early work of this nature, Stanton (2002) had suggested that there was the potential for a small proportion of employees who were addicted to the Internet to also abuse Internet access at work. In the context of the present study Internet addiction is not presented as a potential screening tool to isolate individuals in order for punitive action to be taken. Researchers such as Young and Case (2004) suggested that caution should be exercised when attempting to punish individuals who exhibit problematic Internet use in the workplace. By doing so, the employer could be creating even wider issues, and they advise support and the provision of potential routes to therapeutic interventions as a more effective approach.

Aspects of impulsivity also present as significant predictors of risky cybersecurity behaviours. Attentional and motor impulsivity both presented as significant positive predictors of risky behaviours. Based on past research it is assumed that those with high levels of impulsiveness often act without reflection and pay little attention to the cost of their actions (Coutlee et al., 2014). This absence of ‘think before you act’ behaviour may be a key mechanism that serves to override engagement in positive cybersecurity practices. Individuals may engage in risky cybersecurity behaviours without fully establishing the cost of doing so, not only for themselves but also for the company for whom they work.

The non-planning element of impulsivity was found to be a significant negative predictor of risky cybersecurity behaviours. This suggests that individuals who plan for short-term and long-term goals are less likely to rush to complete activities, and in turn do not jeopardise cybersecurity as a result. These findings differ from previous research which noted negative correlations between the sub-scales of the BIS-11 and the SeBIS (Egelman and Peer, 2015a, b). However, qualitative differences in the content of the scales used could be one potential reason for the difference in results, and it is suggested that further studies aim to clarify this. It is also noted that impulsivity accounted for just 9% of the overall variance in the data, suggesting that other factors could be contributing to the difference in risky behaviours.

The notion of risk compensation (Wilde, 1998) also presents a potential confound in the context of the present study. The example often presented in the context of risk compensation is the use of seat belts in automobiles. The logic here is that drivers believe they are more protected by wearing a seat belt than by not wearing one, and therefore will take more risks. This has a direct link to information security behaviours, particularly when the individual is in a place of work. Many working environments employ information technology infrastructures that are protected by a variety of technical countermeasures designed to prevent potential breaches. As the individual believes they are more protected in the workplace, they may be inclined to take more risks, circumvent accepted protocols and engage in poorer information security behaviours. This proposition is couched very much in a tentative way, and there is a need to explore it in more detail through further research.

The Human Touch

As the fight against susceptibility to cybercrime and the prevention of digital attacks within businesses moves its emphasis away from technology towards human factors, research of this nature becomes more and more important. The present research highlights how aspects of personality, problematic Internet use and employee attitudes can impact on the potential to engage in effective information security behaviours. As a more systematic model of how individuals are choosing to engage (or not) in good cybersecurity practices is developed, there is the potential to create clearer communication packages or strategies to proliferate these further. Some work has already been conducted in this area, with research from Bada et al. (2014) noting that in order to be effective, key design elements have to be adhered to. For instance, the researchers noted that information security education has to go beyond just providing information to users.

Read the full article at http://www.sciencedirect.com/science/article/pii/S2405844017309982?via%3Dihub