Drivers of information security search behavior: An investigation of network attacks and vulnerability disclosures

More and more people use search engines to seek for various information. This study investigates the search behavior that drives the search for information security knowledge via a search engine. Based on theories in information search and information security behavior we examine the effects of network attacks and vulnerability disclosures on search for information security knowledge by ordinary users. We construct a unique dataset from publicly available sources, and use a dynamic regression model to test the hypotheses empirically. We find that network attacks of current day and one day prior significantly impact the search, while vulnerability disclosure does not significantly affect the search. Implications of the study are discussed.

[1]  May R. Chaffin,et al.  Empirical Estimates and Observations of 0Day Vulnerabilities , 2009, 2009 42nd Hawaii International Conference on System Sciences.

[2]  Atreyi Kankanhalli,et al.  Studying users' computer security behavior: A health belief perspective , 2009, Decis. Support Syst..

[3]  S. Dunwoody,et al.  Proposed model of the relationship of risk information seeking and processing to the development of preventive behaviors. , 1999, Environmental research.

[4]  John H. Gerdes,et al.  Using web-based search data to predict macroeconomic statistics , 2005, CACM.

[5]  Irene Woon,et al.  A Protection Motivation Theory Approach to Home Wireless Security , 2005, ICIS.

[6]  R. W. Rogers,et al.  Effects of components of protection-motivation theory on adaptive and maladaptive coping with a health threat. , 1987, Journal of personality and social psychology.

[7]  Rahul Telang,et al.  Does information security attack frequency increase with vulnerability disclosure? An empirical analysis , 2006, Inf. Syst. Frontiers.

[8]  Richard D. Holowczak,et al.  Locking the door but leaving the computer vulnerable: Factors inhibiting home users' adoption of software firewalls , 2008, Decis. Support Syst..

[9]  A. Wister,et al.  From Cues to Action: Information Seeking and Exercise Self-Care among Older Adults Managing Chronic Illness* , 2006, Canadian Journal on Aging / La Revue canadienne du vieillissement.

[10]  Melissa C. Brouwers,et al.  Uncertainty orientation and protection motivation theory : the role of individual differences in health compliance , 1993 .

[11]  W. Fuller,et al.  LIKELIHOOD RATIO STATISTICS FOR AUTOREGRESSIVE TIME SERIES WITH A UNIT ROOT , 1981 .

[12]  Crystale Purvis Cooper,et al.  Cancer Internet Search Activity on a Major Search Engine, United States 2001-2003 , 2005, Journal of medical Internet research.

[13]  Alan Pankratz,et al.  Forecasting with Dynamic Regression Models: Pankratz/Forecasting , 1991 .

[14]  John S. Heidemann,et al.  A framework for classifying denial of service attacks , 2003, SIGCOMM '03.

[15]  Helen L. Armstrong,et al.  Internet anonymity practices in computer crime , 2003, Inf. Manag. Comput. Secur..

[16]  Pu Li,et al.  An examination of private intermediaries’ roles in software vulnerabilities disclosure , 2007, Inf. Syst. Frontiers.

[17]  Huseyin Cavusoglu,et al.  Efficiency of Vulnerability Disclosure Mechanisms to Disseminate Vulnerability Knowledge , 2007, IEEE Transactions on Software Engineering.

[18]  Gwilym M. Jenkins,et al.  Time series analysis, forecasting and control , 1972 .

[19]  Stephen K. Kwan,et al.  A Web Search Model for Strategic Decision Making , 2008 .

[20]  Abagail McWilliams,et al.  Event Studies In Management Research: Theoretical And Empirical Issues , 1997 .

[21]  Symeon Papavassiliou,et al.  Network intrusion and fault detection: a statistical anomaly approach , 2002, IEEE Commun. Mag..

[22]  R. W. Rogers,et al.  A Protection Motivation Theory of Fear Appeals and Attitude Change1. , 1975, The Journal of psychology.

[23]  Steven Furnell,et al.  Computer crime and abuse: A survey of public attitudes and awareness , 1999, Comput. Secur..

[24]  Bruce E. Barrett,et al.  Decision quality using ranked attribute weights , 1996 .

[25]  Bernard J. Jansen,et al.  The comparative effectiveness of sponsored and nonsponsored links for Web e-commerce queries , 2007, TWEB.

[26]  Jerold B. Warner,et al.  Using daily stock returns: The case of event studies , 1985 .

[27]  Ritu Agarwal,et al.  Practicing Safe Computing: Message Framing, Self-View, and Home Computer User Security Behavior Intentions , 2006, ICIS.

[28]  Qiu-Hong Wang,et al.  The Deterrent and Displacement Effects of Information Security Enforcement:  International Evidence , 2008, Proceedings of the 41st Annual Hawaii International Conference on System Sciences (HICSS 2008).

[29]  B. Ratchford,et al.  An Empirical Test of a Model of External Search for Automobiles , 1991 .

[30]  Daniel E. Rose,et al.  Understanding user goals in web search , 2004, WWW '04.

[31]  S. Dunwoody,et al.  Protection Motivation and Risk Communication , 2000, Risk analysis : an official publication of the Society for Risk Analysis.

[32]  Yajiong Xue,et al.  Avoidance of Information Technology Threats: A Theoretical Perspective , 2009, MIS Q..

[33]  Jose J. Gonzalez,et al.  Vulnerability Black Markets: Empirical Evidence and Scenario Simulation , 2009, 2009 42nd Hawaii International Conference on System Sciences.

[34]  Jeremy Ginsberg,et al.  Detecting influenza epidemics using search engine query data , 2009, Nature.

[35]  Jeffrey O. Kephart,et al.  Measuring and modeling computer virus prevalence , 1993, Proceedings 1993 IEEE Computer Society Symposium on Research in Security and Privacy.

[36]  H. Raghav Rao,et al.  Protection motivation and deterrence: a framework for security policy compliance in organisations , 2009, Eur. J. Inf. Syst..

[37]  Steven Furnell,et al.  The challenges of understanding and using security: A survey of end-users , 2006, Comput. Secur..

[38]  R. W. Rogers,et al.  A meta-analysis of research on protection motivation theory. , 2000 .

[39]  Michele L. Ybarra,et al.  Help seeking behavior and the Internet: A national survey , 2006, Int. J. Medical Informatics.

[40]  Tejaswini Herath,et al.  Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness , 2009, Decis. Support Syst..

[41]  W. Fuller,et al.  Distribution of the Estimators for Autoregressive Time Series with a Unit Root , 1979 .

[42]  Melissa C. Brouwers,et al.  Uncertainty orientation and protection motivation theory : the role of individual differences in health compliance , 1993 .

[43]  Nicolas Chantler,et al.  Profile of A Computer Hacker , 2001 .

[44]  Olivia R. Liu Sheng,et al.  What are people searching on government web sites? , 2007, CACM.

[45]  Ritu Agarwal,et al.  Practicing Safe Computing: A Multimedia Empirical Examination of Home Computer User Security Behavioral Intentions , 2010, MIS Q..

[46]  Ramayya Krishnan,et al.  An Empirical Analysis of Software Vendors' Patch Release Behavior: Impact of Vulnerability Disclosure , 2010, Inf. Syst. Res..

[47]  A. Lo,et al.  THE ECONOMETRICS OF FINANCIAL MARKETS , 1996, Macroeconomic Dynamics.

[48]  Glenn J. Browne,et al.  Cognitive Stopping Rules for Terminating Information Search in Online Tasks , 2007, MIS Q..

[49]  B. Dervin AN OVERVIEW OF SENSE-MAKING RESEARCH: CONCEPTS, METHODS AND RESULTS TO DATE , 1983 .

[50]  Matthew Richardson,et al.  Learning about the world through long-term query logs , 2008, TWEB.

[51]  George O. Rogers,et al.  The Dynamics of Risk Perception: How Does Perceived Risk Respond to Risk Events? , 1997 .

[52]  Karen A. Scarfone,et al.  A Complete Guide to the Common Vulnerability Scoring System Version 2.0 | NIST , 2007 .

[53]  Dolores J Severtson,et al.  Applying a Health Behavior Theory to Explore the Influence of Information and Experience on Arsenic Risk Representations, Policy Beliefs, and Protective Behavior , 2006, Risk analysis : an official publication of the Society for Risk Analysis.

[54]  John W. Payne,et al.  Do risk information programs promote mitigating behavior? , 1995 .

[55]  Gwilym M. Jenkins,et al.  Time series analysis, forecasting and control , 1971 .

[56]  Tyler Moore,et al.  Evil Searching: Compromise and Recompromise of Internet Hosts for Phishing , 2009, Financial Cryptography.

[57]  Detmar W. Straub,et al.  Security lapses and the omission of information security measures: A threat control model and empirical test , 2008, Comput. Hum. Behav..

[58]  James B. Hunt,et al.  Knowledge and the ordered protection motivation model: Tools for preventing AIDS , 1994 .

[59]  Jose J. Gonzalez,et al.  A Quest for a Framework to Improve Software Security : Vulnerability Black Markets Scenario , 2009 .

[60]  F. J. Anscombe,et al.  Rejection of Outliers , 1960 .

[61]  Peter Shea,et al.  Book Review: 'Click: What Millions of People Are Doing Online and Why it Matters' by Bill Tancer , 2010, ELERN.

[62]  Abdur Chowdhury,et al.  A picture of search , 2006, InfoScale '06.