Analyzing the role of cognitive and cultural biases in the internalization of information security policies: Recommendations for information security awareness programs

Standards and best practices for information security awareness programs focus on the content and processes of the programs, without taking into consideration how individuals internalize security-related information and how they make security-related decisions. Relevant literature, however, has identified that individual perceptions, beliefs, and biases significantly influence security policy compliance behavior. Security awareness programs therefore need to be aligned with the factors affecting the internalization of the communicated security objectives. This paper explores the role of cognitive and cultural biases in shaping information security perceptions and behaviors. We draw upon related literature from contiguous disciplines (namely behavioral economics and health and safety research) to develop a conceptual framework and analyze the role of cognitive and cultural biases in information security behavior. We discuss the implications of biases for security awareness programs and provide a set of recommendations for planning and implementing awareness programs, and for designing the related material. This paper opens new avenues for information security awareness research with regard to security decision making and proposes practical recommendations for planning and delivering security awareness programs, so as to exploit and alleviate the effect of cognitive and cultural biases on shaping risk perceptions and security behavior.

Security literature lacks an examination of the role of cognitive and cultural biases. We study how cognitive and cultural biases affect security compliance behavior. Security awareness programs could alleviate the effect of biases. We provide recommendations for security awareness programs towards this goal.
