Introducing the Cybersurvival Task: Assessing and Addressing Staff Beliefs about Effective Cyber Protection

Despite increased awareness of cybersecurity incidents and their consequences, organisations still struggle to convince employees to comply with information security policies and to engage in effective cyber prevention. Here we introduce and evaluate the Cybersurvival Task, a ranking task that highlights cybersecurity misconceptions amongst employees and that serves as a reflective exercise for security experts. We describe an initial deployment and refinement of the task in one organisation and a second deployment and evaluation in another. We show how the Cybersurvival Task could be used to detect ‘shadow security’ cultures within an organisation, and we illustrate how a group discussion about the importance of different cyber behaviours led to the weakening of staff’s cybersecurity positions (i.e. more disagreement with experts). We also discuss its use as a tool to inform organisational policy-making and the design of campaigns and training events, ensuring that they are better tailored to specific staff groups and designed to target problematic behaviours.
