The Design of Messages to Improve Cybersecurity Incident Reporting

Cybersecurity suffers from the problem of poor incident reporting. We explored how message design influences the incident reporting rate. Participants were presented with messages that differed in terms of (i) whether the problem was framed as a technical or a security issue and (ii) the perceived beneficiaries of making a report (benefit to the user, benefit to others, or no benefit message). Participants were more likely to report a problem if doing so implied some benefit to self; making the problem more personally relevant might act to reduce social loafing in group settings. They were also more likely to report a technical rather than a security problem, and qualitative data suggested that users were sometimes suspicious of messages reporting a security incident, believing that the message itself might be a cybersecurity attack. The findings provide starting points for future research aimed at improving incident reporting.
