Valuing information security from a phishing attack

In most cyber security contexts, users need to make trade-offs for information security. This research examined this issue by quantifying the relative value of information security within a value system that comprises multiple conflicting objectives. Using this quantification as a platform, this research also examined the effect of different usage contexts on information security concern. Users were asked to indicate how much loss in productivity and time they were willing to accept, and how much more money they were willing to pay, to acquire an effective phishing filter. The results indicated that users prioritize productivity and time over information security, while concern about cost was much more heterogeneous. The value of information security was not significantly different across usage contexts. The relative value of information security was found to be predictive of self-reported online security behaviors. These results offer valuable implications for the design of more usable information security systems.
