It won't happen to me: Promoting secure behaviour among internet users

Fraudulent activity on the Internet, in particular the practice known as 'Phishing', is on the increase. Although a number of technology-focussed countermeasures have been explored, user behaviour remains fundamental to increased online security. Encouraging users to engage in secure online behaviour is difficult, with a number of different barriers to change. Guided by a model adapted from health psychology, this paper reports on a study designed to encourage secure behaviour online. The study aimed to investigate the effects of education via a training programme and the effects of risk level manipulation on subsequent self-reported behaviour online. The training programme 'Anti-Phishing Phil' informed users of the common types of phishing threats and how to identify them, whilst the risk level manipulation randomly allocated participants to either high risk or low risk of becoming a victim of online fraud. Sixty-four participants took part in the study, comprising 9 males and 55 females with an age range of 18-43 years. Participants were randomly allocated to one of four experimental groups. High threat information and/or the provision of phishing education were expected to increase self-reports of secure behaviour. Secure behaviour was measured at three stages: a baseline measure stage, an intention measure stage, and a 7-day follow-up measure stage. The results showed that offering a seemingly tailored risk message increased users' intentions to act in a secure manner online, regardless of whether the risk message indicated they were at high or low risk of fraud. There was no effect of the training programme on secure behaviour in general. The findings are discussed in relation to the model of behaviour change, information provision and the transferability of training.
