Valuing information security from a phishing attack

The extent to which users take precautionary actions against cyber risks depends on how they perceive the value of information security relative to other important personal goals. In most cyber security contexts, users face trade-offs between information security and other attributes they want to maximize. We examined this issue by eliciting the “security premiums” that users were willing to sacrifice to protect their information security in a phishing context. We also examined the effect of usage context on the value of information security using an experimental design. Respondents from Amazon Mechanical Turk were randomized into one of three conditions in which the context of a phishing attack was varied. Respondents were asked to make trade-offs between pairs of attributes, including security, cost, latency, and productivity, from which we could quantify security premiums. Results indicated that half of the respondents were willing to pay a premium of between $9 and $11 per month, to wait between 8 and 9 additional minutes, and to forgo access to 21–29 valid pieces of information in order to obtain a more effective phishing filter that reduces the number of false negatives from 24 to 6 per month. Interestingly, the value of information security was sensitive to the usage context: social media invoked greater security premiums in terms of productivity than email and web surfing did. We also found that perceived vulnerability and perceived net benefit correlated significantly with security premiums in terms of monthly cost. These results offer valuable insights for the design of more usable information security systems.
