Behavioral Experiments Exploring Victims' Response to Cyber-based Financial Fraud and Identity Theft Scenario Simulations

two scenario-simulation behavioral experiments to explore individual users' response to common cyber-based financial fraud and identity theft attacks depend on systematically manipulated variables related to characteristics of the attack and the attacker. Experiment I employed a 4 by 2 between-groups factorial design, manipulating attacker characteristics (individual with picture vs. individual vs. group vs. unknown) and attack mode (acquiring a bank database vs. obtaining personal bank account information) in response to a bank letter scenario notifying respondents of a data breach. Respondents' positive and negative affect, perceived risk, behavioral intention and attitude towards the government's role in cyber security were measured. Results suggest that respondents experienced greater negative affect when the attacker was an individual, as well as experienced more positive affect when the attack target was an individual bank account. In addition, a picture of an individual attacker increased intended behavioral changes and expectations of the bank to manage the response in the bank database attacks only. Experiment II utilized a 4 by 3 between-groups factorial design, manipulating attacker motivation (fame vs. money vs. terrorism vs. unknown) and attack resolution status (resolved vs. still at risk vs. unknown) in response to an identity theft scenario that evolves over four time points. In this experiment, respondents' affect, perceived risk and intended short- and long-term behavior were measured at each time point. Results suggest that respondents reported less perceived risk when the attacker's motivation was to fund terrorism. Respondents also reported lower negative affect and lower perceived risk when the identity theft case was reported as resolved. Respondents also were more willing to pursue long- term behavior changes when the attack outcome was still at risk or unknown. In both experiments, respondents' sex and age were related to affect, risk perception, and behavioral intentions. The paper also includes discussion of how further understanding of individual user decision making informs policy makers' design and implementation of cyber security policies related to credit fraud and identity theft.

[1]  John Mylopoulos,et al.  Security and privacy requirements analysis within a social setting , 2003, Proceedings. 11th IEEE International Requirements Engineering Conference, 2003..

[2]  S. Brenner 'At Light Speed' - Attribution and Response to Cybercrime/Terrorism/Warfare , 2007 .

[3]  C. Hale,et al.  Fear of Crime: A Review of the Literature1 , 1996 .

[4]  Lynn Westbrook,et al.  A. Nascent Model: Private crises/public reponses: A nascent model , 2012, ASIST.

[5]  Teun Terpstra,et al.  Emotions, Trust, and Perceived Risk: Affective and Cognitive Routes to Flood Preparedness Behavior , 2011, Risk analysis : an official publication of the Society for Risk Analysis.

[6]  Daniel R. Tesone,et al.  Achieving Cyber Defense Situational Awareness: A Cognitive Task Analysis of Information Assurance Analysts , 2005 .

[7]  Wesley G. Skogan,et al.  Coping With Crime: Individual and Neighborhood Reactions , 1981 .

[8]  A. Leiserowitz Climate Change Risk Perception and Policy Preferences: The Role of Affect, Imagery, and Values , 2006 .

[9]  Baruch Fischhoff,et al.  Judged Terror Risk and Proximity to the World Trade Center , 2003 .

[10]  Yaacov Trope,et al.  Temporal construal. , 2003, Psychological review.

[11]  Dennis S. Mileti,et al.  An Examination of the Effect of Perceived Risk on Preparedness Behavior , 2013 .

[12]  Ming-Chou Ho,et al.  How Do Disaster Characteristics Influence Risk Perception? , 2008, Risk analysis : an official publication of the Society for Risk Analysis.

[13]  H. Raghav Rao,et al.  On risk, convenience, and Internet shopping behavior , 2000, CACM.

[14]  P. Slovic,et al.  The Role of Affect and Worldviews as Orienting Dispositions in the Perception and Acceptance of Nuclear Power1 , 1996 .

[15]  L. Cameron,et al.  Risk-Taking Behavior in the Wake of Natural Disasters , 2013, The Journal of Human Resources.

[16]  Heather Rosoff,et al.  Heuristics and biases in cyber security dilemmas , 2013, Environment Systems and Decisions.

[17]  Mark S. Ackerman,et al.  Privacy in e-commerce: examining user scenarios and privacy preferences , 1999, EC '99.

[18]  Sue-Huei Chen,et al.  Perception of Earthquake Risk in Taiwan: Effects of Gender and Past Earthquake Experience , 2012, Risk analysis : an official publication of the Society for Risk Analysis.

[19]  Lauren I. Labrecque,et al.  Toward an Understanding of the Online Consumer's Risky Behavior and Protection Practices , 2009 .

[20]  Lionel Larqué Young People and Science , 2009 .

[21]  Melissa L. Finucane,et al.  Risk as Analysis and Risk as Feelings: Some Thoughts about Affect, Reason, Risk, and Rationality , 2004, Risk analysis : an official publication of the Society for Risk Analysis.

[22]  Nick Nykodym,et al.  Criminal profiling and insider cyber crime , 2005, Digit. Investig..

[23]  D. Watson,et al.  Development and validation of brief measures of positive and negative affect: the PANAS scales. , 1988, Journal of personality and social psychology.

[24]  Y. Trope,et al.  Construal Levels and Psychological Distance: Effects on Representation, Prediction, Evaluation, and Behavior. , 2007, Journal of consumer psychology : the official journal of the Society for Consumer Psychology.

[25]  P. Slovic,et al.  FACTS AND FEARS: UNDERSTANDING PERCEIVED RISK.: P/3 , 1980 .

[26]  Ellen Garbarino,et al.  GENDER DIFFERENCES IN THE PERCEIVED RISK OF BUYING ONLINE AND THE EFFECTS OF RECEIVING A SITE RECOMMENDATION , 2004 .

[27]  B. Fischhoff,et al.  Facts and Fears: Understanding Perceived Risk , 2005 .

[28]  B. Fischhoff,et al.  Behavioral decision theory perspectives on risk and safety , 1984 .

[29]  Heather Rosoff,et al.  Should I stay or should I go? An experimental study of health and economic government policies following a severe biological agent release , 2013, Environment Systems & Decisions.

[30]  B E Sabey,et al.  PERCEPTION OF RISK , 1982 .

[31]  H. Raghav Rao,et al.  A trust-based consumer decision-making model in electronic commerce: The role of trust, perceived risk, and their antecedents , 2008, Decis. Support Syst..

[32]  Tejaswini Herath,et al.  Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness , 2009, Decis. Support Syst..

[33]  Charles Vlek,et al.  Rational and personal aspects of risk , 1980 .

[34]  Ming-Chi Lee,et al.  Factors influencing the adoption of internet banking: An integration of TAM and TPB with perceived risk and perceived benefit , 2009, Electron. Commer. Res. Appl..

[35]  F. Norris,et al.  Community Resilience as a Metaphor, Theory, Set of Capacities, and Strategy for Disaster Readiness , 2008, American journal of community psychology.

[36]  Y. Trope,et al.  Construal-level theory of psychological distance. , 2010, Psychological review.

[37]  Bradford W Reyns,et al.  Fear of Crime Online? Examining the Effect of Risk, Previous Victimization, and Exposure on Fear of Online Interpersonal Victimization , 2013 .