Abstract
Interest in the individual differences underlying end user computer security behavior has led to the development of a multidisciplinary field of research known as behavioral information security. An important gap in knowledge and the motivation for this research is the development of ways to measure secure and insecure cyber behavior for research and eventually practice. Here we report a study designed to develop a technique for assessing secure and insecure cyber behavior for broad research use. The Susceptibility and Resilience to Cyber Threat (SRCT) is an immersive scenario decision program. The SRCT measures susceptibility to cyber threat and malicious behavior as well protective resilience actions via participant responses/decisions to emails, interactions with security dialogs, and computer actions in a real-world simulation. Data were collected from a sample of 190 adults (76.3% female), between the ages of 18–61 (mean age = 26.12). Personality, behavioral tendencies, and cognitive preferences were measured with standard previously validated protocols and self-report measures. Factor analysis suggested a 5 item secure actions scale and a 9 item insecure actions scale as viable to extract from the SRCT responses. Statistically analyzable distributions of secure and insecure cyber behaviors were obtained, and these subscales demonstrated acceptable internal consistency as hypothesized. Associations between SRCT scales and other indices of cyber behavior, as well as self-reported personality, were lower than predicted, suggesting that past research reporting links between self-reports of personality and self-reported cyber-behavior may be overestimating the links for actual cyber actions. However, our exploratory analyses suggest discrepancies between self-report and actions in the SRCT may be an interesting avenue to explore. Overall, results were consistent with theorizing and suggest the technique is viable as a construct measure in future research or as an outcome variable in experimental intervention designs.
Highlights
The need for multifaceted cybersecurity efforts in academic, government, and business communities have resulted in calls for greater understanding of personality, behavioral, and cognitive factors in secure computing behavior [1,2,3,4]
Interest in the individual differences underlying end user computer security behavior has led to the development of a multidisciplinary field of research known as behavioral information security (BIS)
While personal computer and network protection systems can defend against external cyber threats, most organizations still depend on the end user to engage in secure computing practices to minimize vulnerability [9]
Summary
The need for multifaceted cybersecurity efforts in academic, government, and business communities have resulted in calls for greater understanding of personality, behavioral, and cognitive factors in secure computing behavior [1,2,3,4]. While personal computer and network protection systems can defend against external cyber threats, most organizations still depend on the end user to engage in secure computing practices to minimize vulnerability [9]. Internal threats to network/organization security can occur when a user passively (or inadvertently) fails to abide by organizational (or best practice) security procedures or actively attempts to thwart security (i.e., insider attack). Such internal threats are theoretically related to behavior, cognitive styles, or personality traits of system users. Development of a conceptual definition of cyber secure/insecure behavior of system users is a first step in designing the measurement of constructs in psychological science (i.e., defining what should be measured). An individual’s secure or insecure cyber behavior would constitute actions that promote or disrupt this ability to protect or defend
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
