This report presents the results of a study conducted to improve understanding of cyber security risk preferences by leveraging past research on public health risk preferences. Cyber security shares many similarities with public health: in cyberspace, the insecurity of individual Internet users that often permits distributed attacks to occur is analogous to populations of sick individuals that facilitate infectious disease transmission due to poor public health practices. Because individuals’ insecure computers can be turned into bots that spread attacks and vulnerabilities, much like an infectious disease epidemic, developing a baseline of individual risk perceptions will help to improve understanding of individuals’ views of the risks to themselves and to society from cyber security threats.
Building on a public health framework, vaccines were identified as a prevention measure that has many similarities to the antimalware software used to help prevent successful cyber threats, and public health research on individual perceptions of threats and related preventative measures was assessed. Using the public health framework, the results and data analysis in this report focus on how experience with antimalware, exposure to malware, and general risk aversion might influence which costs and benefits most affect the utility that individuals derive from antimalware software.
As in public health, such information can be used to inform both private companies developing cyber security products and services and government agencies designing policy and regulatory strategies for improving cyber security.
The inadequacy of U.S. small and medium-size businesses’ cyber security poses a great risk to these businesses and to all U.S. organizations and individuals. To test strategies for improving the level of cyber security maintained by small and medium businesses in the United States, RTI International and Applied Research Associates (ARA) launched the Cyber Test Bed project to develop a framework for identifying and testing best practices in cyber security specifically targeted at small and mid-size businesses.
The Cyber Test Bed project was a case study analysis of how a set of interventions, including threat analysis, best practices sharing, and executive and staff training events, would impact a group of nine small and mid-size businesses in North Carolina over the course of one year. Pre- and post-Test Bed interviews were conducted with company officials to establish a baseline and evaluate the impact of the Test Bed experience. After the Cyber Test Bed experience, decision makers at these companies indicated an increase in their perceptions of the risk of cyber attacks and an increase in their knowledge of possible solutions. Companies also reported that the Test Bed led them to spend more time on cyber security and made them more willing to spend company funds on cyber security in the future. Over three-fourths of these officials perceived a benefit from the Test Bed, as indicated by a willingness to pay for this experience.
While stereotypes portray millennials as risk-seeking and blithely unaware of threats to and policies regarding cybersecurity, the Millennial Cybersecurity Project demonstrated that digitally mediated interventions can both reinforce positive identification of phishing emails and reduce associated risky behaviors. Millennials who experienced real-time feedback about their skill at identifying phishing emails and who received best-practice phishing “strategies” from avatars improved their ability to identify suspicious emails from low- and medium-trust senders. Millennials, however, consistently overlooked standard clues in phishing emails from high-trust senders. Risky behaviors regarding password creation and use were also reduced after online interventions. The first intervention provided real-time feedback about password “strength”, while the second supplemented feedback about password strength with a password “strategy” that encoded best practices for password creation; both were delivered by a personalized avatar. Both interventions achieved reductions in risky behaviors related to password strength, suggesting that awareness and behavioral training programs that integrate real-time, online interactions with students about their cyber behaviors are worth fuller experimentation and development.
Strong evidence indicates that employees are a major threat to the security of an organization’s information resources. It is, therefore, imperative to understand the factors that promote compliant and non-compliant cybersecurity behaviors. Appropriate cybersecurity designs, especially within the workplace, should be based on and informed by a deep understanding of insider psychological profiles. This research project identifies individual personality traits that shape cybersecurity policy violation intentions. The results demonstrate that individuals react to cyber threats and deterrents in different ways and that their personality affects the way they approach compliance with cybersecurity policies. Therefore, security education, training and awareness programs should reflect these differences and provide appropriate training protocols to each individual trainee. Rather than utilizing a one-size-fits-all training approach, organizations should provide cybersecurity training and other persuasive messages that are customized to address the unique elements of employees’ personalities.
Link to Research Summary (“One Size Doesn’t Fit all: Cybersecurity Training Should be Customized”)
Link to Research Brief (“The Role of Situational Factors and Personality on Cybersecurity Policy Violation”)
Link to Final Report (“Exploring the Role of Individual Employee Characteristics and Personality on Employee Compliance with Cybersecurity Policies”)
This study aims to assess whether a market structure exists for Internet Service Providers (ISPs) to provide additional security to their customers. Currently, home Internet users invest too little in security from a social perspective because they do not bear all of the costs of an insecure computer—other users (individuals and organizations) are hurt by attacks that originate from insecure home computers. ISPs are in an optimal position to cost-effectively provide additional security to these home users. We will use novel approaches to estimate both the demand for and costs (supply) of a variety of ISP-based solutions aimed at improving the current ineffective security paradigm.