Exploring the Effects of Cybersecurity Awareness and Decision-Making Under Risk


O. Braun, J. Hörnemann, M. Große-Kampmann, Norbert Pohlmann (Institut für Internet-Sicherheit), T. Urban: "Exploring the Effects of Cybersecurity Awareness and Decision-Making Under Risk", The 6th International Conference on Science of Cyber Security – SciSec 2024, Copenhagen


Abstract
This paper challenges the conventional assumption in cybersecurity that users act as rational actors. Despite numerous technical solutions, awareness campaigns, and organizational strategies aimed at bolstering cybersecurity, these often overlook the prevalence of nonrational user behavior. Our study, involving a survey of 208 participants, empirically demonstrates this aspect. We found that a significant portion of users (55.3%) would accept a substantial risk (35%) to click on a potentially malicious link or attachment. This propensity increases to 61% when users are led to believe there is a 65% chance of facing no adverse consequences. To address this irrationality, we explored the efficacy of nudging mechanisms within email systems. Our qualitative user study revealed that incorporating a simple colored nudge in the email inbox can notably enhance the ability of users to discern malicious emails, improving decision-making accuracy by an average of 10%.

Keywords: Economics of Cybersecurity · User Behavior · Behavioral Economics.

1 Introduction
Threats to internet-facing users and systems are manifold; ransomware, spam, fraud, and malware delivery are just a few of them. Email as a delivery vector is an especially serious threat to users and organizations. Human users are often emphasized and framed as the last line of defense, yet little is known about the economics of decision-making in cybersecurity. Malicious actors use different delivery vectors for various kinds of illicit activities, ranging from stealing data and compromising single machines to compromising whole networks and the privacy of victims. The victims do not recognize that they are victims of fraud because the attack is deceptive. Thus, building awareness among users is essential when protecting modern information systems. This paper aims to understand how decisions under risk are made and how awareness measures help users improve these decisions. We do this using an online survey in which 208 participants took part. Furthermore, we wanted to understand how users perceive a warning marker. Therefore, we conducted a qualitative user study asking 31 participants to determine whether a mail is malicious or legitimate. We used a simple color nudge during our experiment to evaluate the effectiveness of this approach and whether it changed the participants' detection capabilities. Our results show that participants perform better at email classification if they are nudged in their inbox, and that emails that were misclassified, whether as false negatives or false positives, were subsequently classified correctly.

In summary, we make the following contributions:

  • To the best of our knowledge, this is the first work to empirically analyze behavioral economics in cybersecurity with a focus on decision-making under risk and stress.
  • We show that ‘stress’ affects the chances that users might click on malicious emails and that awareness measures help users perceive themselves or their organization as more secure.
  • We empirically show that more than half of our surveyed users would take a risk in clicking a potentially malicious link or attachment, and if they are framed to believe there is a chance that nothing will happen, the share of risk-takers rises.
  • We conducted an experiment with a follow-up survey that shows that placing nudges in email inboxes helps users decide if an email is malicious or legitimate. It also seems to raise their confidence in their detection capabilities.

2 Background
Before we describe our approaches to determine the effects of cybersecurity awareness and decision-making under risk, we briefly provide the background information necessary to follow our methods.

2.1 Human User
Several papers describe the users of information processing systems as the weakest link, and human-centered cybersecurity is receiving more and more attention nowadays. Cybersecurity decision-making is similar to other kinds of decision-making, but cybersecurity decisions have distinctly different features. Security and risk are intangible concepts in themselves, and in the cyber domain they are especially invisible to users. As Schneier states: "Security is both a feeling and a reality. And they are not the same". For example, the presence of a TLS warning is often not enough to stop users from visiting a website anyway.
Human Behavior and its Economics. Behavioral Economics is the combination of psychology and economics. It takes human limitations and complications into account and determines what happens if these humans make decisions within a market.
