Values and Cyber Security
Despite all of the technological advances, cyber security is to a large extent determined by the behavior of the end-users. The integrity of the network depends on the willingness of the users to adhere to security guidelines. Increasing awareness of security threats and the steps that should be taken to avoid them is an important factor. However, increased awareness is not sufficient to ensure safe behavior. People often behave in ways that expose them to the risk of undesirable consequences even when they are well aware of these consequences (unhealthy eating habits, unsafe driving practices, etc.). Thus, a different approach is needed to identify factors that increase the willingness of end-users to adopt safe behavior.
We will apply the vast knowledge accrued on personal values for this purpose. Personal values are cognitive representations of abstract, desirable motivational goals that guide the way individuals select actions, evaluate people and events, and explain their actions and evaluations. They are a core aspect of people’s identity, and serve as standards or criteria that provide social justification for choices and behaviors across situations. Values are recognized as important psychological constructs, because, as guiding principles in people’s lives, they are hypothesized to have wide-ranging effects. Lately, the effects of personal values on preferences, choices and behaviors have evoked much interest.
Behavior that is inconsistent with cyber security is usually not malicious, and not random. It serves to attain important motivations. Informing users that a specific practice is unsafe is only useful to the extent to which the primary motivation of the users is to obtain safety. But safety is rarely the core motivation of end-users.
A first step in a program of research aimed at changing the behavior of end-users is to identify the values that are associated with behavior that breaches security. For example, sharing intimate information is consistent with social connectedness (the motivation captured by self-transcendence values), and sharing information about one's success is consistent with self-enhancement values.
To examine whether user values affect network security, we will conduct empirical studies in laboratory settings. Participants will be 300 university students and staff. Participants will first answer the “Schwartz values” questionnaire. This will give us quantitative measures of the importance of each value. In this survey, we will also measure relevant personality traits (impulsivity) and computer experience.
We will then expose users to several computerized "in basket" email tasks. Some of the emails will be legitimate, while some will be phishing attempts. Participants will be instructed that they will need to distinguish between legitimate emails (whose content needs to be addressed), spam emails (which can be deleted) and phishing attempts (which should be put in a separate folder). They will be compensated according to their accuracy, thus creating an incentive to correctly identify each type of message. We will give the users a relatively full 'inbox' in order to simulate the real world, in which employees often must rapidly deal with a large number of emails. In order to simulate time pressures, some participants will have a time limit to complete the tasks, while others will not have a time limit. Users will randomly be assigned to one of the two categories.
Some of the phishing attempts will be specifically related to different values; e.g., seeking help is related to altruistic values. The order of the email tasks will be randomized across participants. It may be that people with different values fall prey to specific types of phishing attempts, or it may be that people with certain types of values (perhaps altruistic ones) are more likely to fall prey to phishing attempts in general. Our empirical work will be able to examine both of these hypotheses.