The threat and impact of cybersecurity breaches are felt throughout society, with massive financial losses to businesses and breaches of national secrets. Human behavior is increasingly seen as a fundamental security vulnerability that is at the center of many security breaches. Several approaches have been used to improve user security behavior, including enacting information security policies, providing security awareness training, and introducing penalties for security violations; these approaches have not been very effective. In this research, we influence human security decision analysis through direct financial incentives and behavioral interventions, such that the decision analysis aligns with economic rationality.
The dominant theoretical frameworks used by researchers to improve information security are Protection Motivation Theory and Deterrence Theory. These theories suggest that users make rational security decisions by cognitively weighing the relative gains and losses associated with their choices within a decision calculus. They assume that users will respond rationally to perceived security threats in the environment and to sanctions imposed on noncompliance. Users are expected to internally regulate their behavior based on an understanding of security threats and the consequences of risky behavior; however, in the course of daily activities, users often minimize the risks associated with their behavior and may rationalize noncompliant behavior by perceiving that the costs of compliance outweigh the benefits. We seek to improve security compliance by changing the user's security decision calculus. Drawing on principles of behavioral economics, we use extrinsic rewards (i.e., financial incentives) to initiate compliance, and psychological manipulations (nudges) to promote ongoing internal regulation of security behavior, such that users sustain secure behaviors when external incentives are no longer in place. The multidisciplinary nature of this work enhances understanding of many information security issues and provides a fresh perspective for research on behavioral security and security economics.