What can health teach us about security awareness?

Add to my custom PDF

Cyber-victimization preventive behavior: A health belief model approach

People using the internet for their own personal reasons are largely left to fend for themselves. Although they might be aware of the risks, they don’t always act consistently to protect themselves.

Dodel and Mesch examined whether knowledge from long-established work in health awareness could inform cybersecurity awareness campaigns. Health behavior models are considered some of the most developed for understanding reactions to threats both in the physical world and online. These theories argue that a small number of beliefs and attitudes are the best indicators of preventive behavior. People could be considered to be rational decision makers, who weigh the potential costs and benefits of taking precautions. However, they do so imperfectly as they may act on outdated or false information and beliefs. The Health Belief Model (HBM) considers the perceptions people have about threats and their expectations when investigating their precautionary activities. The perception of threats is a complicated set of beliefs about the likelihood and harm from an event. The perceived severity of an event is feelings created by the thought of the threat and its difficulties. Precautionary behaviours are judged based on the apparent benefits in reducing their susceptibility to the threat. Regardless of the perceived effectiveness of an action it may still seem expensive, inconvenient or unpleasant. This is also considered along with other perceived barriers such as secondary effects. The willingness to act can be influenced by the confidence or belief in one’s own abilities to engage in the protective behavior. It can also by triggered by external cues such as advice or public awareness campaigns, and internal cues such as previous experience with the issue.

Data were collected as part of a larger a national sample of Israeli adults collected in October 2014, totaling 1850 completed interviews. The survey participants were asked about the actions they believed they could take to protect themselves on the internet, whether they had installed and use anti-virus software, their opinion about the risk of getting a virus and their experience with security incidents (e.g. account breach). They were also asked about their awareness of the consequences of a breach and their opinion about their ability to protect themselves.

The results of the survey indicated that peoples' beliefs about digital threats are better predictors of anti-virus preventive behaviors than socio-demographic characteristics or their amount of Internet use. Peoples' expectations about the outcome of a security activity and their opinion about their own ability were also linked to them taking precautions.

The results suggest that methods other than awareness messaging focusing on compliance to avoid threats could be beneficial. Fear-based messages underscore the susceptibility of people to cyber-attacks and the seriousness of the consequences, which could undermine their belief in their ability to protect themselves. Campaigns that reduce perceived barriers to digital safety-related behaviors and which strengthen beliefs in the effectiveness of anti-malware software seem to be clear and cost-efficient policy measures to increase engagement in cyber-safety.

Fear-based messages could turn people off of cyber safety behaviour. Campaigns that reduce perceived barriers and strengthen beliefs in the effectiveness of security software could be more effective.