Integrated User Behavioural Model
Sandeep Mittal, I.P.S.,*
It is globally realized that humans are the weakest link in cyber security to the extent that the dictum ‘users are the enemy’ has been debated over about two decades to understand the behavior of the user while dealing with cyber security issues.Attempts have been made to identify the user behavior through various theories in criminology to understand the motive and opportunities available to the user while he interacts with the computer system. In this article, the available literature on interaction of user with the computer system has been analyzed and an integrated model for user behavior in information system security has been proposed by the author. This integrated model could be used to devise a strategy to improve user’s behaviour by strengthening the factors that have a positive impact and reducing the factors that have a negative impact on information system security.
Most of the system security organizations work on the premise that the human factor is the weakest link in the security of computer systems, yet not much research has hitherto been undertaken to explore the scientific basis of these presumptions. The interaction between computers and humans is not a simple mechanism but is instead a complex interplay of social, psychological, technical and environmental factors operating in a continuum of organizational externality and internality.1 This article tries to examine various aspects of interaction between humans and computers with particular reference to the ‘users’.The taxonomy adopted for understanding who is actually a user is based on the available literature.It is also imperative to explore the following questions: Why do users behave the way they do? Is there a psychological basis for the specific behaviour of users during the human’ computer interaction, and if yes, how does it affect the security of the computer system?Various hypotheses and suggestions offered by different experts are thus being reviewed in order to identify ways to improve both user behaviour and the overall security of computer systems. The debate on this issue was initiated by an article entitled,’UsersAre Not the Enemy’2,where the authors studied the behaviour and perceptions of users relating to password systems, and challenged the conclusion drawn in a previous work3 (DeAlvare,1988 quoted in Adams and Sasse, 1999) that many password users do not comply with the password security rules because ‘users are inherently careless and therefore insecure’.
Adams and Sasse (1999) concluded that the possession of a large number of passwords by users prevents the latter from memorising all of them, thereby also compromising password security,that users are generally not aware of the concept of secure passwords, and that they also have insufficient information about security issues. The earlier perceptions of security managers were thus challenged and users were no longer seen as the ‘enemy’. Since then, a number of studies have been undertaken by researchers who have adopted either of these two positions, viz., ‘The user is the enemy’ or ‘The user is not the enemy’. In this article, we examine various hypotheses before taking either of these two positions.
Taxonomy of Users’ Behaviours
It has been found that the effectiveness of technology is impacted by the behaviour of human agents or users,who access, administer and maintain information system resources4. These users could be physically or virtually situated inside or outside the organisations,thus, bringing into interplay a range of environmental factors that influence their behaviour. Most of the organizations tend to be more concerned with threats from external users even though surveys conducted by professional bodies indicate that three- quarters of the security breaches in computer systems originate from within the user fraternity.5Therefore,it is necessary to foster a systematic understanding of the behaviour of users and how it impacts information security.In this context, researchers have developed taxonomy of the behaviour of information security end-users.6 This taxonomy of security behaviour, comprising of six elements, (as has been depicted in Figure 1) is dependent upon two factors, viz., intentionality and technical expertise. On the one hand, the intentionality dimension indicates whether a particular behaviour was intentionally malicious or beneficial, or whether there was no intent at all. The dimension of technical expertise, on the other hand, takes into consideration the degree of technological knowledge and skill required for the performance of a particular behaviour.
The taxonomy of end-user behaviour, as delineated in Figure 1, helps in classifying the raw data on users’ behaviours and also in selecting the paths that could be followed for improving the information security behaviour of a particular user within an organization.
Exploring ‘What the Users Do?’
A fundamental postulate is that the users’ behaviour is guided by the risk which they perceive to be associated with their interaction with the information system in everyday situations. However, research has revealed that users normally fail to take optimal or reasoned decisions about the risks concerning security of information systems. The decision-making process of users exhibits the following predictable characteristics, and thereby understanding them would be of great use in positively impacting the decision-making ability of users7:
- Users often do not consider themselves to be at risk.In fact, as the users increase
the security measures for their computer systems, they start indulging in more risky behaviours.
- Although users are not, by and large, imbecile or obtuse in their thinking, they
lack both the motivation and capacity to devote full attention to information processing, especially since they resort to multi-tasking, which prevents them from concentrating fully on a single task at a time.
- The concept of safety per se is unlikely to be a persuasive element in determining human behaviour, especially because the argument that safety prevents something bad from happening is a rather abstract one, and consequently, human beings do not perceive adherence to safety norms as a gain or a beneficial exercise.
- It has been observed, that adherence to safety and security norms does not always produce instant results. In fact, the results often come weeks or months later, if at all, which prevents human beings from immediately comprehending the positive outcomes of their actions, thereby making them complacent. The same delay in perception of outcomes is also evident in the case of negative actions. Thus, human beings realize the impact of their actions only when the results can be seen instantaneously, as in the case of disasters.
- Research on the association between the concepts of risk, losses and gains indicatethat ‘people are more likely to avoid risk when alternatives are presented as gains and take risks when alternatives are presented as losses. When evaluating a security decision, the negative consequences are potentially greater, but the probability is generally less and unknown. When there is a potential loss in a poor security decision as compared to the guaranteed loss of making a pro-security decision, the user may be inclined to take the risk’.8 This study, therefore, shows a strong likelihood of users gambling to offset a potential loss rather than accepting a guaranteed loss in toto. This observation is depicted in Figure 2 (West, 2008, adapted from Tversky and Kahneman, 1986).9
The author is tempted to undertake a detailed literature survey to study the influence of human factors on security of information systemsin order to gain an insight into the entire scenario. However, in view of the limited scope of the present article, the author is restricting himself to presenting only a summary of the important available literature on users’ behaviour vis-à-vis the information system security (Table 1), leaving it to the readers to probe the matter further.
Table 1: Summary of Research on Users’ Behaviour and Information System Security
|1.||Users’ Behaviour||a) There is a relation between end-user security behaviour and a combination of situational factors.
b) The various factors that are believed to influence security-related behaviour include the users’ perceptions of their own susceptibility and efficiency, and the possible benefits they are likely to derive from security.
c) It is extremely difficult to audit employee behaviour and the reasons thereof as individuals react differently in each situation, depending upon organizational culture.
|Stanton et al., 2004
Ng, Kankanhalli and Xu, 2009
Vroom and von
|2.||Familiarity with information security aspects||a) Shared knowledge about information security is important as it contributes towards bringing about a change in individual behaviour and eventually in an organization’s behaviour.
b) The following three factors have been identified as barriers to information
* General security awareness,
* Users’ computer skills, and
* Organizational budgets.
|Vroom and von Sloms, 2004
Shawet al., 2009
|3.||Awareness||The following factors have been identified among Users as three levels of security
* Perception re-use of potential security risks,
* Comprehensive know-how to perceive and interpret risks, and
* Prevention of the user.s ability to predict future situational events.
|Shawet al., 2009|
|4.||Organizational||In a positive work environment,users Environment understand their role in the complex information security system,which helps them improve their behaviour. An organization with a positive climate may influence the behaviour and commitment of users.||Shawet al., 2009.|
|5.||Work Conditions||Unsatisfactory and negative work conditions can contribute negatively to work. Tiredness and fatigue may also lead to failure to follow policies and procedures among users, thereby resulting in their disregarding information security.||Kellowayet al., 2010 .|
Unfolding Criminology Theories to Understand Users’ Behaviour
The theoretical foundation for several research models designed for studying users’ behavior has been provided by criminology theories. These theories have been categorized according to their focal concepts and aims, as enumerated in Table 2.10 As pointed out in the last column of Table 2, a number of researchers have tried to apply these criminology theories in isolation or in combination with each other to the information security system. These theories explain the behaviour of users as perceived by criminologists, most of whom have deep foundations in psychology.
Table 2: Criminology Theories, Concepts and Principles in Information Security (IS) Literature (afterTheoharidou , et al., 2005)
|Criminal theories||Focal concept||Basic Principles||Related Research within IS Security literature|
|General Deterrence Theory (GDT).
|A person commits a crime if the expected benefits outweight the cost of sanction.||(Goodhue and Straub, 1991)
(Straub and Welke, 1998).
|Social Bond Theory
|A person commits a crime if the social bonds of attachment, involvement and belief are weak.||(Lee and Lee, 2002),
(Lee et al., 2003)
|Social Learning Theory
(Sutherland, 1924 ,
quoted in Akers,2011)
|Motive||A person commits a crime if (s) he associates with delinquent peers, who transmit delinquent ideas, reinforce delinquency, and function as delinquent role models.||(Lee and Lee, 2002)
(Skinner and Fream, 1997)
|Theory of Planned Behavior (TPB)
(Ajzen and Fishbein,2000)
|A person’s intension towards crime is akey factor in predicting his/ her behavior. Intentions are shaped based on attitude, subjective norms and perceived behavioural control||(Lee and Lee, 2002)
|Situational Crime Prevention (SCP)
|Opportunity||A crime occurs when there is both motive and opportunity. Crime is reduced when no opportunities exist.||(Willison, 2000)|
Models of User Behaviour
Researchers have used theories used in general criminology and literature pertaining to interaction between humans and technology in information security systems for developing theoretical and research models to understand users’ behaviour. Figure 3 depicts an integrated model of this behaviour derived and designed by the present author from two research studies.11
The findings of these studies can be summarized as follows12:
- A constructive organizational environment has a positive impact on the responsible behaviour of users towards information security.
- Stressful work conditions would negatively impact the responsible behaviour of users towards information security.
- The adoption of responsible behaviour by users in terms of adhering to information security policies and procedures would negatively impact the vulnerabilities of users to information security breaches.
- Familiarity with information security policies and procedures among users would:
a)Positively impact their responsible behaviour towards information security;
b)Negatively impact their vulnerability to information security breaches; and c)Positively impact their awareness of potential information security threats.
- Awareness of potential information security threats among users would:
a)Positively impact their responsible behaviour towards information security; and
b)Negatively impact their vulnerability to information security breaches.
- Some of the key elements that play a vital role in users behaviour include gender, work experience, age, and educational qualifications.
- The intentions of users to follow security policies are determined by both internal and external motivating factors.
- The security behaviour of users is positively affected by both standard prescriptive beliefs as well as peer influences.
- The security-related behavioural intentions of users are positively impacted if detection is certain.
- The security-related behavioural intentions of users are negatively impacted if the prospective penalty for neglecting security is expected to be severe.
- The perceptions of users regarding compliance by others with security behaviour also play an important role in determining their own behaviour towards security.
- The vulnerability of users to any breaches in information security are inversely related to the compliance with security procedures among users. This implies that the stronger the users’ intention to adhere to security behaviour, the lower would be their vulnerability to any security failures.
While the element of technology remains constant during human’computer interaction, it is the human element which remains highly dynamic mainly due to the complexity of human behavior. Suggestions for the relevant implications of human behavioural science in improving cyber security are as follows13:
- The implication of the ‘Identifiable Victim’s Effect’ (the tendency of an individual to offer greater help when an identifiable person is observed in hardship as compared to a vaguely defined group in the same need) may lead a user to choose a stronger security system when possible negative outcomes are real and personal, rather than abstract. 14
- The ‘Elaboration Likelihood Model’ describes how human attitudes form and persist. There are two main routes to attitude change, viz., the central route (the logical, conscious and thoughtful route, resulting in a permanent change in attitude) and the peripheral route (that is, when people do not pay attention to persuasiv e arguments, and are instead in fluenced by superficial characteristics, and the change in their attitude is consequently temporary). Efforts should thus be made to motivate users to take the central route while receiving cyber security training and education. Fear can also be used to compel users to pay attention to security, but this would be effective only when the fear levels are moderate and simultaneously, a solution is also offered to the fear-inducing situation. The inducement of a strong fear, on the other hand, would lead to fight or flight reactions from users.15
- Cognitive Dissonance (a feeling of discomfort due to conflicting thoughts) acts as a powerful motivator by evoking the following reactions among users, making people react in the following three ways:
a)Change in their behaviour
b)Justification of their behaviour through a rejection of any conflicting attitude; or
c) Addition of new attitudes for justifying their behaviour.
- Cognitive dissonance is hence used to persuade users to change their attitude towards cyber security and then eventually adopt a behaviour that motivates them to choose better security.16
- Social Cognitive Theory stipulates that learning among people is based on two key elements—by watching others, or through the effect of their own personality. Thus, by incorporating the demographic elements of age, gender and ethnicity, one could initiate a cyber awareness campaign that would help reduce cyber risk by enabling the users to identify with their recognisable peers and thereby imitate the secure behaviour of the latter.17
- Status Quo Bias’the tendency of a person not to change an established behaviour without being offered a compelling incentive to do so’ necessitates the introduction of strong incentives for users to change their cyber behaviour. This can be exploited positively by information system designers.18
- The Prospect Theory helps us in framing user choices about cyber security by framing them as gains rather than losses.19
- Another factor to be considered is Optimism Bias, which leads users to under- estimate the security risk, thereby making them perceive that they are immune to cyber-attacks. In order to enable users to overcome this attitude, the security system could be designed to incorporate the real experiences of users for effectively conveying the impact of the risk.20
- 8. Control Bias or the belief among users that they have a strong control over or capacity to determine outcomes hinders people from following security measures. This bias should be kept in mind while designing systems and training programmes for users.21
- Confirmation Biaslooking for evidence to confirm a positionexposes the users minds to new ideas. In order to overcome this bias, the system must provide evidence to change their current beliefs (for example, regular security digests may be e-mailed to them).22
- While trying to improve the cyber behaviour of users, the Endowment Effect, wherein people place a higher value on the objects they own as compared to the objects they do not own, could be used. Users may thus be persuaded to pay more for security when it allows them to safely keep something that they already have (for example, the privacy of data).23
It is amply clear from the foregoing discussion that humancomputer interaction is not a simple process but is instead a complex and dynamic mechanism, characterized by the interplay of a large number of technological, human and environmental factors with each other in space and time. Being humans, users do not have the biological capacity to handle these numerous factors simultaneously in space and time, which is why they behave the way they do, thus, unintentionally or accidentally (and sometimes maliciously) compromising the information system security. In this way, users themselves become the enemy of information security, and are therefore categorized as the weakest link in the information security chain.
The most important and dynamic aspect of the interaction between humans and computers is the behaviour of the user, which varies in space and time. It is also influenced by psychological, intrinsic and extrinsic factors, which in turn, are governed by peer behaviour, normative beliefs, and social pressures, among other things. Therefore, the behaviour of the user is not solely dependent on the user himself, or we could say that he might have little control over his own behaviour while interacting with the security of information systems. The integrated model discussed in this article may thus be used to devise a strategy for improving the users’ behaviour by strengthening the factors that have a positive impact and reducing or even eliminating the factors that have a negative impact on the security of the information system security. However, this is a complex task and should not be considered as simple, as for instance, selling a non-durable consumer item like a soap!
1E.M. Luciano, M.A. Mahmood and A.C.G Maçada, ‘The Influence of Human Factors on Vulnerability to Information Security Breaches’, ‘Proceedings of the Sixteenth Americas Conference on Information Systems, Lima’, Peru, August, 2010, p. 12.
_Maada/file/e0b4952f0d76b267b1.pdf Accessed on 29 June 2014.
2A. Adams and A.M. Sasse, Users Are Not The enemy, Communications of the ACM, vol. 42, no. 12,1999,pp. 40-6.
3A. Adams and A.M. Sasse, Users Are Not the Enemy, Communications of the ACM, vol. 42, no. 12, 1999.
4C.Vroom and R.Von Solms,’Towards InformationSecurityBehaviouralCompliance’, Computers & Security,2004, vol. 23, no. 3, pp. 191-8.http://www.sciencedirect.com/science/article/pii/S016740480400032X Accessed on 2 July 2014.
5J.M.Stanton et al.,’Analysis of end user security behaviors’, Computers & Security,vol. 24, no. 2, 2005,pp.124-33.
6J.M. Stanton, et al. ‘Analysis of end user security behaviors’, Computers & Security, vol. 24, no. 2, 2005, pp.124-133.
7 R. West, ‘The psychology of security’, Communications of the ACM, vol. 51, no. 4, 2008, pp. 34-40.
8R. West, ‘The psychology of security’, Communications of the ACM, vol. 51, no. 4, 2008; R. West et al.,’The Weakest Link: A Psychological Perspective on Why’, Social and Human Elements of Information Security: Emerging Trends,2009.
9A. Tversky, and D. Kahneman,’Rational Choice and the Framing of Decisions’, Journal of Business, 1986, pp. S251-S278.
Accessed on 29 June 2014.
10M. Theoharidou et al., ‘The insider threat to information systems and the effectiveness of ISO17799’, Computers & Security, vol. 24, no. 6, 2005, pp. 472-84.
11D.L. Goodhue, & D.W. Straub, ‘Security Concerns of System Users: A Study of Perceptions of the Adequacy of Security’, Information & Management,vol. 20, no. 1, pp. 13-27 http://www.researchgate.net/profile/ Edimara_Mezzomo_Luciano/publication/260012210_Influence_of_human_factors_on_information_security_ breaches_-_Luciano_-_Mahmood_-_Maada/file/e0b4952f0d76b267b1.pdf ; T. Herath and R.H. Rao,
‘Protection motivation and deterrence: A framework for Security Policy Compliance in Organisations’, European Journal of Information Systems, vol. 18, no. 2, 2009, pp. 106-25.
13S.L. Pfleeger and D.D. Caputo,’Leveraging Behavioral Science to Mitigate Cyber Security Risk’, Computers & Security,vol. 31, no. 4, 2012, pp. 597-611.https://www.mitre.org/sites/default/files/pdf/12_0499.pdf Accessed on 1 July 2014.
14K. Jenni and G. Loewenstein, ‘Explaining the Identifiable victim Effect’, Journal of Risk and Uncertainty,1997, vol. 14, no. 3, pp. 235-57,https://www.mitre.org/sites/default/files/pdf/12_0499.pdf Accessed on 1 July 2014.
1515 R.E. Petty and J.T. Cacioppo, ‘The Elaboration Likelihood of Perusation’ https://www.mitre.org/sites/default/files/pdf/12_0499.pdf Accessed on 1 July 2014.
17 A. Bandura,’Human Agency in Social Cognitive Theory’,American psychologist, vol. 44, no. 9, 1989, p.1175. http://meagherlab.tamu.edu/M-Meagher/Health%20360/Psyc%20360%20articles/Psyc%20360%20Ch%203/self-efficacy.pdf
18 W.Samuelson and R. Zeckhauser, ‘Status Quo Bias in Decision Making’. http://www.hks.harvard.edu/fs/rzeckhau/status%20quo%20bias.pdf Accessed on 1 July 2014.
19A.Tversky and D. Kahneman,’Rational Choice and the Framing of Decisions’, Journal of Business,1986, pp. S251-S278.
Accessed on 29 June 2014.
20 D. Dunning, C. Heath and J.M.Suls, ‘Flawed Self-Assessment’,
http://heatherlench.com/wp-content/uploads/2008/07/dunning-heath.pdf Accessed on 1 July 2014.
21 J. Baron and J.C. Hershey,’Outcome Bias in Decision Evaluation’, Journal of Personality and Social Psychology,vol. 54, no. 4, 1988, p. 569. http://commonweb.unifr.ch/artsdean/pub/gestens/f/as/files/4660/21931_171009.pdf Accessed on 1 July 2014.
22 M. Lewika, ‘Confirmation Bias’, Personal Control in Action, Springer, 1998, pp. 233-58. http://link.springer.com/chapter/10.1007/978-1-4757-2901-6_9 Abstract accessed on 1 July 2014.
23 R.Thaler, ‘The Psychology of Choice and the Assumptions of Economics, Laboratory Experimentation in Economics, p. 99.http://library.fa.ru/files/Roth.pdf#page=109 Accessed on 1 July 2014.