Individual Differences on Conservative and Risky Behaviors about Information Security

Year 2021, Volume: 14 Issue: 2, 161 - 170, 30.04.2021

Onur Ceran , Serçin Karataş

https://doi.org/10.17671/gazibtd.697555

Abstract

In order to provide information security; hardware and software solutions are widely used; research and development endeavors increases day by day and huge amounts of investments are made. However, these attempts still cannot stop information systems’ to be compromised because of the holes in the human firewall caused by vulnerable behaviors of individuals. Even though individuals have knowledge about information security, they do not always show appropriate behavior. Hence information security is not a problem that can only be solved with technological solutions. As being the weakest link, human behavior on information security needs to be evaluated and assessed. With this study it was aimed to examine the relationship between conservative and risky behaviors of individuals about information security and individual differences which are demographics, internet usage routines, personality, risk perception and exposure to offense. Behaviors and individual difference variables were examined via a survey of 619 participants who were invited through social media platforms. Multiple linear regression analysis conducted and one linear model was created in order to calculate the amount of change on conservative and risky behaviors caused by independent variables. While level of education, age, duration of being an internet user, time spent on the internet, agreeableness, neuroticism, openness, exposure to offence and risk perception variables were found as significant predictors for risky behaviors; time spent on the internet, agreeableness, conscientiousness and openness variables were found to be the significant predictors for conservative behaviors. The results of the study can be used either by organizations or educational institutes for developing personalized and adaptive training programs or for creating preventive strategies.

Keywords

individual differences, information security, risky and conservative behavior, personality, exposure to offence, risk perception

Bilgi Güvenliği Konusunda Korumacı ve Riskli Davranışlarda Bireysel Farklılıklar

Abstract

Bilgi güvenliği konusunda donanımsal ve yazılımsal çözümler geniş bir şekilde kullanılmakta, araştırma ve geliştirme çabaları gün ve gün artmakta ve bu konuda büyük miktarda yatırımlar yapılmaktadır. Ancak, bireylerin zarar göremeye eğilimli davranışlarının sebep olduğu hatalardan dolayı, bu uğraşlar bilişim sistemlerinin güvenliğinin aşılmasına hala engel olamamaktadır. Bireyler bilgi güvenliği konusunda yeterli bilgileri olsa dahi bu bilgiyi her zaman davranışa dönüştürememektedirler. Bu sebeple bilgi güvenliği sadece teknolojik çözümler ile üstesinden gelinebilecek bir problem değildir. Bilgi güvenliği konusunda zincirin en zayıf halkası olarak kabul edilen insan davranışları da değerlendirilerek bu yöndeki çalışmalara dâhil edilmelidir. Bu çalışma ile bireylerin bilgi güvenliği konusunda sergilediği riskli ve korumacı davranışlar ile demografik, internet kullanım alışkanlıkları, kişilik, tehlike algısı ve suça maruz kalmadan oluşan bireysel farklılıkları arasındaki ilişki incelenmeye çalışılmıştır. Davranış ve bireysel farklılıklar sosyal medya platformları üzerinden davet edilen 619 kişinin katıldığı bir anket kullanılarak incelenmiştir. Çoklu lineer regresyon analizinin kullanılarak lineer bir modelin oluşturulması ile bireysel farklılıklar olan bağımsız değişkenlerin riski ve korumacı davranışlar üzerindeki meydana getirdiği değişimin boyutu hesaplanmıştır. Buna göre eğitim düzeyi, yaş, internet kullanım yılı, internette geçirilen zaman, uyumluluk, nevrotizm, gelişime açıklık, suça maruziyet durumu ve tehlike algısı riskli davranışları; internette geçirilen zaman, uyumluluk, özdenetim ve gelişime açıklık korumacı davranışları etkileyen önemli değişkenler olarak bulunmuştur. Çalışmanın sonuçları organizasyonların veya eğitim birimlerinin kişiselleştirilmiş ve uyarlanabilir eğitim programları geliştirmeleri için kullanılabileceği gibi bu sonuçlardan önleyici stratejiler oluşturmak için de faydalanılabilir.

Keywords

bireysel farklılıklar, bilgi güvenliği, riskli ve korumacı davranışlar, kişilik, suça maruz kalma, tehlike algısı

References

• R. Sarre, L. Y.-C. Lau, and L. Y. Chang, “Responding to cybercrime: current trends”, Taylor & Francis, 19(6), 515-518, 2018.
• H. Berger and A. Jones, “Cyber Security & Ethical Hacking For SMEs”, 11th International Knowledge Management in Organizations Conference on The changing face of Knowledge Management Impacting Society, 2016.
• T. N. Jagatic, N. A. Johnson, M. Jakobsson, and F. Menczer, “Social phishing”, Communications of the ACM, 50(10), 94–100, 2007.
• K. Krombholz, H. Hobel, M. Huber, and E. Weippl, “Advanced social engineering attacks”, Journal of Information Security and applications, 22, 113–122, 2015.
• B. Krishnamurthy and C. E. Wills, “On the leakage of personally identifiable information via online social networks”, 2nd ACM workshop on Online social networks, Barcelona, Spain, 2009.
• Thomas, K., Huang, D., Wang, D., Bursztein, E., Grier, C., Holt, T.J., Kruegel, C., McCoy, D., Savage, S. and Vigna, G., “Framing dependencies introduced by underground commoditization”, 2015.
• K. D. Mitnick, W. L. Simon, The art of intrusion: the real stories behind the exploits of hackers, intruders and deceivers, John Wiley & Sons, 2009.
• B. Filkins, “IT Security Spending Trends”, SANS, 2016.
• M. Levi, “Assessing the trends, scale and nature of economic cybercrimes: overview and issues”, Crime, Law and Social Change, 67(1), 3–20, 2017.
• M. Gorham, Internet Crime Report, Internet Crime Complaint Center, FBI National Press Office, Annual (202) 324- 3691, 2018.
• S. Lineberry, “The human element: The weakest link in information security”, Journal of Accountancy, 204(5), 44, 2007.
• A. AlHogail, “Design and validation of information security culture framework”, Computers in Human Behavior, 49, 567–575, 2015.
• S. Morgan, 2019 Official Annual Cybercrime Report, Herjavec, 2019. D. Trček, R. Trobec, N. Pavešić, and J. F. Tasič, “Information systems security and human behaviour”, Behaviour & Information Technology, 26(2), 113–118, 2007.
• D.-E. Neghina and E. Scarlat, “Managing information technology security in the context of cybercrime trends”, International journal of computers communications & control, 8(1), 97–104, 2013.
• J. Zhang, B. J. Reithel, H. Li, “Impact of perceived technical protection on security behaviors”, Information Management & Computer Security, 2009.
• R. Ayyagari, “An exploratory analysis of data breaches from 2005-2011: Trends and insights”, Journal of Information Privacy and Security, 8(2), 33–56, 2012.
• S. Egelman, E. Peer, “Scaling the security wall: Developing a security behavior intentions scale (sebis)”, 33rd Annual ACM Conference on Human Factors in Computing Systems, 2873–2882, 2015.
• K. Parsons, A. McCormac, M. Butavicius, M. Pattinson, C. Jerram, “Determining employee awareness using the human aspects of information security questionnaire (HAIS-Q)”, computers & security, 42, 165–176, 2014.
• M. Dodel, G. Mesch, “Cyber-victimization preventive behavior: A health belief model approach”, Computers in Human behavior, 68, 359–367, 2017.
• J. Shropshire, M. Warkentin, S. Sharma, “Personality, attitudes, and intentions: Predicting initial adoption of information security behavior”, computers & security, 49, 177–191, 2015.
• T. Halevi, J. Lewis, N. Memon, “A pilot study of cyber security and privacy related behavior and personality traits”, 22nd International Conference on World Wide Web, 737–744, 2013.
• N. Hajli, X. Lin, “Exploring the security of information sharing on social networking sites: The role of perceived control of information”, Journal of Business Ethics, 133(1), 111–123, 2016.
• B. Yucedal, “Victimization in cyberspace: An application of Routine Activity and Lifestyle Exposure theories”, Doctoral Dissertation, Kent State University, 2010.
• M. L. Ybarra, K. J. Mitchell, D. Finkelhor, J. Wolak, “Internet prevention messages: Targeting the right online behaviors”, Archives of Pediatrics & Adolescent Medicine, 161(2), 138–145, 2007.
• N. Nicholson, E. Soane, M. Fenton‐O’Creevy, P. Willman, “Personality and domain‐specific risk taking”, Journal of Risk Research, 8(2), 157–176, 2005.
• J. Bejtkovský, “The current generations: the baby boomers, x, y and z in the context of human capital management of the 21st century in selected corporations in the Czech Republic”, Littera scripta, 9(2), 25–45, 2016.
• O. Adıgüzel, H. Z. Batur, N. Ekşili, “Kuşakların değişen yüzü ve Y kuşağı ile ortaya çıkan yeni çalışma tarzı: Mobil yakalılar”, Süleyman Demirel Üniversitesi Sosyal Bilimler Enstitüsü Dergisi, 1(19), 165–182, 2014.
• G. Öğütçü, Ö. M. Testik, and O. Chouseinoglou, “Analysis of personal information security behavior and awareness”, Computers & Security, 56, 83–93, 2016.
• Öğütçü, “E-Dönüşüm Sürecinde Kişisel Bilişim Güvenliği Davranışı ve Farkındalığı Analizi”, Master Thesis, Başkent University, 2010.
• O. P. John and S. Srivastava, “The Big Five trait taxonomy: History, measurement, and theoretical perspectives”, Handbook of personality: Theory and research, 2(1999), 102– 138, 1999.
• Internet: Sümer, H. C. Sümer, Beş faktör kişilik özellikleri ölçeği https://scholar. google.com.tr, 10.05.2020.
• D. P. Schmitt, J. Allik, R. R. McCrae, V. Benet-Martínez, “The geographic distribution of Big Five personality traits: Patterns and profiles of human self-description across 56 nations”, Journal of cross-cultural psychology, 38(2), 173–212, 2007.
• N. Sümer, T. Lajunen, T. Özkan, “Big five personality traits as the distal predictors of road accident”, Traffic and transport psychology: Theory and application, 215, 215–227, 2005.
• TUİK, “Hanehalkı Bilişim Teknolojileri Kullanım Araştırması”, 2016.
• S. Sheng, M. Holbrook, P. Kumaraguru, L. F. Cranor, J. Downs, “Who falls for phish? A demographic analysis of phishing susceptibility and effectiveness of interventions”, SIGCHI Conference on Human Factors in Computing Systems, 373–382, 2010.
• M. Whitty, J. Doodson, S. Creese, D. Hodges, “Individual differences in cyber security behaviors: an examination of who is sharing passwords”, Cyberpsychology, Behavior, and Social Networking, 18(1), 3–7, 2015.
• T. Zukowski, I. Brown, “Examining the influence of demographic factors on internet users’ information privacy concerns”, 2007 annual research conference of the South African institute of computer scientists and information technologists on IT research in developing countries, 197–204, 2007.
• F. B. Fatokun, S. Hamid, A. Norman, J. O. Fatokun, “The Impact of Age, Gender, and Educational level on the Cybersecurity Behaviors of Tertiary Institution Students: An Empirical investigation on Malaysian Universities”, Journal of Physics: Conference Series, 1339, 2019.
• M. Anwar, W. He, I. Ash, X. Yuan, L. Li, L. Xu, “Gender difference and employees’ cybersecurity behaviors”, Computers in Human Behavior, 69, 437–443, 2017.
• A. McCormac, T. Zwaans, K. Parsons, D. Calic, M. Butavicius, and M. Pattinson, “Individual differences and information security awareness”, Computers in Human Behavior, 69, 151–156, 2017.
• T. Govani and H. Pashley, “Student awareness of the privacy implications when using Facebook,” Unpublished paper presented at the “Privacy poster fair” at the Carnegie Mellon university school of library and information science, 9, 1–17, 2005.
• B. Debatin, J. P. Lovejoy, A.-K. Horn, B. N. Hughes, “Facebook and online privacy: Attitudes, behaviors, and unintended consequences”, Journal of computer-mediated communication, 15(1), 83–108, 2009.
• K. Parsons, D. Calic, M. Pattinson, M. Butavicius, A. McCormac, T. Zwaans, “The human aspects of information security questionnaire (HAIS-Q): two further validation studies”, Computers & Security, 66, 40–51, 2017.
• M. Warkentin, M. McBride, L. Carter, A. Johnston, “The role of individual characteristics on insider abuse intentions”, AMCIS, 2012.
• M. Alohali, N. Clarke, F. Li, S. Furnell, “Identifying and predicting the factors affecting end-users’ risk-taking behavior”, Information & Computer Security, 2018.
• C. Sumner, A. Byers, and M. Shearing, “Determining personality traits & privacy concerns from facebook activity”, Black Hat Briefings, 11(7), 197–221, 2011.
• D. Kelley, “Investigation of attitudes towards security behaviors”, McNair Research Journal SJSU, 14(1), 10, 2018.
• A. C. Johnston, M. Warkentin, M. McBride, L. Carter, “Dispositional and situational factors: influences on information security policy violations”, European Journal of Information Systems, 25(3), 231–251, 2016.
• M. Gratian, S. Bandi, M. Cukier, J. Dykstra, A. Ginther, “Correlating human traits and cyber security behavior intentions”, computers & security, 73, 345–358, 2018.
• M. L. Korzaan, K. T. Boswell, “The influence of personality traits and information privacy concerns on behavioral intentions”, Journal of Computer Information Systems, 48(4), 15– 24, 2008.
• B. Bulgurcu, H. Cavusoglu, I. Benbasat, “Information security policy compliance: an empirical study of rationality- based beliefs and information security awareness”, MIS quarterly, 34(3), 523–548, 2010.
• K. Wittebrood, P. Nieuwbeerta, “Criminal victimization during one’s life course: The effects of previous victimization and patterns of routine activities”, Journal of research in crime and delinquency, 37(1), 91–122, 2000.
• G. Dhillon, J. Backhouse, “Technical opinion: Information system security management in the new millennium,” Communications of the ACM, 43(7), 125–128, 2000.
• C. Vroom, R. Von Solms, “Towards information security behavioural compliance”, Computers & Security, 23(3), 191–198, 2004.
• W. R. Flores, M. Ekstedt, “Shaping intention to resist social engineering through transformational leadership, information security culture and awareness”, computers & Security, 59, 26–44, 2016.
• Z. Tan, R. Beuran, S. Hasegawa, W. Jiang, M. Zhao, and Y. Tan, “Adaptive security awareness training using linked open data datasets”, Education and Information Technologies, 25, 5235–5259, 2020.
• M. Pattinson et al., “Matching training to individual learning styles improves information security awareness”, Information & Computer Security, 2019.
• G. Hatzivasilis et al., “Modern Aspects of Cyber-Security Training and Continuous Adaptation of Programmes to Trainees”, Applied Sciences, 10(16), 5702, 2020.