1 Introduction

Security and privacy threats are common on the Internet. To reduce cyber security risks and protect users’ private information, mainstream browsers, such as Google Chrome, Safari, and Firefox, are working toward providing security warnings, security indicators, pop-up windows, and other types of warning systems when users are at risk of facing cyber security threats. Identification of security risks depends on user behavior and user response to such warnings [1, 2]. Users are expected to assess cyber security threats before they conduct online transactions, access a URL, or download files or applications.

Some of the previous studies on cyber threats have focused on comparing physical or structural cues and miscues [3, 4]. Researchers have looked at Internet users’ ability to interpret cues and miscues that are embedded in webpages or emails. Researchers have also studied human factors, including individual differences, gender differences, human cognitive limitations, and factors influencing how users distinguish between legitimate and fraudulent messages [5, 6]. Awareness and vigilance of cyber threats among Internet users have increased; however, hackers and phishers have become more sophisticated and are able to fabricate convincing content or visual displays. As a result, some phishing websites can easily evade filters [7]. A recent work indicates that phishers frame their phishing messages as gains or benefits to induce users’ responses [8]. Phishers and hackers exploit users’ susceptibility to deception by offering potential monetary gains or rewards. However, few studies have taken risk into consideration when examining how Internet users trade off the offered rewards against the risks involved in their decisions. Therefore, the goal of this research is to fill this gap in the literature by quantifying users’ perceived risks of cyber security threats.

2 Literature Review

2.1 Security Warnings and Cues/Miscues in Cyber Security Decision Making

Understanding human cognition and the decision-making process is key to explaining user behavior when faced with cyber security threats. Hence, we need to open up the ‘black box’ in order to more fully understand users’ cyber decisions, such as clicking a link embedded in an email, downloading files from websites, or entering personal information on e-commerce websites or social media.

Several studies have focused on developing better interface and warning designs that capture users’ attention and foster safe cyber security behavior. Security researchers have studied security warnings from multiple perspectives. In a laboratory study to assess the effectiveness of phishing warnings, it was found that more than 90% of the participants fell into the trap of phishing emails when no warnings were shown [9]. By contrast, when active warnings popped up on the screen, 79% of the participants avoided the phishing attack. Based on these findings, it was recommended that warnings or indicators convey clear recommended actions to users, even though they may interrupt the users’ work. In a large-scale field study that assessed the effectiveness of browser security warnings using the Firefox and Chrome telemetry platforms, it was found that more participants entered personal information when there were no active warning indicators than when active warning indicators were provided [10]. The findings of another study indicate that opinionated framing or design increases user adherence by decreasing the click-through rate of SSL warnings [11].

Smith et al. examined user assessment of security levels in e-commerce by varying cues/miscues (i.e., HTTP vs. HTTPS, fraudulent vs. authentic URL, padlocks beside fields) presented on web pages [12]. They conducted an experiment in which users rated their perceived security, trustworthiness, and safety after examining e-commerce web pages that varied in these cues/miscues. They found that padlocks placed beside a field (i.e., miscues) did not affect user perceptions of security but primed subjects to look for more important security cues, such as HTTP vs. HTTPS.

2.2 Susceptibility to Cyber Threats

Human factors, such as past experience, culture, and concerns with Internet security, are expected to influence user security behaviors. In a study that investigated the relationship between demographic characteristics and phishing susceptibility, participants were asked to complete a background survey before they proceeded to a roleplay on phishing, where they were asked to click on a phishing link or enter personal information on phishing websites [13]. The results indicate that women were more likely to fall into the phishing trap than men, and individuals aged 18–25 were found to be more susceptible to phishing. The authors suggested a possible reason for the gender difference: women tend to have less technical knowledge than men. The authors also attributed the susceptible behavior to lower levels of education and less experience on the Internet.

Flores et al. examined the influence of demographic, cultural, and personal factors on phishing [14]. Participants from nine organizations in Sweden, the USA, and India took part in their survey, which compared user responses to phishing attacks across different cultural backgrounds. The authors did not find any relationship between phishing and age or gender, but found that employees’ observed phishing behavior, intention, and security awareness had a significant effect on reactions to phishing. Additionally, the results show that subjects with the intention to resist social engineering, and subjects with general security awareness and computer experience, have higher resilience to phishing attacks.

In a study by Goel et al., phishing emails were sent to more than 7000 undergraduate students and their responses to the phishing attack were recorded [15]. The phishing messages contained different rewards, such as gift cards, tuition relief, bank cards, and registrations. The results show that susceptibility varies across users with different demographics (i.e., major and gender). Women were more likely to open phishing emails, with an overall rate of 29.9% as compared to 24.4% among men, but the rate varied with the content of the emails. Participants with business education backgrounds had a higher opening/link-clicking rate than those with social science, business, and STEM backgrounds. Based on the results, the authors suggest developing context-based education to decrease susceptibility to phishing attacks on the Internet.

In another study that examined the effect of gender and personality on phishing, females were found to be more vulnerable to phishing [16]: 53% of women were phished as compared to 14% of men. The authors attributed this to women being more comfortable with online shopping and digital communication than men. Moreover, they found that, among women who fell into the phishing trap, susceptibility was very highly correlated with neuroticism. A possible explanation is that women tend to admit fears and are more sensitive to emotional needs, which could result in susceptibility to phishing attacks.

Vishwanath studied the influence of e-mail habits and cognitive processing on phishing [17]. Phishing emails were sent to college students to assess their responses. The students were later asked to complete a survey on their background and demographic information. It was found that heuristic processing and email habits have a positive effect on victimization, i.e., they make victimization more likely.

2.3 Framing Effect and Prospect Theory

A key factor that is likely to influence users’ cyber decision-making behavior is whether information is framed as a gain or a loss. Prospect theory suggests that decision-making under risk depends on whether the potential outcome is perceived as a gain or a loss [18]. Tversky and Kahneman proposed that the choice between options can be affected by the phrasing or framing of the options [19]. A well-known example is the “Asian disease problem,” in which subjects were told that “the U.S. is preparing for the outbreak of an unusual Asian disease, which is expected to kill 600 people” [20, p. 453]. Half of the subjects were given two positively framed options, one with a certain outcome (i.e., 200 people will be saved) and one with a risky outcome (i.e., 1/3 probability of saving 600 people and 2/3 probability of saving none). 72% of these subjects selected the certain outcome, suggesting that people are risk averse in the positively framed scenario. The other half of the subjects were given two negatively framed options, one with a certain outcome (i.e., 400 people will die) and the other with a risky outcome (i.e., 1/3 probability that none will die and 2/3 probability that 600 will die); 78% of them chose the risky option, suggesting that people are risk seeking in the negatively framed scenario. Their findings indicate that losses have a greater impact on people’s decision making than gains. Furthermore, they identified two factors that underlie people’s high sensitivity to losses: reference points and loss aversion. The reference point is the status quo: people use the current situation as a reference and evaluate the uncertain outcomes of the options against it. People tend to attach subjective judgments to potential gains and losses. For example, they may associate gains with a positive value, such as a monetary reward, a free product, or a potential earning opportunity, and associate losses with a negative value, such as a penalty, a monetary cost, or a potential loss proposition. Loss aversion refers to the fact that people tend to avoid losses even if the risk is high. In other words, people perceive the value of a loss differently from the value of gaining the same amount. Prospect theory has important implications for cybersecurity research. Phishing messages can provide incentives that influence users to change their status quo (reference point). More specifically, hackers and phishers may claim that they can help users save money, or offer complimentary products or services, in order to deceive them.

2.4 Positive and Negative Framing in Cyber Decision-Making

Rosoff et al. [21] conducted an experiment to investigate whether and how human decision-making depends on gain-loss framing and the salience of a prior near-miss experience. They looked at one kind of near-miss experience, the resilient near-miss, which refers to the case where a user previously experienced a near-miss with a cyber-attack [21]. They carried out a 2 by 2 factorial design, manipulating two levels of each of two independent variables: frame (gain vs. loss framing) and previous near-miss experience (absence vs. presence). Their results show that users tend to follow safe practices when they have prior experience with a near-miss cyber-attack. They also concluded that women are more likely than men to select a risky choice. More importantly, they found that framing has a strong influence on decision making.

Two types of persuasion have been investigated in the cyber context: reward-based and risk-based [22]. Persuasion techniques can be used to lure users into complying with a recommended course of action. Reward-based persuasion is designed to attract users by offering a reward or benefit, for example, an email informing the recipient that they have won a lottery. Risk-based persuasion is designed to scare people by describing a potential risk. It persuades through fear of a threat, such as asking the user to click a link to prevent an account from being suspended, or to download software to avert a loss.

The framing effect has also been studied empirically in other cyber contexts. Helander and Du examined how the gain-loss frame affects users’ purchase intentions in e-commerce [23]. They found that perceiving the value of a product positively (gain frame) affects purchase intentions, whereas perceiving the risk of credit card fraud and price inflation (loss frame) does not negatively affect users’ purchase intentions. Individuals tend to make decisions that are risk-averse in a gain frame [24]. However, Valecha’s study found that the presence of both reward-based persuasion (gain frame) and risk-based persuasion (loss frame) in phishing emails increases the likelihood of a response [22]. The framing effect also has some limiting conditions. When subjects were required to explain their choices, the framing effect tended to be reduced [25]. The framing effect can be eliminated if users are encouraged to think through the rationale underlying their choices [26]. Also, if users are experts in a particular area, the framing effect is reduced [27]. Studies on prospect theory have shown that people tend to avoid risks under gain frames but seek risks under loss frames [18].

2.5 Cyber Security Risk Assessment and Risk Taking

Assessing risks when making decisions is fundamental to cyber security. Risk taking is often associated with specific actions and environments. Chen, Gates, Li, and Proctor conducted three experiments on Amazon Mechanical Turk [28] to assess the influence of summary risk information on app-installation decisions. Their study focused on the security of the Android operating system because 99% of mobile malware targets Android [29]. In the experimental conditions, risk information was framed either as the amount of risk (negative framing) or as the amount of safety (positive framing). The results suggest that summary information positively framed as safety has a greater effect on app-installation decisions than summary information negatively framed as risk. Hence, a valid risk index that is framed positively, by focusing on safety, could be developed to improve users’ app-installation decisions.

Compared to adults, teens make extensive use of the Internet for social networking sites, online shopping, and interactive communication. In a study on teens’ perceived safety and risk-taking behavior in online chat sites, it was found that teens with more social discomfort were less likely to take risks, while those who trusted their online friends were more likely to take risks [30].

Risk has been estimated using the formula: Risk = Threat × Vulnerability × Consequence [31]. The formula is based on the Risk Analysis and Management for Critical Asset Protection (RAMCAP) model with the definition of the terms provided in Table 1.

Table 1. Definitions of terms by RAMCAP

3 Research Methodology

A within-subject experiment is proposed to explore the relationship between cyber security risks and their associated monetary values. We will use a scenario-based survey [32] in the experiment to identify users’ trade-off decisions between cyber security risks and the minimum monetary value gain required for them to take the associated risks. Furthermore, by varying the levels of cyber security risk that users face, we can identify the minimum monetary value gain needed to entice users to take each level of risk. We will recruit our research subjects through Amazon Mechanical Turk.

3.1 Research Design and Task/Scenarios

We are interested in quantifying the monetary value gains associated with the different levels of risk that users are willing to take. Through a series of scenarios, in each of which subjects choose between two options, we will determine the threshold level for risk tolerance, i.e., the level beyond which a user would not take any risk. The threshold is the point at which the user would not accept any further cyber threat for any amount of monetary value gain. Figure 1 shows an example of a user’s threshold level for risk tolerance. In this case, the user can tolerate up to 50% risk for a monetary value gain, but would not tolerate any risk beyond that level regardless of the amount of monetary value gain offered.

Fig. 1. Illustration of the threshold for risk tolerance

In order to determine the threshold level for risk tolerance, we use the scenario-based approach in which subjects have to make a selection between two choices for every scenario posed to them. An example of a scenario is as follows:

“You need to download a software named Accelerator that has a market price of $100 onto your primary computer.

In this scenario, you have to make a choice between the following two options:

Option A: Download Accelerator at the full price of $100 with 0% of cyber security risks.

Option B: Download Accelerator at a discounted price of $90 (i.e., $10 or 10% saving) [varying monetary value] with 5% of cyber security risks [varying risk level].”

Please indicate your choice (between option A and B): _______

Figure 2 shows the design of a scenario-based question in which a subject needs to select a choice between two options.

Fig. 2. Scenario-based question

3.2 Variables and Operationalizations

Two independent variables will be considered: monetary value gain and cyber security risk. The monetary value gain is the difference between the full price and the offered price of the software. Risk is operationalized as vulnerability to cyber threats (i.e., we use the percentage of users who reported a virus/spyware/malware after downloading the software from this source as a surrogate for risk). We will use a linear search method to identify the threshold level for risk tolerance (i.e., the level at which users are not willing to take any further risk for any further discount or monetary value gain).

In the study, subjects will be asked to select one of two options in each scenario given to them. In each scenario, option A remains unchanged, whereas the risk and monetary value (i.e., price) of option B vary. The first scenario compares the two options shown in Fig. 2: (i) option A ($100 with 0% risk), and (ii) option B ($90 with 5% risk). The subject makes a choice between them. Depending on whether option A or option B is chosen, the next scenario varies either the monetary value (M) or the risk (R). If option A is chosen at a particular level of risk, we decrease the monetary value (i.e., price) of option B by $10 to assess whether the subject is willing to take this level of risk at the lower price. If option B is chosen (i.e., the subject is willing to take the current level of risk at the given price), we proceed to assess the next higher level of risk. The risk levels assessed are 5%, 10%, 20%, and every 10% increment up to 90%. Risk is assessed in 10% increments, with 5% included to increase sensitivity at low risk levels. Figure 3 shows a chart that depicts the changes across the series of scenarios given to the subjects.

Fig. 3. Series of scenarios presented to subjects

For example, if a subject chooses option A in the first scenario (see Fig. 2), option B in the next scenario will be as follows: the risk remains at 5% and the monetary value decreases by $10 from $90 to $80, so the subject will choose between option A ($100 with 0% risk) and option B ($80 with 5% risk) in the second scenario. If the subject chooses A again, the previous step repeats, and the third scenario will show option A ($100 with 0% risk) and option B ($70 with 5% risk). If option A is repeatedly chosen, this process iterates until the price of option B reaches $10; if the subject still chooses option A when option B is offered at $10 with 5% risk, no further scenarios are presented. In this case, the subject can be said to be intolerant of risk, even when the price is low (or the monetary value gain is high). On the other hand, if the subject chooses option A in the first scenario but option B in the second scenario, the monetary value (i.e., price) remains unchanged ($80) but the risk increases to the next level, which is 10%. In this case, the third scenario presents option A ($100 with 0% risk) and option B ($[previous value = 80] with 10% risk).

As another example, if the subject chooses option B in the first scenario (see Fig. 2), the monetary value is fixed at $90 and the risk increases to 10%. Hence, the second scenario will show option A ($100 with 0% risk) and option B ($90 with 10% risk). If the subject chooses B again, the previous step iterates (i.e., the risk level is increased) until the subject rejects the risky option and chooses option A.

In general, if the subject chooses option A and the monetary value (i.e., price) equals $10, the experiment ends. The experiment also ends if option B is chosen and risk is 90%.
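The adaptive scenario series described above, simulated as an added example (not the authors' survey instrument or code). The risk levels, prices, and stopping rules are taken from the text; the subject model `make_subject` is a constructed assumption used only to exercise the procedure and produce a threshold for risk tolerance as in Fig. 1.

```python
# Added example: simulation of the scenario series in Sect. 3.2.
# Risk levels, prices and stopping rules follow the text; the subject
# model below is a constructed assumption, not from the paper.

RISK_LEVELS = [5, 10, 20, 30, 40, 50, 60, 70, 80, 90]  # percent
FULL_PRICE = 100    # option A: full price, 0% risk (never changes)
START_PRICE = 90    # option B price in the first scenario
PRICE_STEP = 10     # price drop after each choice of option A
MIN_PRICE = 10      # experiment ends when A is chosen at this price


def run_scenarios(choose):
    """Present the scenario series to one subject.

    choose(price_b, risk_b) returns 'A' or 'B' when option B is offered
    at price_b dollars with risk_b percent risk.
    Returns (history, accepted): history lists (price, risk, choice) in
    presentation order; accepted maps each risk level the subject took
    to the price at which it was accepted, i.e. the minimum monetary
    value gain that level of risk required for this subject.
    """
    price, idx = START_PRICE, 0
    history, accepted = [], {}
    while True:
        risk = RISK_LEVELS[idx]
        choice = choose(price, risk)
        if choice not in ("A", "B"):
            raise ValueError(f"expected 'A' or 'B', got {choice!r}")
        history.append((price, risk, choice))
        if choice == "B":
            accepted[risk] = price
            if idx == len(RISK_LEVELS) - 1:
                break            # B chosen at 90% risk: experiment ends
            idx += 1             # same price, next higher risk level
        else:
            if price == MIN_PRICE:
                break            # A chosen at $10: experiment ends
            price -= PRICE_STEP  # same risk, $10 lower price
    return history, accepted


def risk_threshold(accepted):
    """Threshold level for risk tolerance (Fig. 1): the highest risk level
    accepted at any price, or 0 if the subject never chose option B."""
    return max(accepted) if accepted else 0


def make_subject(max_risk, dollars_per_point):
    """Constructed subject model (assumption): chooses B only if the risk
    is at most max_risk percent and the saving over the full price is at
    least dollars_per_point per percentage point of risk."""
    def choose(price, risk):
        saving = FULL_PRICE - price
        return "B" if risk <= max_risk and saving >= dollars_per_point * risk else "A"
    return choose


if __name__ == "__main__":
    hist, acc = run_scenarios(make_subject(max_risk=50, dollars_per_point=0.5))
    for price, risk, choice in hist:
        print(f"A: $100, 0%   B: ${price}, {risk}%  -> {choice}")
    print("minimum gain per accepted risk level:",
          {r: FULL_PRICE - p for r, p in acc.items()})
    print("threshold for risk tolerance:", risk_threshold(acc), "%")
```

Collecting `accepted` across subjects gives the per-risk-level minimum gains whose shape (linear, concave, or convex) Sect. 4 proposes to examine.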

We will include control variables in our survey as indicated below.

  • Demographic factors

  • Past cyber-attack experience, individual security concerns, Internet habits (potential moderating variables)

4 Expected Contributions

The main contribution of this research is a better understanding of the trade-off decisions that users make between monetary value gains and the risks of cyber security threats. The findings of the proposed study will not only provide a distribution of users’ threshold levels for risk tolerance, but will also show whether the relationship between monetary value gains and cyber risks is linear, concave, or convex. With the knowledge gained from this research, we hope to design better mechanisms and warning systems to mitigate the risks taken by users. Additionally, the findings could be useful for privacy policy design, security warning design, and user interaction design.