client/audience
AImpower
timeframe
Aug 2023 - Dec 2023
role
UX Designer
Project Manager
The Effects of User Attitude on User Behaviour
a research study that examines the attitudinal factors driving desirable user behaviour towards data and information security
Abstract
Many behaviours, ranging from small actions like using identical passwords on multiple platforms to dangerous actions like automatically clicking on spam links, can put users at risk. In our paper, we argue that improper user attitudes contribute to bad user behaviour, which increases the risk of security incidents such as data breaches. Hence, changing attitudes and behaviour could be the first step and countermeasure to prevent jeopardizing user security and privacy. We explore numerous studies that show why users possess and maintain bad security attitudes, including situational factors, motivation, distrust of security, and a perceived lack of control.
Background
As society becomes increasingly intertwined with digital platforms, and as more online users mindlessly provide information and personal data as a commodity to fuel the big data economy, the questions arise: how much do individuals truly comprehend about data privacy and the intricacies of privacy policies? How much do individuals really care about user security, and how deeply do they prioritize security and value privacy amidst the vast networked digital landscape of 21st-century society? Privacy policies are the backbone of understanding data rights. According to a decade-long privacy study conducted by Carnegie Mellon, reading every privacy policy we encounter in a year would take 76 full workdays. Most people probably do not bother to spend time reading the policies. While that is an understandable human aversion to tedium, it touches on what academics call the privacy paradox: when asked, most people will say they care deeply about privacy, but in reality, their behaviour towards security can show the opposite.
Attitudinal Factor in User Behaviour
User behaviour is a major determinant of security, and good behaviour that complies with cybersecurity best practices can play an important role in protecting user information security. A study conducted in 2020 delves into predictors of non-compliant behaviours while considering habitual and situational factors. Based on the findings, there is a strong correlation between existing bad or non-compliant habitual behaviour and the continuation of that behaviour, meaning that users with bad habits are likely to continue them (Leering et al.). Additionally, situational factors can assist the continuation and persistence of existing bad habits. For example, situational factors like time pressure can strengthen bad habits, as users who already engage in non-compliant security practices will often choose to follow through with more non-compliant behaviours under time constraints. Hence, having good security habits to begin with sets a solid foundation for continuing them even if unforeseeable situational factors arise.
However, simply promoting good user behaviour and constraining bad user behaviour does not solve the behavioural problem at its roots, because bad behaviour is often due to the users' attitude toward information security. In fact, users' motivation to maintain their security environment is related to their incentive to comply with the information security policy and security best practices. Without a proper or appropriate attitude, users are not motivated to comply with security-related directives, which puts their privacy and security at risk. In order to improve user behaviour and solve the problem at its roots, it is important to identify the attitudinal factors that impact behaviour.
User attitude towards security and privacy compliance can be explained with security capitulation theory, which examines the reasons why users give up on security by turning to bad behaviours (McLeod and Dolezel). In business and psychology, capitulation is a response associated with persistent frustration and helplessness. The Canadian researcher Wrosch and colleagues proposed a capitulation appraisal model to evaluate the benefits and risks users weigh in their effort to achieve security (Wrosch et al.). In the model, users who decide to stay committed to security compliance show concern about security and privacy; on the other hand, users who give up and disengage from security expectations do so out of a general lack of concern.
A recent study found that distrust of security, abundant threat notifications, and an increased feeling of vulnerability and susceptibility lead to an attitude of capitulation towards security, which causes bad behaviour and the continuing failure of information security policies (Reitberger and Wetzel). Feelings of capitulation result from a perceived lack of control, such as the perception of data breach fatigue, which is often experienced by users when they become inured to the frequency and effects of data breaches and begin to feel less motivated to do anything to protect themselves because they believe data breaches are inevitable (McLeod and Dolezel). Since 2005, 9,033 data breaches affecting U.S. users, exposing more than 816 million individual records, have been made public (Zorabedian). In 2017 alone, 1,578 cases were reported ("The History of Data Breaches"). A study conducted in 2016 examines consumer response to the high frequency and vast amount of data breach cases covered by the media; specifically, the survey looks closely at consumers' perceived data breach fatigue and the subsequent consumer action. When surveying 998 individuals who had been exposed to media coverage regarding data breaches, only 4% started taking preventive measures such as using a password manager, and 22% took no action at all (Ablon et al.). Overall, there is a statistically significant correlation showing that frequent data breach disclosures induce data breach fatigue, which causes users to overlook the harm, leaving them with the sentiment that data breaches and loss of privacy are the new norm, which in turn drives them to security capitulation (McLeod and Dolezel).
The perceived lack of control is often closely associated with the vulnerability experienced by users, which also leads to capitulation (McLeod and Dolezel). Studies have shown that users who report strong feelings of vulnerability are more likely to develop stronger feelings of capitulation (Sharma and Warkentin). On the other hand, users who feel less vulnerable are much less likely to give up. Vulnerability is intrinsic to security self-efficacy, which concerns users' perception of their capability to perform security-related tasks and protect their information. Protection motivation theory explains the determinants of perceived threat and perceived vulnerability (McLeod and Dolezel). As demonstrated by a study conducted in 2021, there is a positive relationship between perceived vulnerability and the intention to comply with best-practice security behaviours (Reddy). Security self-efficacy positively correlates with security best practices; further, non-compliant behaviours are often attributed to a lack of ability, knowledge, and experience in recognizing the risks and threats at hand (McLeod and Dolezel).
Given the persistent sense of defencelessness that is often reinforced by frequent privacy threat notifications, users come to believe that all preventive measures are ultimately unproductive and futile; thus, users' attitude towards information security gradually becomes indifferent as they grow numb and uninterested in recognising potential security risks. As a result of this attitude, users are inclined to turn to bad habits and behaviours as they completely let go of control over their own security, quitting any kind of proactive risk management and ignoring all security warnings. In this regard, changing users' attitudes could be the first step or the first countermeasure to prevent compromising user security and privacy.
Case 1
Security experts often highlight that user habits can raise security and privacy concerns. In fact, a report presented by the Ponemon Institute, "The 2020 State of Password and Authentication Security Behaviors Report", shows that the security habits of professionals are not so different from those of individuals without expertise (Ponemon). More than 2,000 IT security practitioners (also referred to as IT security respondents) and 563 individual users participated in the survey (Ponemon). Larry Ponemon, CEO of Ponemon, says he "expected people who are in IT and IT security to be more security-smart" but "for the most part, both groups are more similar than they are different" (Sheridan).
Certainly, there are some discrepancies between the two groups. When asked about their concerns regarding security and privacy, the majority of the IT security professionals chose an increase in government surveillance and censorship, mobile equipment usage, and IoT equipment (Ponemon). On the other hand, individual users were concerned about personal information leakage, especially of medical information (Ponemon). About half of the respondents were concerned about mobile equipment and IoT equipment (Ponemon).
However, in the case of two-factor authentication, the two groups were not significantly different. The majority of security experts said they do not use two-factor authentication for business accounts, and the majority of the individual users answered in a similar manner (Ponemon). Likewise, 50 percent of security professionals and 39 percent of individual users responded that they use the same password for important accounts (Ponemon). Both groups said they often share passwords with their colleagues (Ponemon).
In fact, individual users demonstrated better password practices in some cases. After an account takeover attack, 76 percent of individual users said they had changed their password management methods (Ponemon). However, only 65 percent of security professionals responded in the same manner (Ponemon). In terms of password management, the majority of both groups said they rely on memory (Ponemon). There were many cases where memo notes such as post-its were used: the report shows that about 40 percent of both groups use post-its (Ponemon). However, slightly more individual users use browser extensions to auto-fill passwords (Ponemon).
This trend of security professionals adopting poor security habits and reusing passwords even after takeover attacks "seems counterintuitive" but points to broader problems, says Jerrod Chong, chief solutions officer at Yubico (Sheridan). Chong explains that if users of all experience levels have similar security habits, the problem lies in the people, not in professionalism (Sheridan). It also means that security is not the domain of experts but the domain of everyone. In addition, Chong argues that education or a cultural transformation intended to change the entire organization from the top is needed in order to make meaningful changes (Sheridan). He states that "the systems and processes of a large organization make it harder to make a technology [switch] by putting specific mandates on security practices." Organizations often adhere to policies created decades ago, he continues, and those who don't follow the policy are considered outliers.
Case 2
Although numerous consumers have suffered damage from personal information loss due to information leakage and system intrusion incidents, studies have shown that dangerous behaviour patterns remain unchanged. A study of 500 adults working in general jobs in the United States by the security company OpenVPN reveals that employee behaviours have a direct impact on corporate cybersecurity effectiveness (OpenVPN).
OpenVPN conducted surveys to determine the causes of vulnerability, and the results showed that 25 percent of individuals use the same password for all services or logins (OpenVPN). In addition, 23 percent of individuals admit to clicking on links before verifying whether a link leads to the website they intended to visit (OpenVPN). Both causes are critical defects because they can put the entire organization at risk, not just the individual. According to the study, despite an increase in the number of security training courses and programs, training alone is insufficient to change the attitude of users (OpenVPN). They still prefer a convenient password over a safe one, which makes them vulnerable to even the most basic attacks.
Users tend to reuse the same password across numerous platforms, including internet banking, company account logins, e-mail, and social media. In fact, they often use the same password to log into a personal device. In this case, a compromise of one platform increases the chance of security problems occurring across all of them. One of the best ways to combat this kind of threat is to use biometric authentication. According to the survey, 77 percent of individuals trust biometric-based authentication, 62 percent of individuals believe biometric authentication is stronger than passwords, and only 55 percent of individuals are actually using it (OpenVPN).
Francis Dinha, CEO of OpenVPN, argues that the security issue will remain unsolved because the individuals with security responsibilities are not taking action to practise healthy security habits (Dinha). According to the survey, 60 percent of individuals say their biggest cybersecurity concern is having their personal data compromised (OpenVPN). However, they do not consistently pursue security strategies to prevent data breaches. Dinha explains that this is because "many people feel overwhelmed by the risk" (Dinha). He claims that users are aware of the potential danger but feel powerless (Dinha). However, unless users take action, security incidents will continue to occur.
Limitations
As this paper focuses on the attitudinal factor that is critical to positive change in user behaviour, we only addressed the ways users' attitude can be negatively influenced, using capitulation theory, and we did not discuss actions to correct bad attitudes. Thus, we provide motivation for future research to examine possible measures to improve or eliminate bad attitudes. Moreover, we approached our argument that attitude influences behaviour from a relatively qualitative perspective. Future work could seek clear definitions of how much a positive attitude translates into or increases good user behaviour. There are also limits to the level of security that good attitudes and good behaviours can provide, and this paper does not offer a solution for them. As different users possess different cognitive capabilities that determine their ability to counter security threats, malicious designers will exploit psychological traits and individual differences to cognitively attack users, interfering with users' rational decisions through manipulative and misleading designs. Hence, information security is not guaranteed despite a proper attitude, best security practices, and compliant behaviour.
Implications
There are data protection directives from different institutions as well as laws from the EU, such as the General Data Protection Regulation (GDPR), which came into effect in May 2018 with the hope that it would become a gold standard for feasibly checking the power of big tech companies by holding them accountable for the way they handle and treat user information, thereby protecting users and keeping their personal data safe. However, studies have shown that such legal frameworks were not well enforced. Thus, instead of expecting regulations like the GDPR to take effect immediately, or hoping that the companies that control our data will comply with the privacy framework immediately, users themselves should be motivated to treat security risks with a serious attitude and take action.
In order to strengthen security attitudes while minimizing the gaps between different cognitive capabilities, two methods are suggested. First, provide customized educational content that considers the propensities and characteristics of users: analyze the procedures and behaviours users follow in performing their work, then increase their effectiveness and efficiency with awareness-raising programs that reflect that work behaviour. Second, some of the biggest reasons individuals show low interest in information protection are that security-related content is difficult to understand, security is perceived as annoying and uncomfortable, and users disbelieve its potential impact. As many security problems begin with user carelessness, security innovation cannot occur without changing human perception. Therefore, motivational factors that teach individuals the benefits of practising good security habits should be provided. Additionally, practices that promote user security should be upheld, such as developing the habit of reading privacy policies. This is imperative because what remains unknown has the potential to inflict harm, yet individuals consistently put themselves at risk by giving away various rights concerning the collection, usage, and sharing of their personal data by apps or websites. Transparency is a good thing. Privacy policies empower more people to better understand and control the data they share, but they are only useful if they are read and understood.
Conclusion
While much existing research addresses the importance of good user behaviour, the factors that could influence user behaviour, and the positive correlation between good behaviour and user security, very few studies examine the attitudinal factor that drives users towards desirable behaviour. This paper acknowledges the attitudinal factor that essentially guides and actualizes user behaviour and emphasises the importance of a positive user attitude towards information security, thereby encouraging a correct user attitude and extending the idea from existing academic knowledge that good user behaviour is critical to user security.