DOI: 10.1145/2702123.2702249
research-article

Scaling the Security Wall: Developing a Security Behavior Intentions Scale (SeBIS)

Published: 18 April 2015

ABSTRACT

Despite the plethora of security advice and online education materials offered to end-users, there exists no standard measurement tool for end-user security behaviors. We present the creation of such a tool. We surveyed the most common computer security advice that experts offer to end-users in order to construct a set of Likert scale questions to probe the extent to which respondents claim to follow this advice. Using these questions, we iteratively surveyed a pool of 3,619 computer users to refine our question set such that each question was applicable to a large percentage of the population, exhibited adequate variance between respondents, and had high reliability (i.e., desirable psychometric properties). After performing both exploratory and confirmatory factor analysis, we identified a 16-item scale consisting of four sub-scales that measures attitudes towards choosing passwords, device securement, staying up-to-date, and proactive awareness.

Published in

CHI '15: Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems
April 2015
4290 pages
ISBN: 9781450331456
DOI: 10.1145/2702123

            Copyright © 2015 ACM


Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance Rates

CHI '15 Paper Acceptance Rate: 486 of 2,120 submissions, 23%
Overall Acceptance Rate: 6,138 of 25,900 submissions, 24%
