ABSTRACT
Despite the plethora of security advice and online education materials offered to end-users, there exists no standard measurement tool for end-user security behaviors. We present the creation of such a tool. We surveyed the most common computer security advice that experts offer to end-users in order to construct a set of Likert scale questions to probe the extent to which respondents claim to follow this advice. Using these questions, we iteratively surveyed a pool of 3,619 computer users to refine our question set such that each question was applicable to a large percentage of the population, exhibited adequate variance between respondents, and had high reliability (i.e., desirable psychometric properties). After performing both exploratory and confirmatory factor analysis, we identified a 16-item scale consisting of four sub-scales that measures attitudes towards choosing passwords, device securement, staying up-to-date, and proactive awareness.
Scaling the Security Wall: Developing a Security Behavior Intentions Scale (SeBIS)