Do active and passive risks have the same predictive power for cybersecurity behaviour?

The growing number of cybercrimes and their impact on the lives of victims and on companies are considerable. In many cases, a cybercrime is the result of a wrong decision made by a user. Schneier (2000) even describes users as the weakest link in the cybersecurity chain. Although the general population seems to be aware of the risks of using the Internet, the growing number of computer crimes suggests that their behaviour does not reflect this awareness. This phenomenon, known as the “privacy paradox,” describes the gap between individuals’ stated security concerns and their actual behaviour. Indeed, despite knowing the risks, individuals rarely take steps to protect their data, such as deleting “cookies” or using an encrypted mailbox.

To guard against this type of crime, it is necessary to consider the user’s role in whether an attempted attack succeeds: for a cybercrime to be completed, some vulnerability, whether in a computer or in a human, must have been successfully exploited. Studies to date have mainly focused on so-called active risk behaviours (e.g. opening an attachment of questionable provenance), since these are the behaviours that incur the most obvious risk. Passive risks, on the other hand, are behaviours of inaction, defined as giving up an opportunity to act or react in order to reduce the variance of outcomes (Keinan and Bereby-Meyer, 2012). Not strengthening a password by adding special characters or numbers is one example of passive risk behaviour.

Although the prevailing view treats active risk tendencies as the important factor in predicting Internet safety behaviour, Arend, Shabtai, Idan, et al. (2020) set out to analyse whether passive risk tendencies also influence cybersecurity behaviour.

To answer this question, they carried out three studies to build an overall picture of the situation. Each uses self-report measures to study the relationship between active and passive risk tendencies and cybersecurity. More specifically, the first study examines whether passive risk tendencies predict cybersecurity behaviour intentions while controlling for demographic variables and individuals’ past experiences with online crime. The second study disentangles the respective roles of active and passive risk-taking in predicting cybersecurity intentions. The third study measures passive risk behaviours related to cybersecurity.

The three studies mainly conclude that passive risk tendency is a better predictor of cybersecurity intentions and behaviours than active risk tendency. Moreover, they show that the self-report measure of passive, but not active, risky behaviour is a unique predictor of cybersecurity behaviour intentions. They also reveal that the self-reported measure of passive, but not active, risk is significantly correlated with two specific behaviours: reading the small print and strengthening a password.

Even so, this work is not without its limitations. The three studies did not consider the workload, performance pressure, or lack of time that individuals may be under when they receive an email with a malicious attachment, and context has been shown to influence people’s decisions about their behaviour on the Internet, potentially putting them at greater risk (Acquisti, 2004). In addition to its empirical contribution, this work is relevant to any professional seeking a better understanding of human behaviour in cybersecurity.

To cite: Arend, I., Shabtai, A., Idan, T., Keinan, R., and Bereby-Meyer, Y. (2020). Passive- and not active-risk tendencies predict cyber security behavior. Computers in Human Behavior, 97.