ScienceDirect
journal homepage: www.elsevier.com/locate/cose
article info
Article history:
5 March 2014
Keywords:
Cyber-security
Cyber-crime
End-users
European Union
Eurobarometer survey
Cluster analysis

abstract
We use large-scale survey data from the Eurobarometer 77.2/2012 to explore variability in
Union (EU27). While cyber-security is a high-priority activity for security experts and researchers, end-users conduct it in the context of their daily lives, as a socially accountable
routine activities. An ecological analysis at country level indicates that societies with widespread Internet use support cultures of higher cyber-security. They also expose daily Internet users to higher cyber-crime risks, but this positive correlation is weaker, with Romania and Hungary as two notable exceptions of high average exposure with low overall Internet use. Given the negative feedback loops between security responses, exposure to cyber-crime, and online activity, we find that, at individual level, linear causal modeling on survey data is impractical, and we propose classification analysis as a better tool for capturing variability. We use K-means cluster analysis to identify five types of end-users' orientation towards security in the context of their activity: explorer, reactive, prudent, lucky, and occasional users, and we discuss their profiles of online activities and experiences. Prudent users are relatively neglected in public campaigns for Internet security. Classification analysis is a productive tool for understanding end-users' security orientations through survey data and for informing public interventions.
© 2014 Elsevier Ltd. All rights reserved.
Introduction
End-users are primary characters of the scientific literature on
cyber-security of recent years. Many pieces of research
attempt to measure, illustrate, or explain their low compliance
Computers & Security 43 (2014) 111–125
overloading, preference for economic optimization, and pursuit of social integration, respectively.
A core issue in describing end-users' security behaviors is risk awareness (see a succinct comparison in Table 1). From the perspective of the lazy user, awareness is mainly a function of users' understanding of online technologies and risks and, reciprocally, the accessibility of security solutions (Adams and Sasse, 1999; Albrechtsen and Hovden, 2009; Besnard and Arief, 2004; Furnell et al., 2007; Furnell et al., 2006). Lazy end-users are usually portrayed as technically naïve. At the same time, users are vulnerable because they must allocate scarce cognitive resources to multiple, competing tasks. Attending to security issues conflicts with attending to other tasks that are also cognitively demanding, and users need to balance multiple goals: humans obey least-effort rules because they are cognitive machines that attempt to cheaply reach flexible objectives rather than to act perfectly towards fixed targets (Besnard and Arief, 2004).
From the perspective of the economically rational user (Christin et al., 2012; Herley, 2009), awareness is primarily a function of experienced personal loss due to cybercrime, as well as of general information about losses experienced by similar others. Loss is dependent on activity: different types of online activities may incur different types of losses; also, the frequency of online exposure increases the frequency of actual losses that materialize the risk. An important observation here is that losses are distributed among different participants in a cybercrime setting, through various social arrangements. For example, in the case of hacked banking accounts, losses are distributed between the bank and the end users – and, consequently, end users are often protected from cybercrime risks by arrangements that transfer financial losses to corporate actors. Losses may also be hidden, appearing more like a minor inconvenience. Moreover, security measures have non-negligible costs (Herley, 2009; Inglesant and Sasse, 2010). Users are portrayed as economically rational actors who estimate risks and protection costs based on their own experiences and those of relevant others, and adjust their protective behavior to efficiently pursue their activity, as they understand it.
From the perspective of the social user (Weirich and Sasse,
2001), awareness is created through personal experiences, of
self and others, that are socially interpreted through shared folk
Users' risk awareness
Rationality: Bounded, based on heuristics
Main springs of action: Satisficing on goals; Minimizing effort
Reasons for low compliance: Low understanding of risks and low technical expertise

Economically rational users
Economic rationality in the context of one's own activity
Users' risk awareness: Awareness is adequate, reflecting estimated personal risks
Rationality: Economical, based on cost-benefit analysis
Main springs of action: Optimizing the pursuit of preferences
Reasons for low compliance: Average end-user losses from cybercrime are perceived to be low; Security costs are high; Future costs and benefits are discounted

Social users
Self-presentation concerns; trustful actors, in pursuit of concerted activities
Users' risk awareness: Relevant risks are socially defined, through communication that gives meaning to personal experiences
Rationality: Rationality appears as a byproduct of activities of justification (accounting), using socially constructed vocabularies
Main springs of action: Achieving legitimate goals and maintaining desired identities in the local social order
Reasons for low compliance: Security practices are:
- Obstacles for smooth social organization
- Associated with de-valued identities
- Given the low technological dependence of Internet navigation on national or other social distinctions, are there socio-demographic and country-based differences in users' experiences of cyber-crime and security responses?
- What other patterns of variability can we identify in users' experiences of cyber-crime, online activity, and security measures?
Country-level variability
Our first level of exploration concerns the descriptive analysis of
country variability in individual experiences of cyber-crime and
security behavior, in relation to Internet use.
Internet use is measured as the proportion of respondents
who declare that they use the Internet once a day or several
times a day. Experiences of cybercrime are measured, for each
individual, as the count of situations where he or she has
encountered this phenomenon, among:
- Identity theft (somebody stealing your personal data and
impersonating you, e.g. shopping under your name);
- Received emails fraudulently asking for money or personal details (including banking or payment information);
- Online fraud where goods purchased were not delivered,
counterfeit or not as advertised;
- Accidentally encountering material which promotes racial
hatred or religious extremism;
- Not being able to access online services (e.g. banking services) because of cyber attacks.
Security behavior is measured, for each individual, through
antivirus use and password hygiene. Password hygiene includes two indicators: the use of multiple passwords for
multiple sites, and the count of situations where the user has
changed her password in the last 12 years, among:
- Web-based e-mail;
- Online social networks;
- Shopping website (e.g. travel agents);
- Online banking websites.
Ecological level associations suggest, therefore, that societies of intense online activity develop cultures that support
security-oriented behavior. Individual experiences of cybercrime for daily internet users are, as a rule, also enhanced in
countries with intense online activity, but the relationship is
not strong, and Romania and Hungary are notable exceptions.
This correlation reflects the fact that risks materialize with
increased exposure: it is likely that netizens in countries of
widespread online activity also engage in more intense and
more diverse use than daily Internet users in countries of less
Internet popularity. There is also an effect of awareness:
country-level Internet penetration influences public debates on
cyber-crime that could raise users' awareness and diagnosis of
security incidents, thus indirectly raising their survey reports.
Fig. 5 – Distribution of total experience of cybercrime and measures of password change in the EU27 population of Internet users. Data source: Eurobarometer 77.2 / 2012, authors' analysis.
We can conclude that there is a relatively low social stratification of exposure to cybercrime and of password hygiene,
when analyzed independently; much of this stratification can
be observed along the lines of age and education categories.
User profiles
Starting from the theoretical understanding and previous
empirical observations that security behaviors, experiences of
cyber-crime, and Internet use are closely related in patterns of
activity, we decided to explore variability of these patterns
through cluster analysis. We used K-Means Cluster to classify
respondents according to behavioral indicators. We have
explored models with 3, 4, and 5 clusters, and we have decided
that the 5-type classification offers the best interpretability
and level of detail, while still comprising sufficiently large
categories of users to be relevant.
We have labeled the five categories so as to capture a key
feature of online orientation: explorer, reactive, prudent,
lucky, and occasional users. A description of the clusters,
including summary evaluations and the numerical estimates,
is presented in Table 5.
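The classification step described above, as an added example that is not the authors' code or data: K-means run for 3, 4 and 5 clusters over constructed respondents whose four indicators follow the qualitative cluster labels. The indicator values, the farthest-first seeding and the within-cluster sum of squares used to compare solutions are assumptions of this example; the paper chose the 5-cluster solution on interpretability.

```python
from collections import Counter
from itertools import product
from math import dist

# Constructed profile centres on four 0-1 scaled indicators:
# (use frequency, cyber-crime experience, password hygiene, caution).
# They mirror the qualitative labels only, not the paper's estimates.
PROFILES = {
    "explorer":   (0.9, 0.9, 0.9, 0.8),
    "reactive":   (0.6, 0.8, 0.6, 0.2),
    "prudent":    (0.5, 0.2, 0.2, 0.9),
    "lucky":      (0.9, 0.2, 0.2, 0.2),
    "occasional": (0.1, 0.1, 0.1, 0.2),
}


def make_respondents(jitter=0.02):
    """Constructed sample: 16 respondents per profile, centre +/- jitter."""
    rows = []
    for label, centre in PROFILES.items():
        for offsets in product((-jitter, jitter), repeat=len(centre)):
            rows.append((label, tuple(c + o for c, o in zip(centre, offsets))))
    return rows


def farthest_first(points, k):
    """Deterministic seeding (an assumption of this example): start from the
    first point, then keep adding the point farthest from all chosen seeds."""
    seeds = [points[0]]
    while len(seeds) < k:
        seeds.append(max(points, key=lambda p: min(dist(p, s) for s in seeds)))
    return seeds


def kmeans(points, k, max_iter=100):
    """Lloyd's algorithm: assign to nearest centroid, recompute, repeat."""
    centroids = farthest_first(points, k)
    assign = None
    for _ in range(max_iter):
        new_assign = [min(range(k), key=lambda j: dist(p, centroids[j]))
                      for p in points]
        if new_assign == assign:
            break
        assign = new_assign
        for j in range(k):
            members = [p for p, a in zip(points, assign) if a == j]
            if members:  # an emptied cluster keeps its previous centroid
                centroids[j] = tuple(sum(col) / len(members)
                                     for col in zip(*members))
    return assign, centroids


def solve(k):
    """Return (within-cluster sum of squares, per-cluster label counts)."""
    rows = make_respondents()
    points = [vec for _, vec in rows]
    assign, centroids = kmeans(points, k)
    sse = sum(dist(p, centroids[a]) ** 2 for p, a in zip(points, assign))
    mix = [Counter() for _ in range(k)]
    for (label, _), a in zip(rows, assign):
        mix[a][label] += 1
    return sse, mix


if __name__ == "__main__":
    for k in (3, 4, 5):
        sse, mix = solve(k)
        print(f"k={k}: within-cluster SS = {sse:.3f}")
        for j, counts in enumerate(mix, start=1):
            print(f"  cluster {j}: {dict(counts)}")
```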
Explorer and occasional users represent the ends of a
continuum of activity-exposure-protection: the first have high
levels for all three, while the latter have low levels. The other
three categories represent intermediate types, mostly differentiated by security patterns.
Lucky users represent an interesting empirical category:
they have high frequency of use, with average diversity of
online activities, displaying simultaneously low cyber-crime
experiences and low protection strategies. In other words
they seem to be, well, lucky. Cross-sectional survey data
cannot inform us on the stability of such a situation; it may
well be that they would end up experiencing some situation of
cyber-victimization and then make use of protection strategies, possibly becoming prudent or reactive.
We have differentiated the prudent from the reactive
types according to their observable security orientations. The
prudent mostly choose cautionary measures that also
restrain online activity – such as visiting only trusted websites, and using only their computer. The reactive users
display slightly higher frequency and diversity of online activity, and also slightly higher experiences of cyber-crime;
still, they do not engage in restrictive protection, making
n.d.). Still, prudent users include a distinctive type of netizens: relatively older, relatively wealthy persons living in societies with high Internet penetration. They are a significant
presence in several European countries. In Table 6 we see that
Denmark, Germany, Luxembourg, Sweden, and The
Netherlands have around 40% of Internet users in the prudent
orientation. As regards their profile, regression results in Table
7 indicate that, when compared with occasional users,
prudent users are on average of similar age and gender, but
more educated, while explorer, reactive and lucky users are
more often male, younger, and also of higher education.
Country-level correlations between the proportions of
users in a certain cluster and measures of Internet penetration
(De Argaez, 2013) are high for explorers (R 0.87), prudent
(R 0.85), and occasional users (R 0.92); they are lower for
lucky (R 0.57) and reactive users (R 0.07).1 The association with country-level estimates of daily internet users is
similarly high (see Fig. 7). This indicates that explorer and
prudent orientations develop concomitantly as two alternative security attitudes in cultures of high Internet penetration,
at the expense of occasional orientations. Unlike explorers
who, when confronted with cybercrime, intensify their protection, prudent users answer experiences of victimization
by withdrawing from online transactions.
This analysis indicates that Internet security campaigns
and other public interventions can address the distinctive
category of prudent users, which comprise a large proportion
of the older and better educated public of societies with high
Internet diffusion. They likely have different typical navigation behaviors than younger users, and specific security
problems besides the risks of careless sharing, online bullying,
and sexual harassment. For this category, public interventions
could encourage answers to victimization that enhance protection rather than decrease involvement.
The distinction between secure engagement and cautious
withdrawal from online interactions is rarely highlighted in
public campaigns. For prudent users, this could be an important message – complementing, at attitudinal level, the
awareness and information campaigns that present hazards
and security methods. In a different risk context, the Bedsider.org
birth control campaign (The National Campaign to Prevent
Teen and Unplanned Pregnancy, n.d.) shows situations of
awkward moments during sex, with the encouragement: "You
didn't give up on sex. Don't give up on birth control." Messages
for prudent users may mirror this approach, along the lines: if
we persevere in enhancing our offline safety, against incidents and adversity, we can also persevere in the online
environment.
Conclusions
Our study uses large scale, cross-sectional survey data to
explore variability in patterns of Internet use, exposure to
cyber-crime, and security measures.
End-users' awareness of risks and their resulting security
actions are part and parcel of their ordinary activities, online
and offline; cyber-security does not have, for users, the high-priority, privileged position it has for security engineers or
researchers. This means that an empirical investigation of
end-users' cyber-protection measures must take into account
the larger activity context in which it occurs.
It is important to observe that, unlike other situations
studied by social surveys, which can be modeled through
positive feedback relationships, the three constructs of online
activity, exposure to cyber-crime and security actions are
interdependent in a negative feedback loop. This has methodological implications, rendering causal modeling through
regression analysis impracticable if there are no time benchmarks to differentiate before and after, assisting in the
causal ordering of variables. Due to the superposition of positive and negative reciprocal causal relationships, analysts
would not be able to interpret regression coefficients in unidirectional causal terms.
Through empirical exploration of country-level diversity in
patterns of online activity, cyber-crime exposure, and security
measures, we find that countries with higher proportions of
daily Internet users seem to foster cultures of cyber-security;
ecological correlations between country level internet use
frequency and the incidence of security actions among daily
Internet users are high.
There is also a positive ecological correlation between
country-level frequency of Internet use and exposure to
cybercrime of daily Internet users. Still, this correlation is
weaker. Moreover, Romania and Hungary are clear outliers,
with much higher reported exposures to cyber-crime than
expected, while Greece seems to have a lower exposure than
expected.
A cluster classification of respondents, according to their
patterns of online activity, cyber-crime exposure, and security
measures, yields five empirical types: explorer, reactive,
prudent, lucky, and occasional users. Explorer and
Acknowledgments
This article has been supported by the research project
Sociological imagination and disciplinary orientation in
applied social research, with the financial support of ANCS/
UEFISCDI grant no. PN-II-RU-TE-2011-3-0143, contract 14/
28.10.2011. Parts of this work were carried out at the EUROLAB
at GESIS Leibniz Institute for the Social Sciences, May 2013.
We are grateful for the useful anonymous reviews.
Appendix
Table 2 – Dataset overview.

| Country | Internet penetration (de Argaez, 2013) | Weighted sample size | Internet access: % monthly or more | Internet access: % daily | Distribution on categories of age (Row %): 15–24 | 25–34 | 35–44 | 45–54 | 55–64 | 65+ | Distribution on categories of graduation age (Row %): 15 or less | 16–19 | 20+ | No full-time education | Still studying |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Austria | 79.8 | 456 | .70 | .47 | 14.5 | 15.2 | 18.3 | 18.8 | 13.3 | 19.9 | 25.8 | 51.9 | 14.4 | .0 | 7.9 |
| Belgium | 81.3 | 582 | .72 | .60 | 14.6 | 14.8 | 18.0 | 17.5 | 14.5 | 20.5 | 11.4 | 43.1 | 35.1 | .0 | 10.4 |
| Bulgaria | 51 | 425 | .51 | .36 | 14.3 | 15.7 | 17.7 | 16.1 | 15.9 | 20.3 | 12.9 | 55.7 | 22.5 | .2 | 8.7 |
| Cyprus Republic | 57.7 | 43 | .57 | .43 | 18.3 | 16.1 | 17.1 | 19.8 | 13.3 | 15.3 | 20.6 | 40.1 | 28.0 | .2 | 11.2 |
| Czech Republic | 73 | 586 | .68 | .47 | 14.6 | 17.3 | 18.3 | 15.5 | 16.4 | 17.7 | 4.0 | 70.5 | 16.5 | .0 | 9.0 |
| Denmark | 90 | 297 | .91 | .83 | 15.2 | 14.3 | 16.8 | 17.8 | 15.7 | 20.3 | 6.3 | 11.3 | 65.7 | 1.9 | 14.7 |
| Estonia | 78 | 62 | .74 | .62 | 18.5 | 18.6 | 14.7 | 16.1 | 12.9 | 19.2 | 5.7 | 48.9 | 34.2 | .0 | 11.2 |
| Finland | 89.4 | 289 | .80 | .69 | 14.8 | 14.3 | 15.1 | 17.8 | 17.6 | 20.4 | 11.8 | 26.5 | 49.6 | .0 | 12.1 |
| France | 79.6 | 3107 | .77 | .66 | 15.0 | 15.8 | 15.5 | 16.9 | 15.9 | 21.0 | 16.1 | 39.0 | 35.0 | .3 | 9.6 |
| Germany | 83 | 4185 | .72 | .53 | 12.7 | 12.8 | 14.2 | 20.8 | 14.5 | 25.1 | 17.9 | 49.2 | 22.3 | .0 | 10.7 |
| Greece | 53 | 566 | .54 | .38 | 16.8 | 16.8 | 18.4 | 15.3 | 13.0 | 19.6 | 27.4 | 36.1 | 23.6 | .5 | 12.4 |
| Hungary | 65.4 | 541 | .59 | .39 | 14.5 | 15.9 | 19.8 | 16.7 | 14.5 | 18.6 | 19.4 | 58.0 | 13.6 | .2 | 8.8 |
| Ireland | 76.8 | 229 | .76 | .61 | 16.3 | 19.6 | 20.5 | 16.7 | 12.7 | 14.2 | 13.4 | 48.1 | 27.8 | .0 | 10.6 |
| Italy | 58.4 | 3374 | .62 | .45 | 11.7 | 13.1 | 21.7 | 15.7 | 14.3 | 23.5 | 33.5 | 39.2 | 20.3 | .3 | 6.8 |
| Latvia | 71.7 | 94 | .74 | .60 | 21.0 | 18.9 | 19.4 | 16.7 | 12.5 | 11.6 | 6.3 | 52.8 | 26.6 | .1 | 14.3 |
| Lithuania | 65.1 | 184 | .63 | .50 | 18.0 | 16.5 | 16.3 | 17.8 | 12.5 | 18.9 | 8.1 | 46.0 | 32.6 | 1.0 | 12.2 |
| Luxembourg | 90.9 | 26 | .82 | .66 | 14.4 | 15.6 | 21.2 | 18.8 | 13.0 | 17.0 | 14.3 | 29.9 | 43.0 | .7 | 12.2 |
| Malta | 69 | 22 | .68 | .55 | 17.3 | 15.9 | 15.8 | 18.7 | 15.7 | 16.6 | 20.7 | 50.3 | 17.2 | .3 | 11.5 |
| Poland | 64.9 | 2109 | .61 | .43 | 16.6 | 20.2 | 13.5 | 18.2 | 15.6 | 16.0 | 11.5 | 47.7 | 29.9 | .5 | 10.5 |
| Portugal | 55.2 | 526 | .40 | .30 | 16.8 | 13.4 | 18.3 | 18.9 | 13.0 | 19.5 | 54.8 | 23.2 | 10.1 | 5.5 | 6.3 |
| Romania | 44.1 | 1187 | .51 | .35 | 17.6 | 18.9 | 18.7 | 14.5 | 12.6 | 17.6 | 13.6 | 51.7 | 27.1 | .0 | 7.6 |
| Slovakia | 79.1 | 296 | .68 | .44 | 18.2 | 14.9 | 22.7 | 16.5 | 13.5 | 14.2 | 5.8 | 65.0 | 18.2 | .0 | 11.1 |
| Slovenia | 72.1 | 114 | .68 | .53 | 13.5 | 18.0 | 17.1 | 17.3 | 14.8 | 19.2 | 15.0 | 47.4 | 24.8 | .5 | 12.2 |
| Spain | 67.2 | 2545 | .63 | .49 | 12.1 | 18.0 | 19.1 | 17.7 | 13.0 | 20.1 | 35.5 | 31.5 | 24.5 | 2.4 | 6.2 |
| Sweden | 92.7 | 507 | .92 | .83 | 12.7 | 9.9 | 23.2 | 15.6 | 16.0 | 22.5 | 6.0 | 21.2 | 59.3 | .0 | 13.6 |
| The Netherlands | 92.9 | 870 | .93 | .83 | 14.9 | 12.0 | 21.6 | 18.1 | 15.8 | 17.6 | 6.1 | 31.3 | 48.5 | .0 | 14.1 |
| United Kingdom | 83.6 | 3373 | .76 | .63 | 15.8 | 17.0 | 15.4 | 17.4 | 14.1 | 20.2 | 21.7 | 47.8 | 22.0 | .0 | 8.6 |
| Total EU27 | 72.8 | 26,593 | 68.6 | 53.1 | 14.4 | 15.6 | 17.3 | 17.5 | 14.5 | 20.7 | 20.5 | 43.0 | 26.7 | .5 | 9.3 |

Data sources: Internet penetration indicators: De Argaez (2013); other measures: Eurobarometer 77.2 / 2012, authors' analysis.
Table 3 – Country profiles of internet activity, cyber-crime experience and security measures. Blue figures indicate the top 5 values, while red figures indicate the bottom 5 values.
Table 4 – Multinomial logistic regression models for social stratification of total experience of cybercrime and password changes in the last 12 months. Significant Exp (B) coefficients indicating odds lower than .75 and higher than 1.5 are marked with bold characters.

| Independent variables: | | Sig. | Exp (B) | Sig. | Exp (B) | Sig. | Exp (B) | Sig. | Exp (B) | Sig. | Exp (B) | Sig. | Exp (B) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Count of situations: | | | | | | 3–5 situations | | | | | | 3–4 situations | |
| Gender | Masculine vs. feminine | .001 | 1.134 | .000 | 1.572 | .000 | 1.819 | .002 | 1.125 | .000 | 1.262 | .000 | 1.526 |
| Age | 15–24 | .001 | 1.351 | .000 | 1.929 | .000 | 3.807 | .000 | 1.713 | .000 | 2.854 | .000 | 4.118 |
| | 25–34 | .000 | 1.701 | .000 | 1.977 | .000 | 3.583 | .000 | 1.421 | .000 | 2.199 | .000 | 5.818 |
| | 35–44 | .000 | 1.340 | .000 | 1.664 | .000 | 2.659 | .014 | 1.208 | .000 | 1.823 | .000 | 3.746 |
| | 45–54 | .000 | 1.321 | .000 | 1.551 | .000 | 1.753 | .099 | 1.136 | .000 | 1.685 | .000 | 1.952 |
| | 55–64 | .016 | 1.212 | .006 | 1.364 | .104 | 1.299 | .534 | 1.053 | .069 | 1.243 | .002 | 1.679 |
| | 65 and more (Reference) | . | . | . | . | . | . | . | . | . | . | . | . |
| Type of residence community | Rural area or village | .000 | .791 | .000 | .792 | .001 | .786 | .000 | .777 | .000 | .732 | .000 | .621 |
| | Small or middle sized town | .027 | .906 | .000 | .812 | .010 | .843 | .615 | .977 | .000 | .788 | .124 | .907 |
| | Large town (Ref.) | . | . | . | . | . | . | . | . | . | . | . | . |
| Self-positioning on a 10-step social ladder: | Levels 1 (minimum) to 4 | .099 | .910 | .366 | 1.069 | .000 | .734 | .000 | .756 | .000 | .743 | .000 | .653 |
| | Levels 5–6 | .000 | .862 | .435 | .958 | .000 | .765 | .000 | .822 | .000 | .788 | .000 | .755 |
| | Levels 7–10 (Reference) | . | . | . | . | . | . | . | . | . | . | . | . |
| Difficulties paying bills in the previous year: | Most of the time | .157 | .907 | .765 | 1.027 | .000 | 1.650 | .224 | .915 | .082 | 1.158 | .987 | .998 |
| | From time to time | .000 | .778 | .174 | .926 | .663 | 1.029 | .956 | 1.003 | .331 | 1.056 | .043 | .875 |
| | Almost never/never (Reference) | | | | | | | | | | | | |
| Age at graduation: | 15 or less | .000 | .560 | .000 | .531 | .105 | .788 | .000 | .664 | .000 | .530 | .000 | .489 |
| | 16–19 | .000 | .733 | .001 | .727 | .252 | .887 | .038 | .848 | .000 | .621 | .001 | .705 |
| | 20 or more | .062 | 1.164 | .000 | 1.460 | .001 | 1.446 | .137 | 1.132 | .488 | 1.069 | .823 | 1.025 |
| | No full time education | .055 | .227 | .585 | .697 | .595 | 1.374 | .502 | .708 | .097 | .151 | .156 | .051 |
| | Still studying (Reference) | | | | | | | | | | | | |
| Pseudo R-Square | | | | | | | | | | | | | |
Table 5 – Cluster analysis results: user classification in security profiles. Method: K-means Cluster.

| Cluster label | Explorer | Reactive | Prudent | Lucky | Occasional |
|---|---|---|---|---|---|
| Cluster number | 1 | 2 | 3 | 4 | 5 |
| Cluster no. of cases (weighted) | 2163 | 1991 | 4576 | 4182 | 5075 |
| Cluster membership (valid % of Internet users) (Missing cases: 4.4% of Internet users) | 12.0% | 11.1% | 25.4% | 23.3% | 28.2% |
| Summary description of profile: Password hygiene/change | High password hygiene | High password change, low password diversity | Low password hygiene | Low password hygiene | Very low password hygiene |
| | High caution | Low caution | Very high caution | Low caution | Low caution |
| | Frequent use; High diversity | Average use; Average use diversity | Average use; Average use diversity | Frequent use; Average use diversity | Rare use; Low use diversity |
| | High cybercrime experience 2.78 | High cybercrime experience 2.41 | Low cybercrime experience .38 | Low cybercrime experience .36 | Very low cybercrime experience .16 |

.57
.10
.22
.08
.04
.52
.32
.61
.15
.19
.76
.22
.39
.11
.05
.80
.28
.90
.14
.18
.39
.88
.21
.41
.54
.91
.12
.31
.19
.23
Table 5 – (continued)
Cluster label
Cybercrimes can include many different types of criminal activity. How often have you experienced or been a victim of the following situations?
How often do you access the Internet (for example, for sending emails, reading online news, chatting with friends or buying products online)?
Which of the following activities do you do online?
Explorer
Reactive
Prudent
Lucky
Occasional
.13
.13
.05
.09
.07
.70
.44
.44
.38
.16
.20
.18
.11
.13
.08
.26
.21
.13
.17
.10
.21
.19
.13
.13
.08
.01
.04
.11
.84
.03
.10
.21
.65
.06
.15
.21
.59
.01
.02
.05
.92
.29
.30
.35
.05
Online banking
Buying goods or services (holidays, books, music etc.)
Selling goods or services
Playing games online
Email
Using online social networks
Reading news online
Less likely to buy goods online
Less likely to bank online
Less likely to give personal information on websites
.83
.89
.55
.57
.60
.68
.57
.59
.17
.19
.40
.42
.99
.74
.85
.13
.11
.66
.19
.31
.91
.69
.62
.22
.16
.26
.24
.27
.95
.43
.68
.19
.16
.66
.24
.33
.91
.72
.70
.15
.12
.17
.05
.16
.64
.28
.48
.19
.16
.19
Table 6 – Country distribution of Internet users across the five types of security orientations (Row %). The highest 5 values are marked with blue.
Table 7 – Social profile of the five security orientation types: multinomial logistic regression model.
Explorer model 3
Sig.
Exp(B)
.000
Gender
Age
Reactive model 4
Sig.
Exp(B)
.000
Prudent model 5
Sig.
Exp(B)
.007
Lucky model 6
Sig.
Exp(B)
.002
.000
.000
.000
.000
.000
.001
.
.000
.002
1.642
3.229
4.638
2.817
1.893
1.616
.
.622
.814
.000
.000
.000
.000
.000
.018
.
.000
.018
1.310
6.183
4.524
2.567
1.862
1.438
.
.681
.851
.100
.506
.089
.563
.697
.120
.
.410
.365
1.073
1.071
1.152
.955
.970
1.137
.
1.048
1.051
.000
.000
.000
.000
.000
.000
.
.000
.004
1.303
4.938
3.980
2.087
1.603
1.476
.
.688
.854
.
.000
.000
.
.021
.000
.
.000
.000
.978
.044
.
.
.691
.654
.
.789
.678
.
.212
.398
1.003
.015
.
.
.000
.000
.
.406
.000
.
.000
.000
.118
.029
.
.
.649
.736
.
1.086
.782
.
.460
.642
1.205
.082
.
.
.299
.002
.
.000
.000
.
.000
.000
.047
.005
.
.
.933
.853
.
.696
.550
.
.377
.665
1.244
.067
.
.
.000
.000
.
.169
.000
.
.000
.000
.046
.007
.
.
.688
.707
.
.894
.720
.
.409
.671
1.225
.232
.
Pseudo R-square
Cox and Snell
Nagelkerke
McFadden
.129
.135
.045
References
Adams A, Sasse MA. Users are not the enemy. Commun ACM 1999;42(12):40–6.
Albrechtsen E, Hovden J. The information security digital divide between information security managers and users. Comput Secur 2009;28(6):476–90.
Besnard D, Arief B. Computer security impaired by legitimate users. Comput Secur 2004;23(3):253–64. http://dx.doi.org/10.1016/j.cose.2003.09.002.
Böhme R, Moore T. How do consumers react to cybercrime?. In: 2012 eCrime researchers summit. IEEE; 2012a. pp. 1–12.
Böhme R, Moore T. Challenges in empirical security research; 2012 [Retrieved March 01, 2013, from] http://lyle.smu.edu/wtylerm/courses/econsec/f12/reading/lnse-survey.pdf.
Child Exploitation and Online Protection (CEOP) Centre. (n.d.). Think U Know? Retrieved November 01, 2013, from http://www.thinkuknow.co.uk/.
Christin N, Egelman S, Vidas T, Grossklags J. It's all about the Benjamins: an empirical study on incentivizing users to ignore security advice. In: Danezis G, editor. Financial cryptography and data security SE – 2, vol. 7035. Berlin, Heidelberg: Springer; 2012. pp. 16–30.
De Argaez E. Internet Usage in Europe. Internet World Stats; 2013. Retrieved November 01, 2013, from http://www.internetworldstats.com/stats4.htm.
Eames T. Mind reader shocks strangers in internet security campaign. Digit Spy; 2012. Retrieved November 01, 2013, from http://www.digitalspy.co.uk/fun/news/a408811/mindreader-shocks-strangers-in-internet-security-campaignvideo.html.
European Commission. Eurobarometer 77.2 March 2012 Dataset. Brussels, Cologne: TNS OPINION & SOCIAL (Producer), Brussels and GESIS Data Archive, Cologne; 2012. http://dx.doi.org/10.4232/1.11482.
European Commission. Eurobarometer 77.2 Basic Bilingual Questionnaire. Brussels, Cologne: TNS OPINION & SOCIAL (Producer), Brussels and GESIS Data Archive, Cologne; 2012.
Furnell SM, Bryant P, Phippen AD. Assessing the security perceptions of personal Internet users. Comput Secur 2007;26(5):410–7.
Furnell SM, Jusoh A, Katsabas D. The challenges of understanding and using security: a survey of end-users. Comput Secur 2006;25(1):27–35.
Herley C. So long, and no thanks for the externalities. In: Proceedings of the 2009 workshop on new security paradigms workshop – NSPW '09. New York, New York, USA: ACM Press; 2009. p. 133.