
Computers & Security 43 (2014) 111-125

Available online at www.sciencedirect.com

ScienceDirect
journal homepage: www.elsevier.com/locate/cose

Nothing ventured, nothing gained. Profiles of online activity, cyber-crime exposure, and security measures of end-users in European Union

Cosima Rughinis a,*, Razvan Rughinis b

a University of Bucharest, Schitu Magureanu 9, Bucharest 010181, Romania
b University Politehnica of Bucharest, Splaiul Independentei 313, Office EF303, Bucharest 060042, Romania

Article info

Article history:
Received 14 September 2013
Received in revised form 5 March 2014
Accepted 20 March 2014

Keywords: Cyber-security; Cyber-crime; End-users; European Union; Eurobarometer survey; Cluster analysis

Abstract

We use large-scale survey data from the Eurobarometer 77.2/2012 to explore variability in online activity, cyber-crime exposure, and security measures of end-users in European Union (EU27). While cyber-security is a high-priority activity for security experts and researchers, end-users conduct it in the context of their daily lives, as a socially accountable and resource-limited activity. We argue that end-users' security behaviors should be analyzed in relation to their experiences of online victimization, in the context of their routine activities. An ecological analysis at country level indicates that societies with widespread Internet use support cultures of higher cyber-security. They also expose daily Internet users to higher cyber-crime risks, but this positive correlation is weaker, with Romania and Hungary as two notable exceptions of high average exposure with low overall Internet use. Given the negative feedback loops between security responses, exposure to cyber-crime, and online activity, we find that, at individual level, linear causal modeling on survey data is impractical, and we propose classification analysis as a better tool for capturing variability. We use K-means cluster analysis to identify five types of end-users' orientation towards security in the context of their activity: explorer, reactive, prudent, lucky, and occasional users, and we discuss their profiles of online activities and experiences. Prudent users are relatively neglected in public campaigns for Internet security. Classification analysis is a productive tool for understanding end-users' security orientations through survey data and for informing public interventions.

© 2014 Elsevier Ltd. All rights reserved.

Introduction
End-users are primary characters of the scientific literature on cyber-security of recent years. Many pieces of research attempt to measure, illustrate, or explain their low compliance with security rules. There are three main portrayals of end-users, accounting for this apparently irrational behavior. There are the cognitively lazy users, operating within a bounded rationality, under heuristics that overvalue present comfort at the expense of protection against future risks. There are also the economically rational users, balancing their own costs
* Corresponding author. Tel.: 40 213112168, 40 722953341 (mobile); fax: 40 213158391.
E-mail addresses: cosima.rughinis@gmail.com, cosima.rughinis@sas.unibuc.ro (C. Rughinis), razvan.rughinis@cs.pub.ro (R. Rughinis).
http://dx.doi.org/10.1016/j.cose.2014.03.008
0167-4048/ 2014 Elsevier Ltd. All rights reserved.


and benefits of security advice and deciding on what appears to security experts as a low level of compliance. Last but not least, there are the social users - also the prototypical victims of social engineering - that are attuned to the social organization of their activity, in which security requirements are just one small part of a wide landscape of social norms of trust and coordination that orient action.
We start from this classification of users' models in security scientific literature and we highlight shared assumptions that can orient research. We then examine the empirical diversity of user profiles in the European Union (EU 27, without including Croatia that became a member in 2013), using the Eurobarometer 77.2/2012 cross-sectional dataset (European Commission, 2012a). The article is structured as follows: the next section discusses theoretical implications of current research on end-users' security practices, focusing on the interdependence between risk awareness and response, experiences of personal loss due to cyber-crime, and users' activity. We then formulate research questions and we discuss the methodology of survey-based research and our specific choice of methods. We present research results, comparing linear causal modeling of behavior with classification analysis. We then conclude the paper, discuss its strengths and limitations, and we propose fruitful avenues for further survey research.

Theoretical perspectives: models of end-users in security research
Users may be analyzed through various theoretical perspectives. We discuss below three models that orient investigations by directing attention to different aspects deemed relevant for users' actions: the lazy user, the economically rational user, and the social user. These models are ideal types useful for analytical purposes, rather than empirical categories; a person's behavior may be interpreted in relation to each theoretical perspective. Authors usually privilege one model over the others, but also include considerations from elsewhere. All three models accommodate risk-averse and risk-seeking behaviors, but propose different constraints on users' activity: avoidance of cognitive overloading, preference for economic optimization, and pursuit of social integration, respectively.
A core issue for describing end-users' security behaviors refers to risk awareness (see a succinct comparison in Table 1). From the perspective of the lazy user, awareness is mainly a function of users' understanding of online technologies and risks and, reciprocally, the accessibility of security solutions (Adams and Sasse, 1999; Albrechtsen and Hovden, 2009; Besnard and Arief, 2004; Furnell et al., 2007; Furnell et al., 2006). Lazy end-users are usually portrayed as technically naïve. At the same time, users are vulnerable because they must allocate scarce cognitive resources to multiple, competing tasks. Attending to security issues enters in conflict with attending to other tasks that are also cognitively demanding, and users need to balance multiple goals: humans obey least-effort rules because they are cognitive machines that attempt to cheaply reach flexible objectives rather than to act perfectly towards fixed targets (Besnard and Arief, 2004).
From the perspective of the economically rational user (Christin et al., 2012; Herley, 2009), awareness is primarily a function of experienced personal loss due to cybercrime, as well as of general information of losses experienced by similar others. Loss is dependent on activity: different types of online activities may incur different types of losses; also, the frequency of online exposure increases the frequency of actual losses that materialize the risk. An important observation here is that losses are distributed among different participants to a cybercrime setting, through various social arrangements. For example, in the case of hacked banking accounts, losses are distributed between the bank and the end users - and, consequently, end users are often protected from cybercrime risks by arrangements that transfer financial losses to corporate actors. Losses may also be hidden, appearing more like a minor inconvenience. Moreover, security measures have non-negligible costs (Herley, 2009; Inglesant and Sasse, 2010). Users are portrayed as economically rational actors who estimate risks and protection costs based on their own experiences and those of relevant others, and adjust their protective behavior to efficiently pursue their activity, as they understand it.
From the perspective of the social user (Weirich and Sasse, 2001), awareness is created through personal experiences, of self and others, that are socially interpreted through shared folk models (Wash, 2010). Moreover, users do not behave according to formal rules and procedures, but their actions are highly contextual - which is both good and bad news for designers of security systems, since rules are broken, but, at the same time, context often provides valuable information (Odlyzko, 2003). Social actors are accountable for their actions of taking security measures or not, in a given context, and in a given situation of interaction. Appearing untrustworthy, paranoid, or geekish are identity damages that actors seek to avoid by behaviors that display trust and social competence, from an interactional perspective, and that are, at the same time, security liabilities. Considerations of the social organization of loss are also important in this perspective, as well as considerations concerning the social organization of responsibility: users may not always be held responsible for security failures, which could be attributed to the organization as a whole, to the equipment itself, to the attackers' special proficiency, to a stochastic phenomenon (failures are bound to happen now and then), or to the security department. Losses and risks only appear as relevant for the actor through social activity, in which events happen, are interpreted, and blame and merit are assigned. Users are portrayed as trustful social actors and skilled managers of self-presentation.

Table 1 - Three theoretical models of end-users as security actors.

| | Cognitively lazy users | Economically rational users | Social users |
|---|---|---|---|
| Portrayal focus | Technical naïveté, due to multiple objectives | Economic rationality in the context of one's own activity | Self-presentation concerns; trustful actors, in pursuit of concerted activities |
| Users' risk awareness | Awareness is dim, risks are underestimated | Awareness is adequate, reflecting estimated personal risks | Relevant risks are socially defined, through communication that gives meaning to personal experiences |
| Rationality | Bounded, based on heuristics | Economical, based on cost-benefit analysis | Rationality appears as a byproduct of activities of justification (accounting), using socially constructed vocabularies |
| Main springs of action | Satisficing on goals; minimizing effort | Optimizing the pursuit of preferences | Achieving legitimate goals and maintaining desired identities in the local social order |
| Reasons for low compliance | Low understanding of risks and low technical expertise | Average end-user losses from cybercrime are perceived to be low; security costs are high; future costs and benefits are discounted | Security practices are obstacles for smooth social organization and are associated with de-valued identities |
For our subsequent analysis we derive insights from all three models. Each of these perspectives has elements that draw our attention to the fact that awareness of cyber-crime and resulting security actions are dependent on users' concrete experiences of loss, are socially organized, and are bound to users' broader activities. Users attend to risks and take security measures as regular rather than exceptional actions, conducted in competition and in concert with other activities. Security measures are not justifiable per se - although it may seem so to security engineers and researchers. Users need to be able to account for these actions, in their social groups, as reasonable responses to recognized risks, and as competent decisions of their own, rather than as mechanically obeying external directives or acting out of fear. Therefore, it is to be expected that users differ in their security behaviors systematically, depending on the social organization of their activity, especially on the frequency and intensity of exposure to personal loss, both direct and indirect, on available justifications for their security behavior to significant others, and on the resources of technical expertise which they can access to devise an economical solution.
Large survey datasets are valuable resources to explore systematic variability in individual behavior. We have started from this research goal, using the Eurobarometer 77.2/2012 to seek patterns in individuals' experiences of cyber-crime and measures of protection. This dataset has not been analyzed in the scientific literature to date, to our knowledge, with the notable exception of Böhme and Moore (2012), which we discuss below. We take this opportunity to discuss critically some options in the design and analysis of survey datasets concerning security behavior, and to propose improvements for large scale population research.
Eurobarometer surveys are particularly valuable in order to
explore variability in behavior between social categories and
between countries. Moreover, variables included in the questionnaire usually allow for additional causal and classificatory
analyses that search for topic-specific variability. Therefore,
we aim to address the following research questions:


- Given the low technological dependence of Internet navigation from national or other social distinctions, are there socio-demographic and country-based differences in users' experiences of cyber-crime and security responses?
- What other patterns of variability can we identify in users' experiences of cyber-crime, online activity, and security measures?

Surveying cyber-security: methodological issues


Exploring co-variability between socio-demographic and
country variables and other behaviors of interest is the strong
point of large, cross-national surveys such as the Eurobarometer. This type of analysis is relatively straightforward
and usually generates interesting findings with low interpretation challenges.
Eurobarometer data, as well as survey data generally, is also used for causal modeling, in search of relevant predictors for a given outcome. Since survey data is often cross-sectional, being collected at a single time point for each individual, causal modeling is approximated through correlational analysis, lacking a before-after structure. The dependent and independent variables are established as effect and cause through researchers' decision, on theoretical considerations; regression models provide then estimates of association, which are interpreted as estimates of influence. This approximation of influence through association, therefore, works when:
- There is a theoretically reasonable way to establish causal
priority between various types of variables such as experiences, beliefs, knowledge, attitudes, behaviors, and so on;
- There are clues to temporal precedence, helping the analyst to cast variables as cause or effect. Some variables, such as gender, age, school education, and other sociodemographics, are considered inherently anterior to any contemporary measure of effect, and thus are easily posited as causes. For other variables a theoretically justified temporal ordering is more difficult to accomplish.
The difficulty arises because, in many situations, it is
reasonable to anticipate reciprocal influences between experiences, beliefs, knowledge, and behaviors. In such a case of
interdependency, causal analysis is still possible if there are
mutually reinforcing relationships - that is, a pattern of positive
feedback, such that a certain experience leads to a certain type
of knowledge and belief structure that leads to actions that
reproduce those experiences, and so forth. For example, church
attendance supports religious belief, personal experiences of
religious intervention and relationship, and religiously-based
charity, while these, in turn, support church attendance; this
makes it easy to model each of them as a function of the others
(see, for example, a typical model in Hoge and Yang, 1994).
Reciprocally, causal analysis on cross-sectional data is
difficult, if not outright impossible, when there is a pattern of
negative feedback: a specific experience generates knowledge,
intent, and action to prevent that experience. This is the case
for experiences of cyber-crime and security behavior: experiences induce protective behavior that, in turn, contributes to
decrease risk experiences, which, in turn, contribute to

decrease protective behavior, and so on. In Fig. 1 we have sketched a model of mutual influences between several variables describing security experiences and behavior, adapted to the Eurobarometer 77.2 indicators.
In Fig. 1 we have used round forms to indicate Eurobarometer constructs that are relatively subjective, such as knowledge, awareness, and concerns, and square forms that indicate constructs which are rather behavioral, such as type and frequency of online activity, experiences of cyber-crime, survey answers, and security measures taken by individuals. We have also used dashed lines to indicate expected negative influences, and continuous lines to indicate expected positive influences. For example: increased online activity, in domains where money is at stake (online banking or commerce) gives rise to increased cyber-crime experience, on average, since increased exposure leads to a higher chance that risks would materialize. Experiences of victimization increase awareness and knowledge of cyber-crime, which, in turn, increase users' security concerns and security measures. Finally, closing the feedback loop, enhanced security measures decrease cybercrime experiences. Security measures can also directly decrease online activity, if protection relies on constraints (only using one's own computer, avoiding unknown sites, etc.), thus indirectly decreasing experiences of loss. As a side connection, awareness of cyber-crime is also an influence on reported experiences and security measures in surveys (Böhme and Moore, 2012b): respondents may interpret different events in their online life as security breaches or not, and they may not even notice them, if they are not familiar with a specific vocabulary that labels and explains such events.
The direct methodological implication of such a negative
feedback loop situation is that causal modeling becomes
impossible, if time marks are not present. For example, if we
statistically regress cyber-crime experiences on security
measures, what sort of coefficient can we expect? Security at
time 1 is a reaction to cyber-crime experience at time 0, which
indicates a positive association; at the same time, security at
time 1 decreases experience at time 2, which indicates a
negative association. If measures do not take time succession
into account, regression coefficients superpose the positive
and negative associations, and statistical estimates confound
the two distinctive, reciprocal influences.
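The time 0 / time 1 / time 2 thought experiment above can be carried through numerically. The following is an added illustration, not part of the original article and not Eurobarometer data: it assumes a constructed linear model with standardized variables, and the names `reaction` and `protection` are hypothetical parameters for the two opposing influences.

```python
import random


def ols_slope(x, y):
    """Least-squares slope b in y = a + b*x."""
    n = len(x)
    mean_x, mean_y = sum(x) / n, sum(y) / n
    sxy = sum((xi - mean_x) * (yi - mean_y) for xi, yi in zip(x, y))
    sxx = sum((xi - mean_x) ** 2 for xi in x)
    return sxy / sxx


def simulate_panel(reaction, protection, n=20000, seed=1):
    """Constructed respondents; every variable is a standardized deviation.

    crime_t0    : cyber-crime experience at time 0 (driven by exposure)
    security_t1 : security measures at time 1, a reaction to crime_t0
    crime_t2    : cyber-crime experience at time 2, reduced by security_t1
    """
    rng = random.Random(seed)
    crime_t0, security_t1, crime_t2 = [], [], []
    for _ in range(n):
        c0 = rng.gauss(0, 1)
        s1 = reaction * c0 + rng.gauss(0, 1)       # positive influence
        c2 = -protection * s1 + rng.gauss(0, 1)    # negative influence
        crime_t0.append(c0)
        security_t1.append(s1)
        crime_t2.append(c2)
    return crime_t0, security_t1, crime_t2


def expected_cross_sectional_slope(reaction, protection):
    """Population slope of (crime_t0 + crime_t2) regressed on security_t1.

    Cov = reaction * Var(crime_t0) - protection * Var(security_t1),
    with Var(crime_t0) = 1 and Var(security_t1) = reaction**2 + 1.
    """
    return reaction / (reaction ** 2 + 1) - protection


def compare_designs(reaction, protection, n=20000, seed=1):
    """Slopes recovered with time marks versus one pooled survey measure."""
    c0, s1, c2 = simulate_panel(reaction, protection, n, seed)
    # A survey without time marks records experience at t0 and t2 together.
    crime_pooled = [a + b for a, b in zip(c0, c2)]
    return {
        "reaction": ols_slope(c0, s1),        # security on earlier crime
        "protection": ols_slope(s1, c2),      # later crime on security
        "cross_sectional": ols_slope(s1, crime_pooled),
    }


if __name__ == "__main__":
    # Same reaction strength, weak versus strong protection.
    for protection in (0.2, 0.8):
        print(protection, compare_designs(0.8, protection))
```

With time marks both influences are recovered with their own sign; the pooled coefficient is their superposition and changes sign with the relative strength of protection, although both causal mechanisms are present in every run.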
This is precisely the problem which confronts Böhme and Moore (2012a), who attempt to verify causal hypotheses concerning the influence of cybercrime experiences on online activity, and the influence of security concerns on online activity, among others. Such research questions constrain the analyst to find those models in which experiences of crime have negative associations with the dependent measures of online activity, since it is not theoretically reasonable to conceive of experiences of cybercrime as encouraging online activity. In empirical models, based on Eurobarometer data, such unexpected positive associations can still be found, because of the reversed causal influences: increased activity influences positively exposure to risk, and thus experiences of crime. Various models generate either positive or negative coefficients for these relationships, depending on the relative strength of the two reciprocal, inverse relationships. Therefore, independently of the resulting sign, we argue that these coefficients cannot be interpreted causally, because they are the result of a feedback loop combining reciprocal causal relationships that cannot be disentangled.
A similar problem occurs if one attempts to compare
causally related predictors, omitting causal relationships between them. Böhme and Moore (2012a) argue, for example, that
concern and experience with cybercrime both reduce online
participation, but more so for those expressing concern, and
conclude that since experiencing cybercrime is relatively rare,
this calls into question the value of raising awareness to
cybercrime. If the association between experience of crime
and online activity appears to be lower than the association
between concern and online activity, when both are included
in a single equation, this is at least partially because the influence of crime experiences is mediated by concern. The
comparison actually involves the full influence of concern and
the residual influence of crime experiences. Therefore, a path
model would be more adequate than a single regression
equation to estimate the relative influence of crime experiences and of concern due to other influences, such as exposure
to mass media accounts.
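The difference between the single equation and a path model can be shown on constructed data. This is an added example, not the authors' analysis: the path strengths `a` (experience to concern), `b` (concern to activity), `d` (direct experience to activity) and `media` are hypothetical, and influences are assumed to run in one direction only, setting aside the feedback loop discussed earlier.

```python
import random


def cov(u, v):
    """Sample covariance (population form) of two equal-length lists."""
    n = len(u)
    mean_u, mean_v = sum(u) / n, sum(v) / n
    return sum((x - mean_u) * (y - mean_v) for x, y in zip(u, v)) / n


def simulate_respondents(a, b, d, media=0.7, n=20000, seed=7):
    """Constructed respondents with standardized variables.

    concern  = a * experience + media * media_exposure + noise
    activity = -d * experience - b * concern + noise
    """
    rng = random.Random(seed)
    experience, concern, activity = [], [], []
    for _ in range(n):
        e = rng.gauss(0, 1)
        c = a * e + media * rng.gauss(0, 1) + rng.gauss(0, 1)
        act = -d * e - b * c + rng.gauss(0, 1)
        experience.append(e)
        concern.append(c)
        activity.append(act)
    return experience, concern, activity


def single_equation(experience, concern, activity):
    """OLS of activity on experience and concern entered together."""
    see, scc = cov(experience, experience), cov(concern, concern)
    sec = cov(experience, concern)
    sea, sca = cov(experience, activity), cov(concern, activity)
    det = see * scc - sec ** 2
    return {
        "experience": (scc * sea - sec * sca) / det,  # residual (direct) part only
        "concern": (see * sca - sec * sea) / det,     # full influence of concern
    }


def path_model(experience, concern, activity):
    """Decompose the influence of experience into direct and mediated parts."""
    joint = single_equation(experience, concern, activity)
    a_path = cov(experience, concern) / cov(experience, experience)
    indirect = a_path * joint["concern"]   # experience -> concern -> activity
    direct = joint["experience"]
    return {"direct": direct, "indirect": indirect, "total": direct + indirect}


if __name__ == "__main__":
    data = simulate_respondents(a=0.6, b=0.5, d=0.1)
    print("single equation:", single_equation(*data))
    print("path model:     ", path_model(*data))
```

In the single equation, experience appears about five times weaker than concern, while its total influence in the path model, most of which passes through concern, is of comparable size.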
Overall, causal modeling based on survey data is confronted
with difficulties in disambiguating causal influences. Difficulties of causal specification are insurmountable in situations
of mutual influence in negative feedback loops. This is why we
chose, in this work, to use a classification analysis that groups
respondents in clusters of similar patterns of online activity,
experience of cyber-crime, and protection measures. Classifying users has the advantage of identifying relevant variability
in the data, while acknowledging mutual influences that
cannot be empirically disambiguated through statistical analysis. We also conduct regression analysis in order to compare
the predictive power of socio-demographic distinctions for
security-related behaviors and experiences, on the one hand,
and for individual membership in the analytically defined
clusters, on the other hand. Last but not least, we carry out a descriptive exploration of country-level variability in experiences of cyber-crime and security measures of end-users.

Data and methods

Fig. 1 - A model of feedback loops in security experiences and behavior.

We conduct a secondary analysis of the Eurobarometer 77.2/2012 dataset at EU27 level; individual cases are weighted to render a representative sample for the population of the 27 member states of 2012. Country sample sizes range between 1000 and 1075, with the following exceptions: Republic of Cyprus (503), Luxembourg (506), Malta (499), United Kingdom (1305), Germany (1532). Table 2 presents weighted sample sizes, measures of internet penetration and access, and country-level distributions on categories of age and categories of age at graduation (the only available measure of educational achievement).
The Bravais-Pearson correlation between country-level external measures of Internet penetration (De Argaez, 2013) and survey-based measures of Internet access (% who access the Internet monthly or more) (Table 2) is 0.92, thus supporting criterion-related validity of dataset estimates.
We are limited, in the choice of variables, to those present
in the dataset. In the questionnaire (European Commission,
2012b) we have found:
- Indicators of Internet activity, both concerning type and
frequency;
- Indicators of experiences of cyber-crime, of security-oriented actions, as well as subjective variables: security concerns and awareness of cybercrime from mass-media exposure.
An overview of country-level distribution for Internet activity, cyber-crime experience and security measures for daily
net users is presented in Table 3.
Measurement of knowledge of cyber-security is notably
absent. Also, although there are indicators of cyber-crime
experience, there are no estimates of personal loss resulting
from these events, in terms of money, time, reputation, or
other resources.

Results and discussion


We present research results starting from country level variability, then going to socio-demographic stratification, and
then to the identification of specific patterns through statistical construction of profiles.

Country-level variability
Our first level of exploration concerns the descriptive analysis of
country variability in individual experiences of cyber-crime and
security behavior, in relation with Internet use.
Internet use is measured as the proportion of respondents
who declare that they use the Internet once a day or several
times a day. Experiences of cybercrime are measured, for each
individual, as the count of situations where he or she has
encountered this phenomenon, among:
- Identity theft (somebody stealing your personal data and
impersonating you, e.g. shopping under your name);
- Received emails fraudulently asking for money or personal details (including banking or payment information);
- Online fraud where goods purchased were not delivered,
counterfeit or not as advertised;
- Accidentally encountering material which promotes racial
hatred or religious extremism;


- Not being able to access online services (e.g. banking services) because of cyber attacks.
Security behavior is measured, for each individual, through
antivirus use and password hygiene. Password hygiene includes two indicators: the use of multiple passwords for
multiple sites, and the count of situations where the user has
changed her password in the last 12 years, among:
- Web-based e-mail;
- Online social networks;
- Shopping website (e.g. travel agents);
- Online banking websites.

Table 5 includes more details on the precise formulations of these items in the questionnaire (European Commission, 2012b).
We correlate country-level proportions of daily Internet
users with indicators of security behavior and cyber-crime
exposure (Table 3), to identify, at ecological level, if higher
Internet use contributes to the creation of social environments
and cultures relevant for individual security experiences.
Since people who use Internet rarely or not at all are less
likely to encounter cyber-crime and to take security measures,
the estimated correlation between the proportion of daily users
and the incidence of cyber-crime and password change in the
total population would be an artificially inflated measure of
country-level online environments and security cultures,
respectively. Therefore, we have computed cybercrime exposure and incidence of security measures only for the segment of
daily Internet users, for each country, thus controlling covariability induced through similar frequency of online activity.
Fig. 2 displays the positive association, at ecological level,
between the proportion of daily Internet users, on X axis, and
password change rates among daily users, on Y axis (the
Pearson correlation coefficient is 0.64). Bubble size indicates the
average count of situations of password change in the last 12
months for daily users, which is also positively correlated with
proportions of daily use, at ecological level (Pearson correlation
is 0.74). It appears that countries where online activities are
pervasive also encourage password hygiene among netizens. In
Fig. 3 we observe a similar relationship between Internet activity and antivirus use (Pearson correlation is 0.71).
We observe a positive but weaker relationship at ecological
level between country level of Internet use and average
experience of cybercrime among daily Internet users (see
Fig. 4; Pearson correlation coefficient is 0.32 for all data, and
0.55 if Romania and Hungary are excluded). There are two
interesting particularities. On the one hand, Romania and
Hungary are visibly outliers, with far higher levels of reported
cybercrime experience than their expected position, given
their low proportion of daily Internet users. Actually, Romania
has the highest reported experience of cybercrime among the
EU 27 countries, and is the second-lowest in reported Internet
use, after Portugal. Greece also seems to have an outlying
position, with lower than expected reported cybercrime rates.
Still, even if we exclude Romania, Hungary, and Greece as
outliers, the association between experienced cybercrime and
country patterns of use is weaker than the associations concerning security measures (Pearson correlation is 0.50).

Fig. 2 - Scatterplot of country-level average Internet use (X-axis) and proportion of daily users that use different passwords for different sites (Y-axis), with bubble width indicating average count of situations of password change in the last 12 months. Ecological level Pearson correlations: daily use and total password change: R = 0.64; daily use and different passwords: R = 0.74. Data source: Eurobarometer 77.2 / 2012, authors' analysis.

Ecological level associations suggest, therefore, that societies of intense online activity develop cultures that support security-oriented behavior. Individual experiences of cybercrime for daily internet users are, as a rule, also enhanced in countries with intense online activity, but the relationship is not strong, and Romania and Hungary are notable exceptions. This correlation reflects the fact that risks materialize with increased exposure: it is likely that netizens in countries of widespread online activity also engage in more intense and more diverse use than daily Internet users in countries of less Internet popularity. There is also an effect of awareness: country-level Internet penetration influences public debates on cyber-crime that could raise users' awareness and diagnosis of security incidents, thus indirectly raising their survey reports.

Fig. 3 - Scatterplot of country-level average Internet use and antivirus use for daily Internet users. Ecological level Pearson correlation: 0.71. Data source: Eurobarometer 77.2 / 2012, authors' analysis.

Social stratification of risks and protection

Table 4 presents a multinomial logistic regression model for two dependent variables: total experience of cybercrime (measured as a count of situations in which the respondent has experienced online victimization), and measures of password changing (measured as a count of situations in which the respondent has changed his or her password, in the last 12 months).
As it can be seen in Fig. 5 below, the two variables are not
normally distributed. We have recoded them into ordinal
variables with 4 categories: 0 (no encountered situation at all),
1 situation, 2 situations, 3 or more situations. The reference
category for both models is 0 (no experience of cybercrime, no
password changing in the last 12 months).
We estimate multinomial logistic regression models in
Model 1 (Nagelkerke Pseudo R-Square 0.06) and Model 2
(Nagelkerke Pseudo R-Square 0.07), using only sociodemographic predictors. Exp(B) coefficients indicate how
much the odds of having a specific value (a number of situations) for the dependent variable increase or decrease against
the probability of having a count of situations of 0 (0 is the
reference category), as a function of the independent
predictors.
While there are several statistically significant coefficients,
reflecting the large sample size, the overall predictive power of
the models is low. The largest effect sizes can be found for age:
when compared with people aged 65 and more, the odds of young persons aged 15-34 to have been in 3-5 cases of net victimizations rather than none are almost 2; their odds of having changed the password in 3-4 situations rather than none are more than 4. Educational achievement, as measured
by age at graduation, is also a relatively strong predictor.

Fig. 4 - Country level scatterplot of average Internet use and experience of cybercrime. Ecological level Pearson correlation: 0.32 for all data points, and 0.50 without Romania, Hungary, and Greece. Data source: Eurobarometer 77.2 / 2012, authors' analysis.

Fig. 5 - Distribution of total experience of cybercrime and measures of password change in the EU27 population of Internet users. Data source: Eurobarometer 77.2 / 2012, authors' analysis.

We can conclude that there is a relatively low social stratification of exposure to cybercrime and of password hygiene,
when analyzed independently; much of this stratification can
be observed along the lines of age and education categories.

User profiles
Starting from the theoretical understanding and previous
empirical observations that security behaviors, experiences of
cyber-crime, and Internet use are closely related in patterns of
activity, we decided to explore variability of these patterns
through cluster analysis. We used K-Means Cluster to classify
respondents according to behavioral indicators. We have
explored models with 3, 4, and 5 clusters, and we have decided
that the 5-type classification offers the best interpretability
and level of detail, while still comprising sufficiently large
categories of users to be relevant.
We have labeled the five categories so as to capture a key
feature of online orientation: explorer, reactive, prudent,
lucky, and occasional users. A description of the clusters,
including summary evaluations and the numerical estimates,
is presented in Table 5.
Explorer and occasional users represent the ends of a
continuum of activity-exposure-protection: the first have high
levels for all three, while the latter have low levels. The other
three categories represent intermediate types, mostly differentiated by security patterns.
Lucky users represent an interesting empirical category:
they have high frequency of use, with average diversity of
online activities, displaying simultaneously low cyber-crime
experiences and low protection strategies. In other words
they seem to be, well, lucky. Cross-sectional survey data
cannot inform us on the stability of such a situation; it may
well be that they would end up experiencing some situation of
cyber-victimization and then make use of protection strategies, possibly becoming prudent or reactive.
We have differentiated the prudent from the reactive
types according to their observable security orientations. The
prudent mostly choose cautionary measures that also
restrain online activity – such as visiting only trusted websites, and using only their computer. The reactive users
display slightly higher frequency and diversity of online activity, and also slightly higher experiences of cyber-crime;
still, they do not engage in restrictive protection, making
more use of password change as a security measure. Like
explorers, who score a maximum on all types of security
measures, reactive users change passwords frequently,
probably as a reaction to, or prevention against intrusions;
unlike explorers, they attend less to other security advice,
such as using different passwords or using antivirus software.
It is also interesting to examine the variability, between
clusters, of reported decreases in online activity. Respondents
have answered whether "concern about security issues made
you change the way you use the Internet" through decreasing
Internet banking, online purchases, and communication of
personal information on the Internet. This question uses respondents' subjective assessments to tap into the causal influence of online victimization on Internet activity. We can see
that relatively low proportions of users have reported decreasing their Internet banking or online purchases,
in all five clusters. This provides some evidence that
users tend to maintain their online activities, even when faced
with insecurity, reacting with increased caution rather than
displacing online with offline activities. There is substantial
variability in the communication of personal information: explorer and prudent users report substantially more caution.
Fig. 6 illustrates the specific contours of activity, experiences and security measures for the five clusters. For example,
explorer and prudent users are similar through their intense
activity, but differ in their reaction to cybercrime: the first
intensify password hygiene, while the latter withdraw from
online transactions.
The proportion of each orientation at country level is
described in Table 6. We observe considerable country-level
diversity. For example, explorers make up 2% of the Romanian
population of Internet users, and 26% of the Finnish population.
Lucky users are most frequently found in Latvia, Italy and
Malta – while, interestingly, Latvia and Malta also have top
values for reactive users. Occasional users, protected from
cybercrime by inactivity, are most frequent in Bulgaria,
Romania, Hungary and Greece.
Table 7 explores the socio-demographic variability of user
profiles, through a multinomial logistic regression model.
Exp(B) coefficients indicate how much the odds of belonging in
a specific profile (the dependent variable) increase against the
probability of belonging to the occasional user category. As
expected, for example, respondents that are men and are
relatively young (aged 15–34) are much more likely to be
explorers rather than occasional users, in comparison with
women, respectively with respondents aged 65 and more.
Statistical significance of coefficients is indicated by the Sig.
column, while bold figures mark odds ratios that are either
higher than 1.5, or lower than 0.7, thus indicating a relatively
strong positive or negative influence.

Fig. 6 – Profiles of end-users' cyber-security activity and
experiences, EU27. Data source: Eurobarometer 77.2 / 2012,
authors' analysis

Overall, socio-demographic variables account for about
13% of variation in cluster membership, according to Cox and
Snell Pseudo R-Square estimates. Therefore, we can conclude
that cluster membership is better predicted by sociodemographic characteristics than simply experience of
cybercrime or password hygiene, which, as we have seen in
Models 1 and 2, are explained in proportion of 6% and 7% of
variance, respectively. We take this higher proportion of statistically explained variance to indicate that user profiles that
combine activity, exposure and security responses are better
suited to capture individual co-variability than single behavioral constructs.

Applicability: implications for internet security public policies
The main field of applicability for large-scale survey analysis
consists in recommendations for public policy. A typical form
of survey-based proposals relies on the identification of causal
factors that influence the phenomenon of interest and may be
amenable to intervention. As we discuss in Section "Surveying
cyber-security: methodological issues", exemplifying with
Böhme and Moore (2012a), this approach is potentially confounding because of negative feedback loops between experiences of cybercrime and security measures.
A second form of recommendation, better suited to
Internet security survey data, relies on the identification of
respondent types with specific profiles. Our segmentation
draws attention to a category that has been largely ignored in
Internet security campaigns: the prudent users.
Many campaigns that promote safety online are targeting
young users of explorer and lucky orientations, focusing on
careless sharing behaviors (for example Eames, 2012; Internet
Safety Coalition, n.d.; The Anti-Phishing Working Group –
APWG; National Cyber Security Alliance – NCSA, n.d.), or
children and parents (for example Child Exploitation and
Online Protection (CEOP) Centre, n.d.; Ogilvy & Mather Sofia,
n.d.). Still, prudent users include a distinctive type of netizens: relatively older, relatively wealthy persons living in societies with high Internet penetration. They are a significant
presence in several European countries. In Table 6 we see that
Denmark, Germany, Luxembourg, Sweden, and The
Netherlands have around 40% of Internet users in the prudent
orientation. As regards their profile, regression results in Table
7 indicate that, when compared with occasional users,
prudent users are on average of similar age and gender, but
more educated, while explorer, reactive and lucky users are
more often male, younger, and also of higher education.

Fig. 7 – Proportion of explorers (Y axis) and proportion of
prudent users (bubble width) as a function of the
proportion of internet daily users (X axis), EU27 countries.
Data source: Eurobarometer 77.2 / 2012, authors' analysis

Country-level correlations between the proportions of
users in a certain cluster and measures of Internet penetration
(De Argaez, 2013) are high for explorers (R = 0.87), prudent
(R = 0.85), and occasional users (R = 0.92); they are lower for
lucky (R = 0.57) and reactive users (R = 0.07).¹ The association with country-level estimates of daily internet users is
similarly high (see Fig. 7). This indicates that explorer and
prudent orientations develop concomitantly as two alternative security attitudes in cultures of high Internet penetration,
at the expense of occasional orientations. Unlike explorers
who, when confronted with cybercrime, intensify their protection, prudent users answer experiences of victimization
by withdrawing from online transactions.
This analysis indicates that Internet security campaigns
and other public interventions can address the distinctive
category of prudent users, which comprise a large proportion
of the older and better educated public of societies with high
Internet diffusion. They likely have different typical navigation behaviors than younger users, and specific security
problems besides the risks of careless sharing, online bullying,
and sexual harassment. For this category, public interventions

Since proportions for all clusters sum up to 100% for each


country, if some correlations are positive, others are negative. It is
noteworthy that both correlations for explorer and prudent
users are large and positive.

c o m p u t e r s & s e c u r i t y 4 3 ( 2 0 1 4 ) 1 1 1 e1 2 5

could encourage answers to victimization that enhance protection rather than decrease involvement.
The distinction between secure engagement and cautious
withdrawal from online interactions is rarely highlighted in
public campaigns. For prudent users, this could be an important message – complementing, at attitudinal level, the
awareness and information campaigns that present hazards
and security methods. In a different risk context, the Bedsider.org
birth control campaign (The National Campaign to Prevent
Teen and Unplanned Pregnancy, n.d.) shows situations of
awkward moments during sex, with the encouragement: "You
didn't give up on sex. Don't give up on birth control." Messages
for prudent users may mirror this approach, along the lines: if
we persevere in enhancing our offline safety, against incidents and adversity, we can also persevere in the online
environment.

Conclusions
Our study uses large scale, cross-sectional survey data to
explore variability in patterns of Internet use, exposure to
cyber-crime, and security measures.
End-users' awareness of risks and their resulting security
actions are part and parcel of their ordinary activities, online
and offline; cyber-security does not have, for users, the high-priority, privileged position it has for security engineers or
researchers. This means that an empirical investigation of
end-users' cyber-protection measures must take into account
the larger activity context in which it occurs.
It is important to observe that, unlike other situations
studied by social surveys, which can be modeled through
positive feedback relationships, the three constructs of online
activity, exposure to cyber-crime and security actions are
interdependent in a negative feedback loop. This has methodological implications, rendering causal modeling through
regression analysis impracticable if there are no time benchmarks to differentiate before and after, assisting in the
causal ordering of variables. Due to the superposition of positive and negative reciprocal causal relationships, analysts
would not be able to interpret regression coefficients in unidirectional causal terms.
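
The interpretive problem described above can be worked through with a small exact model, added here as an illustration and not taken from the article or its data. All parameter values and names are constructed assumptions: users are victimized in period 1, victims adopt protection more often than non-victims, and protection then halves period-2 risk; the code compares what a single survey wave sees with what a time-benchmarked question recovers.

```python
"""Exact two-period model of the victimization -> protection -> victimization loop.

Every parameter below is constructed for illustration; none is an estimate
from Eurobarometer 77.2 or from the article.
"""
from itertools import product

SHARE = {"light": 0.5, "heavy": 0.5}        # population share by online activity
BASE_RISK = {"light": 0.10, "heavy": 0.40}  # per-period risk while unprotected
PROTECTION_RISK_RATIO = 0.5                 # true causal effect: protection halves risk
ADOPT_AFTER_VICTIM = 0.8                    # P(adopt protection | victim in period 1)
ADOPT_OTHERWISE = 0.2                       # P(adopt protection | no incident in period 1)


def histories():
    """Enumerate every user history with its exact population share.

    Yields (share, activity, victim1, protected, victim2); everyone starts
    unprotected, and protection is adopted between the two periods.
    """
    for activity, victim1, protected, victim2 in product(SHARE, (0, 1), (0, 1), (0, 1)):
        share = SHARE[activity]
        risk1 = BASE_RISK[activity]
        share *= risk1 if victim1 else 1 - risk1
        adopt = ADOPT_AFTER_VICTIM if victim1 else ADOPT_OTHERWISE
        share *= adopt if protected else 1 - adopt
        risk2 = BASE_RISK[activity] * (PROTECTION_RISK_RATIO if protected else 1.0)
        share *= risk2 if victim2 else 1 - risk2
        yield share, activity, victim1, protected, victim2


def rate(outcome, group):
    """P(outcome | group), both given as predicates over a history."""
    rows = [(share, h) for share, *h in histories()]
    hit = sum(share for share, h in rows if group(*h) and outcome(*h))
    base = sum(share for share, h in rows if group(*h))
    return hit / base


def cross_sectional_ratio():
    """One survey wave: 'ever a victim' among currently protected vs. unprotected."""
    def ever_victim(activity, victim1, protected, victim2):
        return bool(victim1 or victim2)
    return (rate(ever_victim, lambda a, v1, p, v2: p == 1)
            / rate(ever_victim, lambda a, v1, p, v2: p == 0))


def time_benchmarked_ratio(level):
    """Period-2 incidents by protection held at the start of period 2,
    compared within one activity level."""
    def later_victim(activity, victim1, protected, victim2):
        return victim2 == 1
    return (rate(later_victim, lambda a, v1, p, v2: p == 1 and a == level)
            / rate(later_victim, lambda a, v1, p, v2: p == 0 and a == level))


if __name__ == "__main__":
    print(f"cross-sectional risk ratio: {cross_sectional_ratio():.2f}")
    for level in SHARE:
        print(f"time-benchmarked ratio ({level} users): {time_benchmarked_ratio(level):.2f}")
```

In the single-wave view protected users report victimization about 2.2 times as often as unprotected ones, although protection halves risk by construction; the comparison that uses a before/after benchmark within one activity level returns the built-in ratio of 0.5.
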
Through empirical exploration of country-level diversity in
patterns of online activity, cyber-crime exposure, and security
measures, we find that countries with higher proportions of
daily Internet users seem to foster cultures of cyber-security;
ecological correlations between country level internet use
frequency and the incidence of security actions among daily
Internet users are high.
There is also a positive ecological correlation between
country-level frequency of Internet use and exposure to
cybercrime of daily Internet users. Still, this correlation is
weaker. Moreover, Romania and Hungary are clear outliers,
with much higher reported exposures to cyber-crime than
expected, while Greece seems to have a lower exposure than
expected.
A cluster classification of respondents, according to their
patterns of online activity, cyber-crime exposure, and security
measures, yields five empirical types: explorer, reactive,
prudent, lucky, and occasional users. Explorer and
occasional users are the poles of a continuum: explorers
navigate frequently and diversely, often experience instances
of online malicious behavior, and take frequent and diverse
security measures. Occasional users do little of all of the
above. The other types range in between: lucky users reflect
the stochastic nature of cyber-crime, that allows around one
quarter of EU27 Internet users to navigate the Internet
frequently, without harm, and carelessly. Prudent and reactive users witness victimization but respond to it differently:
the former adopt restrictive, cautious online behaviors, while
the latter react through password change with little additional, systematic protection.
Cluster membership is better predicted by a set of sociodemographic variables than either exposure to cyber-crime
or password hygiene taken by themselves. We conclude that
the identification of cyber-security profiles is a productive way
of providing meaningful interpretations of users' actions, and
to link them to social contexts.
There is considerable scope for improving such a classification based on survey data. The Eurobarometer 77.2 dataset
notably lacks measures of security knowledge, which could
highlight important variability with policy relevance. Estimates of personal loss (in terms of time, money or reputation)
due to cybercrime are also missing, although personal loss is a
construct of high importance in understanding users' security
behaviors. Another potentially useful distinction would
separate users that have experienced losses at work from
those that have experienced losses in private online activities,
in order to estimate the aggregate relevance of organizational
policies concerning individual responsibility for cybersecurity. Last but not least, such a study could be improved
through more detailed examination of security and online
activity, and by introducing time benchmarks, such as asking
users to report distinctly on several successive 3- or 6-month
intervals.
Survey-based identification of distinctive types of users is a
valuable resource for public interventions. Specifically, prudent users comprise a significant proportion of societies with
high Internet penetration, including older, better educated
persons that are active online. Their concerns and experiences may not be addressed by current Internet security
campaigns, which mostly target parents and young users
from the explorer and lucky orientations.
We conclude that profiles of interdependent online activity, cyber-crime exposure, and security measures are valuable
constructs for empirical investigation and public policy
design, and they provide better tools than linear causal
modeling in the field of survey research on end-users' security
behaviors.

Acknowledgments
This article has been supported by the research project
"Sociological imagination and disciplinary orientation in
applied social research", with the financial support of ANCS/
UEFISCDI grant no. PN-II-RU-TE-2011-3-0143, contract 14/
28.10.2011. Parts of this work were carried out at the EUROLAB
at GESIS Leibniz Institute for the Social Sciences, May 2013.
We are grateful for the useful anonymous reviews.


Appendix
Table 2 – Dataset overview. Age and graduation-age columns are row percentages.

| Country | Internet penetration (De Argaez, 2013) | Weighted sample size | Internet access: % monthly or more | Internet access: % daily | Age 15–24 | Age 25–34 | Age 35–44 | Age 45–54 | Age 55–64 | Age 65+ | Graduation age 15 or less | Graduation age 16–19 | Graduation age 20+ | No full-time education | Still studying |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Austria | 79.8 | 456 | .70 | .47 | 14.5 | 15.2 | 18.3 | 18.8 | 13.3 | 19.9 | 25.8 | 51.9 | 14.4 | .0 | 7.9 |
| Belgium | 81.3 | 582 | .72 | .60 | 14.6 | 14.8 | 18.0 | 17.5 | 14.5 | 20.5 | 11.4 | 43.1 | 35.1 | .0 | 10.4 |
| Bulgaria | 51 | 425 | .51 | .36 | 14.3 | 15.7 | 17.7 | 16.1 | 15.9 | 20.3 | 12.9 | 55.7 | 22.5 | .2 | 8.7 |
| Cyprus Republic | 57.7 | 43 | .57 | .43 | 18.3 | 16.1 | 17.1 | 19.8 | 13.3 | 15.3 | 20.6 | 40.1 | 28.0 | .2 | 11.2 |
| Czech Republic | 73 | 586 | .68 | .47 | 14.6 | 17.3 | 18.3 | 15.5 | 16.4 | 17.7 | 4.0 | 70.5 | 16.5 | .0 | 9.0 |
| Denmark | 90 | 297 | .91 | .83 | 15.2 | 14.3 | 16.8 | 17.8 | 15.7 | 20.3 | 6.3 | 11.3 | 65.7 | 1.9 | 14.7 |
| Estonia | 78 | 62 | .74 | .62 | 18.5 | 18.6 | 14.7 | 16.1 | 12.9 | 19.2 | 5.7 | 48.9 | 34.2 | .0 | 11.2 |
| Finland | 89.4 | 289 | .80 | .69 | 14.8 | 14.3 | 15.1 | 17.8 | 17.6 | 20.4 | 11.8 | 26.5 | 49.6 | .0 | 12.1 |
| France | 79.6 | 3107 | .77 | .66 | 15.0 | 15.8 | 15.5 | 16.9 | 15.9 | 21.0 | 16.1 | 39.0 | 35.0 | .3 | 9.6 |
| Germany | 83 | 4185 | .72 | .53 | 12.7 | 12.8 | 14.2 | 20.8 | 14.5 | 25.1 | 17.9 | 49.2 | 22.3 | .0 | 10.7 |
| Greece | 53 | 566 | .54 | .38 | 16.8 | 16.8 | 18.4 | 15.3 | 13.0 | 19.6 | 27.4 | 36.1 | 23.6 | .5 | 12.4 |
| Hungary | 65.4 | 541 | .59 | .39 | 14.5 | 15.9 | 19.8 | 16.7 | 14.5 | 18.6 | 19.4 | 58.0 | 13.6 | .2 | 8.8 |
| Ireland | 76.8 | 229 | .76 | .61 | 16.3 | 19.6 | 20.5 | 16.7 | 12.7 | 14.2 | 13.4 | 48.1 | 27.8 | .0 | 10.6 |
| Italy | 58.4 | 3374 | .62 | .45 | 11.7 | 13.1 | 21.7 | 15.7 | 14.3 | 23.5 | 33.5 | 39.2 | 20.3 | .3 | 6.8 |
| Latvia | 71.7 | 94 | .74 | .60 | 21.0 | 18.9 | 19.4 | 16.7 | 12.5 | 11.6 | 6.3 | 52.8 | 26.6 | .1 | 14.3 |
| Lithuania | 65.1 | 184 | .63 | .50 | 18.0 | 16.5 | 16.3 | 17.8 | 12.5 | 18.9 | 8.1 | 46.0 | 32.6 | 1.0 | 12.2 |
| Luxembourg | 90.9 | 26 | .82 | .66 | 14.4 | 15.6 | 21.2 | 18.8 | 13.0 | 17.0 | 14.3 | 29.9 | 43.0 | .7 | 12.2 |
| Malta | 69 | 22 | .68 | .55 | 17.3 | 15.9 | 15.8 | 18.7 | 15.7 | 16.6 | 20.7 | 50.3 | 17.2 | .3 | 11.5 |
| Poland | 64.9 | 2109 | .61 | .43 | 16.6 | 20.2 | 13.5 | 18.2 | 15.6 | 16.0 | 11.5 | 47.7 | 29.9 | .5 | 10.5 |
| Portugal | 55.2 | 526 | .40 | .30 | 16.8 | 13.4 | 18.3 | 18.9 | 13.0 | 19.5 | 54.8 | 23.2 | 10.1 | 5.5 | 6.3 |
| Romania | 44.1 | 1187 | .51 | .35 | 17.6 | 18.9 | 18.7 | 14.5 | 12.6 | 17.6 | 13.6 | 51.7 | 27.1 | .0 | 7.6 |
| Slovakia | 79.1 | 296 | .68 | .44 | 18.2 | 14.9 | 22.7 | 16.5 | 13.5 | 14.2 | 5.8 | 65.0 | 18.2 | .0 | 11.1 |
| Slovenia | 72.1 | 114 | .68 | .53 | 13.5 | 18.0 | 17.1 | 17.3 | 14.8 | 19.2 | 15.0 | 47.4 | 24.8 | .5 | 12.2 |
| Spain | 67.2 | 2545 | .63 | .49 | 12.1 | 18.0 | 19.1 | 17.7 | 13.0 | 20.1 | 35.5 | 31.5 | 24.5 | 2.4 | 6.2 |
| Sweden | 92.7 | 507 | .92 | .83 | 12.7 | 9.9 | 23.2 | 15.6 | 16.0 | 22.5 | 6.0 | 21.2 | 59.3 | .0 | 13.6 |
| The Netherlands | 92.9 | 870 | .93 | .83 | 14.9 | 12.0 | 21.6 | 18.1 | 15.8 | 17.6 | 6.1 | 31.3 | 48.5 | .0 | 14.1 |
| United Kingdom | 83.6 | 3373 | .76 | .63 | 15.8 | 17.0 | 15.4 | 17.4 | 14.1 | 20.2 | 21.7 | 47.8 | 22.0 | .0 | 8.6 |
| Total EU27 | 72.8 | 26,593 | 68.6 | 53.1 | 14.4 | 15.6 | 17.3 | 17.5 | 14.5 | 20.7 | 20.5 | 43.0 | 26.7 | .5 | 9.3 |

Data sources: Internet penetration indicators: De Argaez (2013); other measures: Eurobarometer 77.2 / 2012, authors' analysis

Table 3 – Country profiles of internet activity, cyber-crime experience and security measures. Blue figures indicate the top
5 values, while red figures indicate the bottom 5 values.

Data source: Eurobarometer 77.2 / 2012, authors' analysis

Table 4 – Multinomial logistic regression models for social stratification of total experience of cybercrime and password
changes in the last 12 months. Significant Exp (B) coefficients indicating odds lower than .75 and higher than 1.5 are
marked with bold characters.
Independent
variables:

Count of
situations:

Model 1: Count of situations


of victimization.
Reference category 0
Sig.

Gender
Age

Type of
residence
community

Self-positioning
on a 10-step
social ladder:

Masculine vs.
feminine
15–24
25–34
35–44
45–54
55–64
65 and more
(Reference)
Rural area
or village
Small or middle
sized town
Large town (Ref.)
Levels 1
(minimum) to 4
Levels 5–6
Levels 7–10
(Reference)

Model 2: Count of situations


of password
change reference category 0

3–5 situations

Exp (B) Sig.

Exp (B)

Sig.

Exp (B)

1
Sig. Exp (B) Sig.

3–4 situations

Exp (B)

Sig.

Exp (B)

.001

1.134

.000

1.572

.000

1.819

.002

1.125

.000

1.262

.000

1.526

.001
.000
.000
.000
.016
.

1.351
1.701
1.340
1.321
1.212
.

.000
.000
.000
.000
.006
.

1.929
1.977
1.664
1.551
1.364
.

.000
.000
.000
.000
.104
.

3.807
3.583
2.659
1.753
1.299
.

.000
.000
.014
.099
.534
.

1.713
1.421
1.208
1.136
1.053
.

.000
.000
.000
.000
.069
.

2.854
2.199
1.823
1.685
1.243
.

.000
.000
.000
.000
.002
.

4.118
5.818
3.746
1.952
1.679
.

.000

.791

.000

.792

.001

.786

.000

.777

.000

.732

.000

.621

.027

.906

.000

.812

.010

.843

.615

.977

.000

.788

.124

.907

.
.099

.
.910

.
.366

.
1.069

.
.000

.
.734

.
.000

.
.756

.
.000

.
.743

.
.000

.
.653

.000
.

.862
.

.435
.

.958
.

.000
.

.765
.

.000
.

.822
.

.000
.

.788
.

.000
.

.755
.


Table 4 – (continued)
Independent
variables:

Count of
situations:

Model 1: Count of situations


of victimization.
Reference category 0
1
Sig. Exp (B) Sig.

Difficulties
paying
bills in
the previous
year:
Age at
graduation:

Most of
the time
From time
to time
Almost never/
never (Reference)
15 or less
16–19
20 or more
No full time
education
Still studying
(Reference)

Pseudo R-Square

Model 2: Count of situations


of password
change reference category 0

3–5 situations

3–4 situations

Exp (B)

Sig.

Exp (B)

Sig.

Exp (B)

Sig. Exp (B)

Sig.

.157

.907

.765

1.027

.000

1.650

.224

.915

.082

1.158

.987

.998

.000

.778

.174

.926

.663

1.029

.956

1.003

.331

1.056

.043

.875

.000
.000
.062
.055

.560
.733
1.164
.227

.000
.001
.000
.585

.531
.727
1.460
.697

.105
.252
.001
.595

.788
.887
1.446
1.374

.000
.038
.137
.502

.664
.848
1.132
.708

.000
.000
.488
.097

.530
.621
1.069
.151

.000
.001
.823
.156

.489
.705
1.025
.051

Cox and Snell: .057; Nagelkerke: .062; McFadden:


.024

Exp (B)

Cox and Snell: .060; Nagelkerke: .067; McFadden:


.027

Data source: Eurobarometer 77.2 / 2012, authors' analysis.

Table 5 – Cluster analysis results: user classification in security profiles. Method: K-means Cluster.

| | Cluster label | Explorer | Reactive | Prudent | Lucky | Occasional |
|---|---|---|---|---|---|---|
| | Cluster number | 1 | 2 | 3 | 4 | 5 |
| | Cluster no. of cases (weighted) | 2163 | 1991 | 4576 | 4182 | 5075 |
| | Cluster membership (valid % of Internet users) (Missing cases: 4.4% of Internet users) | 12.0% | 11.1% | 25.4% | 23.3% | 28.2% |
| Summary description of profile | Password hygiene/change | High password hygiene | High password change, low password diversity | Low password hygiene | Low password hygiene | Very low password hygiene |
| | Caution when accessing the Internet | High caution | Low caution | Very high caution | Low caution | Low caution |
| | Frequency of use | Frequent use | Average use | Average use | Frequent use | Rare use |
| | Diversity of use | High diversity | Average use diversity | Average use diversity | Average use diversity | Low use diversity |
| | Experience of cybercrime | High cybercrime experience | High cybercrime experience | Low cybercrime experience | Low cybercrime experience | Very low cybercrime experience |
| Have you changed your password to access to any of the following online services during the past 12 months? | Count of password change situations in the last 12 months [0–4]: Web-based e-mail/Online social networks/Shopping website (e.g. travel agents)/Online banking websites | 2.78 | 2.41 | .38 | .36 | .16 |
| Has concern about security issues made you change the way you use the Internet in any of the following ways? | Changing security settings (e.g. your browser, online social media, search engine, etc.) | .57 | .10 | .22 | .08 | .04 |
| | Only visit websites you know and trust | .52 | .32 | .61 | .15 | .19 |
| | Use different passwords for different sites | .76 | .22 | .39 | .11 | .05 |
| | Do not open emails from people you don't know | .80 | .28 | .90 | .14 | .18 |
| | Only use your own computer | .39 | .21 | .54 | .12 | .19 |
| | Have installed antivirus software | .88 | .41 | .91 | .31 | .23 |
| Cybercrimes can include many different types of criminal activity. How often have you experienced or been a victim of the following situations? | Identity theft (somebody stealing your personal data and impersonating you, e.g. shopping under your name) | .13 | .13 | .05 | .09 | .07 |
| | Received emails fraudulently asking for money or personal details (including banking or payment information) | .70 | .44 | .44 | .38 | .16 |
| | Online fraud where goods purchased were not delivered, counterfeit or not as advertised | .20 | .18 | .11 | .13 | .08 |
| | Accidentally encountering material which promotes racial hatred or religious extremism | .26 | .21 | .13 | .17 | .10 |
| | Not being able to access online services (e.g. banking services) because of cyber attacks | .21 | .19 | .13 | .13 | .08 |
| How often do you access the Internet (for example, for sending emails, reading online news, chatting with friends or buying products online)? | Once a week, or less often | .01 | .03 | .06 | .01 | .29 |
| | Several times a week | .04 | .10 | .15 | .02 | .30 |
| | Once a day | .11 | .21 | .21 | .05 | .35 |
| | More than once a day | .84 | .65 | .59 | .92 | .05 |
| Which of the following activities do you do online? | Online banking | .83 | .55 | .60 | .57 | .17 |
| | Buying goods or services (holidays, books, music etc.) | .89 | .57 | .68 | .59 | .19 |
| | Selling goods or services | .40 | .19 | .24 | .24 | .05 |
| | Playing games online | .42 | .31 | .27 | .33 | .16 |
| | Email | .99 | .91 | .95 | .91 | .64 |
| | Using online social networks | .74 | .69 | .43 | .72 | .28 |
| | Reading news online | .85 | .62 | .68 | .70 | .48 |
| Has concern about security issues made you change the way you use the Internet in any of the following ways? | Less likely to buy goods online | .13 | .22 | .19 | .15 | .19 |
| | Less likely to bank online | .11 | .16 | .16 | .12 | .16 |
| | Less likely to give personal information on websites | .66 | .26 | .66 | .17 | .19 |

Data source: Eurobarometer 77.2 / 2012, authors' analysis

Table 6 – Country distribution of Internet users across the five types of security orientations (Row %). The highest 5 values
are marked with blue.

Data source: Eurobarometer 77.2 / 2012, authors' analysis

Table 7 – Social profile of the five security orientation types: multinomial logistic regression model.

| Variable | Category | Explorer model 3: Sig. | Explorer model 3: Exp(B) | Reactive model 4: Sig. | Reactive model 4: Exp(B) | Prudent model 5: Sig. | Prudent model 5: Exp(B) | Lucky model 6: Sig. | Lucky model 6: Exp(B) |
|---|---|---|---|---|---|---|---|---|---|
| | | .000 | | .000 | | .007 | | .002 | |
| Gender | Masculine vs. feminine | .000 | 1.642 | .000 | 1.310 | .100 | 1.073 | .000 | 1.303 |
| Age | Aged 15–24 | .000 | 3.229 | .000 | 6.183 | .506 | 1.071 | .000 | 4.938 |
| | 25–34 | .000 | 4.638 | .000 | 4.524 | .089 | 1.152 | .000 | 3.980 |
| | 35–44 | .000 | 2.817 | .000 | 2.567 | .563 | .955 | .000 | 2.087 |
| | 45–54 | .000 | 1.893 | .000 | 1.862 | .697 | .970 | .000 | 1.603 |
| | 55–64 | .001 | 1.616 | .018 | 1.438 | .120 | 1.137 | .000 | 1.476 |
| | Aged 65 and more | . | . | . | . | . | . | . | . |
| Type of residence community | Rural area or village | .000 | .622 | .000 | .681 | .410 | 1.048 | .000 | .688 |
| | Small or middle sized town | .002 | .814 | .018 | .851 | .365 | 1.051 | .004 | .854 |
| | Large town | . | . | . | . | . | . | . | . |
| Self-positioning on a 10-step social ladder: | Levels 1 (minimum) to 4 | .000 | .691 | .000 | .649 | .299 | .933 | .000 | .688 |
| | Levels 5–6 | .000 | .654 | .000 | .736 | .002 | .853 | .000 | .707 |
| | Levels 7–10 | . | . | . | . | . | . | . | . |
| Difficulties paying bills in the previous year: | Most of the time | .021 | .789 | .406 | 1.086 | .000 | .696 | .169 | .894 |
| | From time to time | .000 | .678 | .000 | .782 | .000 | .550 | .000 | .720 |
| | Almost never/never | . | . | . | . | . | . | . | . |
| Age at graduation: | Graduated at 15 or less | .000 | .212 | .000 | .460 | .000 | .377 | .000 | .409 |
| | Graduated 16–19 | .000 | .398 | .000 | .642 | .000 | .665 | .000 | .671 |
| | Graduated 20+ | .978 | 1.003 | .118 | 1.205 | .047 | 1.244 | .046 | 1.225 |
| | No full time education | .044 | .015 | .029 | .082 | .005 | .067 | .007 | .232 |
| | Still studying | . | . | . | . | . | . | . | . |

Pseudo R-square: Cox and Snell .129; Nagelkerke .135; McFadden .045

references

Adams A, Sasse MA. Users are not the enemy. Commun ACM 1999;42(12):40–6.
Albrechtsen E, Hovden J. The information security digital divide between information security managers and users. Comput Secur 2009;28(6):476–90.
Besnard D, Arief B. Computer security impaired by legitimate users. Comput Secur 2004;23(3):253–64. http://dx.doi.org/10.1016/j.cose.2003.09.002.
Böhme R, Moore T. How do consumers react to cybercrime?. In: 2012 eCrime researchers summit. IEEE; 2012a. pp. 1–12.
Böhme R, Moore T. Challenges in empirical security research; 2012 [Retrieved March 01, 2013, from] http://lyle.smu.edu/wtylerm/courses/econsec/f12/reading/lnse-survey.pdf.
Child Exploitation and Online Protection (CEOP) Centre. (n.d.). Think U Know? Retrieved November 01, 2013, from http://www.thinkuknow.co.uk/.
Christin N, Egelman S, Vidas T, Grossklags J. It's all about the Benjamins: an empirical study on incentivizing users to ignore security advice. In: Danezis G, editor. Financial cryptography and data security SE – 2, vol. 7035. Berlin, Heidelberg: Springer; 2012. pp. 16–30.
De Argaez E. Internet Usage in Europe. Internet World Stats; 2013. Retrieved November 01, 2013, from http://www.internetworldstats.com/stats4.htm.
Eames T. Mind reader shocks strangers in internet security campaign. Digit Spy; 2012. Retrieved November 01, 2013, from http://www.digitalspy.co.uk/fun/news/a408811/mindreader-shocks-strangers-in-internet-security-campaignvideo.html.
European Commission. Eurobarometer 77.2 March 2012 Dataset. Brussels, Cologne: TNS OPINION & SOCIAL (Producer), Brussels and GESIS Data Archive, Cologne; 2012. http://dx.doi.org/10.4232/1.11482.
European Commission. Eurobarometer 77.2 Basic Bilingual Questionnaire. Brussels, Cologne: TNS OPINION & SOCIAL (Producer), Brussels and GESIS Data Archive, Cologne; 2012.
Furnell SM, Bryant P, Phippen AD. Assessing the security perceptions of personal Internet users. Comput Secur 2007;26(5):410–7.
Furnell SM, Jusoh A, Katsabas D. The challenges of understanding and using security: a survey of end-users. Comput Secur 2006;25(1):27–35.
Herley C. So long, and no thanks for the externalities. In: Proceedings of the 2009 workshop on new security paradigms workshop – NSPW '09. New York, New York, USA: ACM Press; 2009. p. 133.
Hoge DR, Yang F. Determinants of religious giving in American denominations: data from two nationwide surveys. Rev Religious Res 1994;36(2):123–48. Retrieved from, http://www.purdue.edu/crcs/itemPublications/articles/Hoge-Yang.pdf.
Inglesant PG, Sasse MA. The true cost of unusable password policies. In: Proceedings of the 28th international conference on Human factors in computing systems – CHI '10. New York, New York, USA: ACM Press; 2010. pp. 383–92.
Internet Safety Coalition. (n.d.). Beware what you share. Retrieved November 01, 2013, from http://www.internetsafetypartners.org/.
Odlyzko A. Economics, psychology, and sociology of security. In: Wright R, editor. Financial Cryptography SE – 13, vol. 2742. Berlin, Heidelberg: Springer; 2003. pp. 182–9.
Ogilvy & Mather Sofia. (n.d.). Internet Safety Campaign: BRIDGE Print Ad. Retrieved November 01, 2013, from http://www.coloribus.com/adsarchive/prints/internet-safety-campaignbridge-12921755/.
The Anti-Phishing Working Group – APWG; National Cyber Security Alliance – NCSA. (n.d.). Stop. Think. Connect. Retrieved November 01, 2013, from http://stopthinkconnect.org/get-involved/resources/.
The National Campaign to Prevent Teen and Unplanned Pregnancy. (n.d.). Bedsider Birth Control Campaign. Bedsider.org. Retrieved November 01, 2013, from http://www.youtube.com/watch?v=oHPtXGnFMrg.
Wash R. Folk models of home computer security. In: Proceedings of the Sixth Symposium on Usable Privacy and Security – SOUPS '10. New York, NY: ACM Press; 2010. pp. 1–16.
Weirich D, Sasse MA. Pretty good persuasion. In: Proceedings of the 2001 workshop on New security paradigms – NSPW '01. New York, NY: ACM Press; 2001. p. 137.

Cosima Rughinis is Professor at the Department of Sociology,
University of Bucharest, and Editor-in-Chief of Journal of
Comparative Research in Anthropology and Sociology - Compaso.
She obtained a Ph.D. in Sociology at University of Bucharest, in
2005. Her research interests include: online collaborative communities, quantification and survey research, and the rhetoric of
inquiry in social and human sciences.

Răzvan Rughinis is Professor at the Faculty of Automatic Control
and Computers, University Politehnica of Bucharest, and
founding member of TechLounge, tech-lounge.ro. He obtained a
Ph.D. in Computer Science at University Politehnica of Bucharest, in 2005. His research focuses on computer and wireless
sensor networks, security issues, and computer supported
collaborative learning.
