Modelling psychological and behavioural economics factors

The factors described in the previous section can be best understood with reference to a larger, long-standing literature that attempts to model human behaviour and decision-making in psychological or behavioural economics terms. These two disciplines have established approaches to conducting behavioural research in cybersecurity and cyber risk. Psychological models of behaviour typically recognise that behaviour is often planned and behavioural intention is typically influenced by attitudes towards that behaviour. They also recognise that these attitudes are influenced by our social environment (perceived “norms”).

In contrast, behavioural economics models of behaviour typically acknowledge that decision-making is not entirely rational and that people will show different biases in their decision-making in risky environments. They also recognise that seemingly irrational behaviours can result when people are presented with overwhelming amounts of information or too many cognitive demands. In these circumstances, people might find shortcuts, or “heuristics”, as a means to cope. We expand on the psychological approaches in Section 3.4 and on the behavioural economics approaches in Section 3.5.

Psychological models

In this section we present several psychological models of human behaviour and decision-making and the key insights for cyber insurance and/or cybersecurity that can be obtained from them. We first introduce the Theory of Planned Behaviour (TPB), which is the foundation of Protection Motivation Theory (PMT) and a family of related models. We then briefly review PMT, which was already introduced in Chapter 2. It is the dominant model used for studying cybersecurity behaviour in the psychology literature, in part because its emphasis on threat appraisals and coping appraisals is particularly useful within the cybersecurity context. We also present three additional models that build on Protection Motivation Theory: the combination of PMT and the TPB by Herath and Rao (2009); the Extended Parallel Process Model (EPPM); and the Health Belief Model.

Figure 3.1: Theory of Planned Behaviour (Ajzen and Madden, 1986; Ajzen, 1991)

Theory of Planned Behaviour

As mentioned, many human behaviour and decision-making models derive from the Theory of Planned Behaviour (Ajzen and Madden, 1986; Ajzen, 1991), shown in Figure 3.1. TPB captures the ways that attitudes and beliefs drive behavioural intentions which, in turn, drive behaviour. Beliefs include both subjective norms, or an individual’s belief that a key person or group of people will support their engaging in a particular behaviour, and perceived behavioural control, or an individual’s belief in their own competence to engage in a particular behaviour.

In cyber insurance terms, this implies that encouraging people to adopt positive attitudes towards cyber insurance (e.g. increasing the perceived benefits compared to the perceived costs) could bolster their intentions to engage in better cybersecurity practices, potentially including cyber insurance uptake. In addition, raising normative beliefs (e.g. the belief that others think that cyber insurance is a good idea) is likely to improve cyber insurance adoption. To date, relatively little research on cyber insurance has used TPB as an explicit model, but it is commonly used as a model for predicting security compliance.

Protection Motivation Theory

Protection Motivation Theory is a model of risk assessment and behaviour change and, as noted, is derived from the Theory of Planned Behaviour and has been the primary psychological model used for studying cybersecurity behaviour. Since we already introduced PMT in Chapter 2, we will not reproduce it here but simply recapitulate its three central components: sources of information, threat appraisal (which is influenced by severity and vulnerability), and coping appraisal (which is influenced by response efficacy and self-efficacy).

According to PMT, when assessing a threat there are four factors that decision makers take into account and that drive their behaviour: (i) severity, or the perceived severity of the threat, (ii) vulnerability, or the perceived probability of its occurrence, (iii) response efficacy, or the perceived efficacy of the response to the threat, and (iv) self-efficacy, or decision makers’ perception of their ability to respond effectively.

Protection Motivation Theory and the Theory of Planned Behaviour combined

Herath and Rao (2009) used a combination of Protection Motivation Theory and the Theory of Planned Behaviour to develop a predictive model of employee information security compliance intentions. More specifically, they used a set of constructs from PMT together with constructs from the TPB, and also incorporated factors known to directly affect organisational commitment. Based on this, they created a survey tool to examine the factors affecting employees’ intentions to comply with their organisations’ information security policies.

They found that, among PMT constructs, response efficacy and self-efficacy had a direct and significant impact on employee security compliance intentions and also found that social influence played an important role. In contrast, they found that response cost and security concern (i.e. concern about security threats) did not play a significant role in employee security compliance intentions. While this finding was surprising at the time, it now sits comfortably with a much larger set of studies that suggest that the coping appraisal component of PMT is the most important predictor of cybersecurity behaviour.

This suggests that behavioural interventions that use fear as a motivator are unlikely to be successful when used in isolation, which is interesting given the propensity of organisational and governmental cybersecurity campaigns to use threat imagery. The implications for cyber insurance are also important, as threat messages would seem less likely to drive cyber insurance uptake than messages about the importance of cyber insurance in driving response efficacy. Where threat messages are used, they should be accompanied by clear guidance on the relevance of available cyber insurance products.
