The benefits of combining psychological and behavioural economics approaches

In this final section we review some of the key lessons learned from a combination of psychological and behavioural economics models and consider the implications for both improving cybersecurity behaviour and the uptake of cyber insurance.

Cybersecurity compliance and cyber insurance uptake

Recent indicators suggest that research on cybersecurity behaviours and cyber insurance uptake would benefit from a combination of psychological and behavioural economics approaches. There is evidence that using PMT as an underlying behavioural model, coupled with constructs drawn from behavioural economics, can be beneficial in understanding organisational behaviour. A study by Bulgurcu et al. (2010) assessed the rationality-based factors associated with information security policy compliance, but also drew upon the TPB in evaluating the role of normative beliefs and individual self-efficacy in assessing the costs and benefits of compliance. Self-efficacy was indeed an important predictor, but they also found three broad classes of beliefs that influenced compliance: the benefits of compliance, the costs of compliance, and the costs of non-compliance. The authors argued that the motivational factors associated with information security policy compliance are important and that employees’ cost-benefit assessments can be shaped by appropriate security training and awareness programmes.

Figure 3.4: Sample display screen, which presents the recommended cybersecurity strategy options as expected values framed as losses and includes a recommendation message

Figure 3.5: Sample display screen, which presents the cybersecurity products and cyber insurance options along with the price of each in VC

Figure 3.6: Sample display screen, which shows the payout for a subject who took out a cyber insurance policy and experienced a cyber attack

Other psychological and economic constructs and models are also useful. A recent organisational paper on cybersecurity policy compliance draws upon both the psychological contract and rational choice literature in predicting behaviour (Han et al., 2017). The former is a large psychological literature describing the kinds of unwritten expectations employees have of the workplace and in this sense draws on the “shadow security” approach, in that the actual expectations of staff within the workplace are socially constructed. Their work is also interesting in that, yet again, the perceived benefits, rather than the costs, are what drive cybersecurity compliance behaviour.

A similar approach is adopted by Li et al. (2018), again using Rational Choice Theory to explore the underlying cost-benefit analysis of adopting good cybersecurity behaviours in the workplace, but this time adding a “procedural justice” construct as a further predictor of the extent to which employees are likely to adhere to cybersecurity policies. They also add an individual characteristic, “low self-control,” in their study. This last component is interesting, as psychometric scales measuring a range of personality indicators are increasingly being adopted as a means to assess individual factors in poor compliance behaviour. In our own approaches, again adopting a combined psychology and behavioural economics ethos, we have sometimes used established measures of impulsivity and risk aversion (such as those of Jeske et al. (2016) and van Bavel et al. (2019)).

Such approaches are gaining ground, with greater prominence given to both psychological and behavioural economics models in EU guidance and policymaking (ENISA, 2019). Some authors, including de Bruijn and Janssen (2017), have argued that policymaking in cybersecurity is a “sea of paradoxes,” in part because of the highly complex ecosystem that exists, which we discussed more fully in Chapter 2. They note that these paradoxes complicate the communication and framing of cybersecurity and argue that there is a greater need for theoretical framing of research. Using Prospect Theory as a backdrop, they call for evidence-based message framing strategies, including recognition of the need to avoid excessive use of fear appeals (as described in Section 3.4.4 on the Extended Parallel Process Model) and the need for messages to be framed in ways that are personally relevant to the recipient. This move away from fear appeals as a cornerstone of behaviour change towards a focus on building up appropriate competencies to manage threats at every level of the organisation is an important trend in cybersecurity research and is relevant to cyber insurance, where the ability to respond to threats appropriately can help to improve the resilience of an organisation. However, improving cybersecurity competence requires that employees at all levels take some responsibility for their actions and engage with training and awareness initiatives, even though they are busy with other tasks. For this reason, we end this chapter with a final reflection on incentives for behaviour change in this space.
