Vulnerabilities to online cyber-related crime are typically the result of poor decisions on the part of users. To date, research on risk-taking behavior applied to cyber-security situations has concentrated mainly on the risks that stem from active behavioral choices (e.g., opening an attachment from an unknown sender). However, risk may result from the failure to implement an action (e.g., not strengthening a password). These two types of risk have been differentiated and termed active- and passive-risk behaviors. We conducted two studies (Study 1 and Study 2) that examine how self-reported active- and passive-risk behaviors predict cyber-security behavioral intentions. In Study 3, we examine how active and passive risk relate to actual cyber-security behavior. The results show that cyber-security behavioral intentions and actual cyber behaviors are significantly correlated with self-reported individual differences in passive-risk behavior but not in active-risk behavior. We discuss the theoretical and practical implications of these findings.
Critical success factors for security education, training and awareness (SETA) programme effectiveness: an empirical comparison of practitioner perspectives
Cyber security has never been more important than it is today in an ever more connected and pervasive digital world....