Nothing ventured, nothing gained. Profiles of online activity, cyber-crime exposure, and security measures of end-users in European Union

We use large-scale survey data from the Eurobarometer 77.2/2012 to explore variability in online activity, cyber-crime exposure, and security measures of end-users in European Union (EU27). While cyber-security is a high-priority activity for security experts and researchers, end-users conduct it in the context of their daily lives, as a socially accountable and resource-limited activity. We argue that end-users’ security behaviors should be analyzed in relation to their experiences of online victimization, in the context of their routine activities. An ecological analysis at country level indicates that societies with widespread Internet use support cultures of higher cyber-security. They also expose daily Internet users to higher cyber-crime risks, but this positive correlation is weaker, with Romania and Hungary as two notable exceptions of high average exposure with low overall Internet use. Given the negative feedback loops between security responses, exposure to cyber-crime, and online activity, we find that, at individual level, linear causal modeling on survey data is impractical, and we propose classification analysis as a better tool for capturing variability. We use K-means cluster analysis to identify five types of end-users’ orientation towards security in the context of their activity: ‘explorer’, ‘reactive’, ‘prudent’, ‘lucky’, and ‘occasional’ users, and we discuss their profiles of online activities and experiences. ‘Prudent’ users are relatively neglected in public campaigns for Internet security. Classification analysis is a productive tool for understanding end-users’ security orientations through survey data and for informing public interventions.