Perceptions of security behaviours in bank employees
A Qualitative Investigation of Bank Employee Experiences of Information Security and Phishing
Details
Citation
A Qualitative Investigation of Bank Employee Experiences of Information Security and Phishing. Dan Conway, Ronnie Taib, Mitch Harris, Kun Yu, Shlomo Berkovsky, and Fang Chen, Data61 - CSIRO
Abstract
Staff behaviour is important in information security breaches. Cognitive models and health psychology models are used to predict staff responses to security threats.
Research style
In-depth semi-structured interviews with open and closed questions in a financial services institution, under strict anonymity.
Findings
Association between highly visible security procedures and low perceptions of vulnerability, leading to poor security practices. Self-efficacy is a strong determinant of staff behaviour.
Intro
IBM's 2014 Cyber Security Intelligence Index claims that "human error" is implicated in over 95% of significant data breaches. Technical solutions alone are insufficient to address the growing threat to networks and data from cyber criminals and hostile entities. FAILURE TO COMPLY with IS policies: the focus is on user education and the usability/security trade-off.
- Difficulties in complying with password policies
- Giving away too much personal information when not required
- Ignoring warning messages
THE PROBLEM:
- Raising user knowledge of cyber threats to influence user behaviour
- However, attacks can pass below the threshold of awareness
- For example, attackers understand and exploit cognitive biases and weaknesses of human information processing, which lets them bypass deep information processing. Increasingly sophisticated phishing attacks bypass the user's conscious thinking and elicit shallow, automatic behaviours. Knowledge is not enough; engagement with deeper thought processing is important.
RELATED RESEARCH - General Findings:
- Users often make poor decisions regarding privacy (Acquisti et al)
- People cannot detect well-crafted phishing emails (Dhamija et al)
- Users do not respond to security indicators such as status bar warnings
- Users often disclose more information online than they need to
- Users are often willing to sacrifice privacy for small rewards
THE PROBLEM WITH CURRENT SOLUTIONS:
- It is assumed that educating the user will fix the problem, so training and education campaigns are applied. However, these tend to be ineffective at changing behaviour, which leads some authors to argue that technical solutions are the only effective way to safeguard systems.
- Stephanou showed that while education/training campaigns have a measurable impact on staff knowledge of the desired behaviours, they are not necessarily correlated with actual subsequent behaviour, suggesting that education is necessary but does not mitigate against victimisation.
RELATED RESEARCH - COGNITIVE MODEL APPROACH:
Variables: threat self-efficacy (SE) and perceived vulnerability (V) were identified in this study as major determinants. They predict the deployment of protective behaviours better than knowledge alone.
- Understanding users' mental models and constructs. Samaya et al: 3500 participants across 7 countries. User self-confidence in being able to respond to security threats predicted good cyber security behaviour 4x better than knowledge of cyber threats alone. Identifying the cognitive constructs that drive behavioural models promises a better response.
- Health psychology deals specifically with behaviour styles in situations of uncertainty and in response to poorly understood threats, e.g. eating sensibly, losing weight and exercising. This is analogous to deploying strong and different passwords on every system you use.
- Theory of Reasoned Action (TRA): beliefs about a behaviour and evaluations of the outcome of a behaviour lead to attitudes towards the behaviour. The interaction between this and social influences results in the behaviour manifesting. Specifically, variables such as locus of control, self-efficacy, and response-efficacy are significant predictors of behavioural intentions.
- Protection Motivation Theory (PMT): how people respond to fear. Communication that induces fear creates a threat appraisal process mediated by the above-mentioned variables plus response costs. This influences the attitude and nature of the response to the threat.
- Dual route models of information processing - Heuristic Systematic Model (HSM): users engage in little elaborative, deep information processing when scanning emails and rely on shallow information processing based on calls to authority (email from the boss), urgency cues (a fine if not received ...) and social proof. Decisions are fast. Users scan the sender and subject line and do not apply their knowledge about these cues, so malformed email addresses (type-jacking) escape attention. People therefore use simple heuristic rules, e.g. this email is marked urgent, this is a reputable brand, etc.
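As an added illustration of the HSM cues above (authority, urgency, social proof, and the malformed sender address that a glance at the sender line misses), the following Python triage helper surfaces those shallow cues so a reader is prompted into deeper processing instead of acting on them. This is example code, not from the paper; the phrase lists, the trusted domain and the sample messages are constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Phrase lists for the three shallow cues named in the HSM discussion (authority,
# urgency, social proof). Lists and trusted domain are assumptions for this example.
CUES = {
    "authority": ("ceo", "director", "it department", "security team", "your bank"),
    "urgency": ("urgent", "immediately", "within 24 hours",
                "account will be suspended", "fine"),
    "social_proof": ("everyone", "all staff", "your colleagues have"),
}
TRUSTED_DOMAINS = ("examplebank.com",)  # assumed in-house mail domain

def lookalike_domain(sender, trusted=TRUSTED_DOMAINS, threshold=0.8):
    """Return the trusted domain the sender's domain imitates, or None. A near-but-
    not-identical domain (e.g. a digit swapped for a letter) is the malformed-address cue."""
    _, addr = parseaddr(sender)
    domain = addr.rpartition("@")[2].lower()
    if not domain or domain in trusted:
        return None
    for known in trusted:
        if SequenceMatcher(None, domain, known).ratio() >= threshold:
            return known
    return None

def score_message(msg):
    """Map each cue category to the phrases found in msg (dict with 'from', 'subject',
    'body'). Whole-word, case-insensitive; adds 'lookalike' for an imitated domain."""
    text = f"{msg['from']} {msg['subject']} {msg['body']}".lower()
    hits = {}
    for cue, phrases in CUES.items():
        found = [p for p in phrases if re.search(rf"\b{re.escape(p)}\b", text)]
        if found:
            hits[cue] = found
    target = lookalike_domain(msg["from"])
    if target:
        hits["lookalike"] = [target]
    return hits  # empty dict means no shallow cues were found

# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    {"from": "IT Security Team <helpdesk@examp1ebank.com>",
     "subject": "URGENT: password reset required",
     "body": "All staff must confirm their credentials within 24 hours "
             "or your account will be suspended."},
    {"from": "Payroll <payroll@examplebank.com>",
     "subject": "Monthly timesheet reminder",
     "body": "Please submit your timesheet by Friday."},
]
```

Running `score_message` over the two samples flags every cue category plus the lookalike domain for the first message and nothing for the second, which is the distinction a gateway banner or awareness tool would want to surface.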
METHOD
Qualitative research based on a grounded theory approach. Variables were identified from the theories above. 38 items.
Knowledge:
History:
- How previous phishing or fraud victimisation influences future behaviour
- Mixed results from research: some say it increases attention to deceptive elements in emails. Vishwanath et al: education and exposure without direct experience led to better behaviour. Bohe found that e-commerce fraud experience led to reduced online purchasing behaviours. Victimisation experience has been found by Yu to influence fear generally but not fear of online scams. Hence fear is dependent on the nature of the crime.
Practices:
System usability vs restrictive security procedures. Post and Kagan: increased complexity and diversity in user-generated passwords led to increasing cognitive demands and risky behaviours, e.g. writing passwords down.
Contexts:
Focus on staff practices around email as the primary vector of phishing attacks.
Attentional models: the variables workload, attentional resources and task demands are important determinants of phishing victimisation.
Mark et al. showed cognitive overload and stress in relation to some of the ways emails are used: users who process in batches at particular times, or check constantly, or respond to notifications.
Vishwanath et al found that the more emails engaged with daily, the significantly higher the likelihood of falling for phishing, i.e. too many emails.
Culture: (added term)
Punishment for poor security behaviour is thought to be only weakly predictive when there are means to neutralise the effects of non-compliance.
Dodge et al: leaders who lead by example and adopt good IS protocols themselves influence others.
Flores et al: transformational leadership (involving subordinates in decision making and driving change) is a major predictor of IS awareness and influences intrinsic beliefs and intentions.
Ifinedo - Social Bond Theory - 4 constructs of attachment: the organisation's values, commitment to the organisation's goals, involvement in the organisation's goals, and personal norms.
Identity:
Ajzen's Theory of Planned Behaviour
Motivation has a causal relationship with elaborative processing.
However, Floyd et al showed that self-efficacy was not correlated with the chance of elaborative processing when evaluating phishing emails; level of involvement was.
Results
Emails: pattern of scanning email bulletins. At all levels, users responded positively to receiving periodic information about information security.
Presentation of information: short, text-based communication based on real-life scenarios: what happens if you do this and how to avoid it.
Being a victim: where people demonstrated strong technical competency, they were more willing to share their story, with the desire to help others avoid what happened to them. Where people felt less technically adept, they were more likely to stay quiet.
Experience of email practices: scanning mailboxes. "You look at the subject header and if you're not called out in the subject as action, you don't look at it." "I look at the subject line and who sent it to decide whether I need to look at it straight away."