Susceptibility and resilience to cyber threat: Findings from a scenario decision program to measure secure and insecure computing behavior

Interest in the individual differences underlying end user computer security behavior has led to the development of a multidisciplinary field of research known as behavioral information security. An important gap in knowledge and the motivation for this research is the development of ways to measure secure and insecure cyber behavior for research and eventually practice. Here we report a study designed to develop a technique for assessing secure and insecure cyber behavior for broad research use. The Susceptibility and Resilience to Cyber Threat (SRCT) is an immersive scenario decision program. The SRCT measures susceptibility to cyber threat and malicious behavior as well protective resilience actions via participant responses/decisions to emails, interactions with security dialogs, and computer actions in a real-world simulation. Data were collected from a sample of 190 adults (76.3% female), between the ages of 18–61 (mean age = 26.12). Personality, behavioral tendencies, and cognitive preferences were measured with standard previously validated protocols and self-report measures. Factor analysis suggested a 5 item secure actions scale and a 9 item insecure actions scale as viable to extract from the SRCT responses. Statistically analyzable distributions of secure and insecure cyber behaviors were obtained, and these subscales demonstrated acceptable internal consistency as hypothesized. Associations between SRCT scales and other indices of cyber behavior, as well as self-reported personality, were lower than predicted, suggesting that past research reporting links between self-reports of personality and self-reported cyber-behavior may be overestimating the links for actual cyber actions. However, our exploratory analyses suggest discrepancies between self-report and actions in the SRCT may be an interesting avenue to explore. Overall, results were consistent with theorizing and suggest the technique is viable as a construct measure in future research or as an outcome variable in experimental intervention designs.