Exploring the Effects of Cybersecurity Awareness and Decision-Making Under Risk

Published in The 6th International Conference on Science of Cyber Security - SciSec 2024, 2024

This paper challenges the conventional assumption in cybersecurity that users act as rational actors. Despite numerous technical solutions, awareness campaigns, and organizational strategies aimed at bolstering cybersecurity, these often overlook the prevalence of non-rational user behavior. Our study, a survey of 208 participants, empirically demonstrates this non-rational behavior. We found that a significant portion of users (55.3%) would accept a substantial risk (35%) to click on a potentially malicious link or attachment. This propensity increases to 61% when users are led to believe there is a 65% chance of facing no adverse consequences. To address this irrationality, we explored the efficacy of nudging mechanisms within email systems. Our qualitative user study revealed that incorporating a simple colored nudge in the email inbox can notably enhance the ability of users to discern malicious emails, improving decision-making accuracy by an average of 10%.

Recommended citation: Braun, O., Hörnemann, J., Pohlmann, N., Theis, D., Urban, T., Große-Kampmann, M. (2024, August). Exploring the Effects of Cybersecurity Awareness and Decision-Making Under Risk. In Proceedings of the 6th International Conference on Science of Cyber Security - SciSec 2024. /files/longterm.pdf