Risk as affect: the affect heuristic in cybersecurity

Paul Van Schaik, Karen Renaud, Chris Wilson, Jurjen Jansen, Joseph Onibokun

Research output: Contribution to journalArticle

Abstract

Risk perception is an important driver of netizens' (Internet
users') cybersecurity behaviours, with a number of factors influencing
its formation. It has been argued that the affect heuristic can be a
source of variation in generic risk perception. However, a major
shortcoming of the supporting research evidence for this assertion is
that the central construct, affect, has not been measured or analysed.
Moreover, its influence in the cybersecurity domain has not yet been
tested. The contribution of the research reported in this paper is thus:
firstly, to test the affect heuristic while measuring its three
constructs: affect, perceived risk and perceived benefit and, secondly,
to test its impact in the cybersecurity domain. By means of two
carefully designed studies (N = 63 and N = 233), we provide evidence for
the influence of the affect heuristic on risk perception in the
cybersecurity domain. We conclude by identifying directions for future
research into the role of affect and its impact on cybersecurity risk
perception.
Original languageEnglish
JournalComputers and Security
Publication statusPublished - 14 Jan 2020

Fingerprint

Risk perception
heuristics
evidence
driver

Bibliographical note

Paul van Schaik, PhD, is a Professor in the Department of Psychology at Teesside University, United Kingdom. His research interests focus on applied cognitive psychology and include the psychology of human–computer interaction, information security and information privacy, technology acceptance, user experience, and the psychology of judgement and decision-making, and complex/big-data analysis.
Contact details: Prof. Paul van Schaik PhD, Department of Psychology, Sport and Exercise, School of Social Sciences, Humanities and Law, Teesside University, Middlesbrough, TS1 3BA, United Kingdom. E-mail: P.Van-Schaik@tees.ac.uk.

Karen Renaud, PhD, is a Scottish Computing Scientist and working on all aspects of Human-Centred Security and Privacy. She is Professor of Cyber Security at Abertay University in Dundee, Scotland. She was educated at the Universities of Pretoria, South Africa and Glasgow. Her research been funded by the Association of Commonwealth Universities, the Royal Society, the Royal Academy of Engineers and the Fulbright Commission. She is particularly interested in deploying behavioural science techniques to improve security behaviours, and in encouraging end-user privacy-preserving behaviours. Her research approach is multi-disciplinary, essentially learning from other, more established, fields and harnessing methods and techniques from other disciplines to understand and influence cyber security behaviours. Karen is associate editor for Transactions on Computer Forensics and Security, Information Technology and People, the International Journal of Human Computer Studies and the Journal of Intellectual Capital.
Contact details: Division of Cyber Security, School of Design & Informatics, Abertay University, Kydd Building, Bell Street, Dundee, DD1 1HG. E-mail: k.renaud@abertay.ac.uk

Jurjen Jansen, PhD, is a senior researcher at the Cybersafety Research Group of NHL Stenden University of Applied Sciences and the Dutch Police Academy. In 2018, he obtained his PhD in behavioural information security from the Open University of the Netherlands. His research interests include human aspects of information security, cybercrime, victimization, human-computer interaction and behavioural change.
Contact details: Cybersafety Research Group, NHL Stenden University of Applied Science and the Dutch Police Academy, Rengerslaan 8-10, 8917 DD Leeuwarden, the Netherlands. E-mail: j.jansen@nhl.nl.

Joseph Onibokun, PhD, is a senior e-marketing analyst at Sainsburys Bank, Edinburgh, United Kingdom. In 2012, he obtained his PhD on the topic of the acceptance of social networks from Teesside University, United Kingdom. His research interests are in human-computer interaction and behavioural computer security.
Contact details: Sainsburys Bank, 3 Lochside Avenue, Edinburgh Park, EH12 9DG, United Kingdom. E-mail: joseph.onibokun@yahoo.co.uk

Cite this

@article{c51623710da54329a900e3c29b48aed8,
title = "Risk as affect: the affect heuristic in cybersecurity",
abstract = "Risk perception is an important driver of netizens' (Internetusers') cybersecurity behaviours, with a number of factors influencingits formation. It has been argued that the affect heuristic can be asource of variation in generic risk perception. However, a majorshortcoming of the supporting research evidence for this assertion isthat the central construct, affect, has not been measured or analysed.Moreover, its influence in the cybersecurity domain has not yet beentested. The contribution of the research reported in this paper is thus:firstly, to test the affect heuristic while measuring its threeconstructs: affect, perceived risk and perceived benefit and, secondly,to test its impact in the cybersecurity domain. By means of twocarefully designed studies (N = 63 and N = 233), we provide evidence forthe influence of the affect heuristic on risk perception in thecybersecurity domain. We conclude by identifying directions for futureresearch into the role of affect and its impact on cybersecurity riskperception.",
author = "{Van Schaik}, Paul and Karen Renaud and Chris Wilson and Jurjen Jansen and Joseph Onibokun",
note = "Paul van Schaik, PhD, is a Professor in the Department of Psychology at Teesside University, United Kingdom. His research interests focus on applied cognitive psychology and include the psychology of human–computer interaction, information security and information privacy, technology acceptance, user experience, and the psychology of judgement and decision-making, and complex/big-data analysis. Contact details: Prof. Paul van Schaik PhD, Department of Psychology, Sport and Exercise, School of Social Sciences, Humanities and Law, Teesside University, Middlesbrough, TS1 3BA, United Kingdom. E-mail: P.Van-Schaik@tees.ac.uk. Karen Renaud, PhD, is a Scottish Computing Scientist and working on all aspects of Human-Centred Security and Privacy. She is Professor of Cyber Security at Abertay University in Dundee, Scotland. She was educated at the Universities of Pretoria, South Africa and Glasgow. Her research been funded by the Association of Commonwealth Universities, the Royal Society, the Royal Academy of Engineers and the Fulbright Commission. She is particularly interested in deploying behavioural science techniques to improve security behaviours, and in encouraging end-user privacy-preserving behaviours. Her research approach is multi-disciplinary, essentially learning from other, more established, fields and harnessing methods and techniques from other disciplines to understand and influence cyber security behaviours. Karen is associate editor for Transactions on Computer Forensics and Security, Information Technology and People, the International Journal of Human Computer Studies and the Journal of Intellectual Capital. Contact details: Division of Cyber Security, School of Design & Informatics, Abertay University, Kydd Building, Bell Street, Dundee, DD1 1HG. E-mail: k.renaud@abertay.ac.uk Jurjen Jansen, PhD, is a senior researcher at the Cybersafety Research Group of NHL Stenden University of Applied Sciences and the Dutch Police Academy. In 2018, he obtained his PhD in behavioural information security from the Open University of the Netherlands. His research interests include human aspects of information security, cybercrime, victimization, human-computer interaction and behavioural change. Contact details: Cybersafety Research Group, NHL Stenden University of Applied Science and the Dutch Police Academy, Rengerslaan 8-10, 8917 DD Leeuwarden, the Netherlands. E-mail: j.jansen@nhl.nl. Joseph Onibokun, PhD, is a senior e-marketing analyst at Sainsburys Bank, Edinburgh, United Kingdom. In 2012, he obtained his PhD on the topic of the acceptance of social networks from Teesside University, United Kingdom. His research interests are in human-computer interaction and behavioural computer security. Contact details: Sainsburys Bank, 3 Lochside Avenue, Edinburgh Park, EH12 9DG, United Kingdom. E-mail: joseph.onibokun@yahoo.co.uk",
year = "2020",
month = "1",
day = "14",
language = "English",
journal = "Computers and Security",
issn = "0167-4048",
publisher = "Elsevier",

}

Risk as affect: the affect heuristic in cybersecurity. / Van Schaik, Paul; Renaud, Karen; Wilson, Chris; Jansen, Jurjen; Onibokun, Joseph.

In: Computers and Security, 14.01.2020.

Research output: Contribution to journalArticle

TY - JOUR

T1 - Risk as affect: the affect heuristic in cybersecurity

AU - Van Schaik, Paul

AU - Renaud, Karen

AU - Wilson, Chris

AU - Jansen, Jurjen

AU - Onibokun, Joseph

N1 - Paul van Schaik, PhD, is a Professor in the Department of Psychology at Teesside University, United Kingdom. His research interests focus on applied cognitive psychology and include the psychology of human–computer interaction, information security and information privacy, technology acceptance, user experience, and the psychology of judgement and decision-making, and complex/big-data analysis. Contact details: Prof. Paul van Schaik PhD, Department of Psychology, Sport and Exercise, School of Social Sciences, Humanities and Law, Teesside University, Middlesbrough, TS1 3BA, United Kingdom. E-mail: P.Van-Schaik@tees.ac.uk. Karen Renaud, PhD, is a Scottish Computing Scientist and working on all aspects of Human-Centred Security and Privacy. She is Professor of Cyber Security at Abertay University in Dundee, Scotland. She was educated at the Universities of Pretoria, South Africa and Glasgow. Her research been funded by the Association of Commonwealth Universities, the Royal Society, the Royal Academy of Engineers and the Fulbright Commission. She is particularly interested in deploying behavioural science techniques to improve security behaviours, and in encouraging end-user privacy-preserving behaviours. Her research approach is multi-disciplinary, essentially learning from other, more established, fields and harnessing methods and techniques from other disciplines to understand and influence cyber security behaviours. Karen is associate editor for Transactions on Computer Forensics and Security, Information Technology and People, the International Journal of Human Computer Studies and the Journal of Intellectual Capital. Contact details: Division of Cyber Security, School of Design & Informatics, Abertay University, Kydd Building, Bell Street, Dundee, DD1 1HG. E-mail: k.renaud@abertay.ac.uk Jurjen Jansen, PhD, is a senior researcher at the Cybersafety Research Group of NHL Stenden University of Applied Sciences and the Dutch Police Academy. In 2018, he obtained his PhD in behavioural information security from the Open University of the Netherlands. His research interests include human aspects of information security, cybercrime, victimization, human-computer interaction and behavioural change. Contact details: Cybersafety Research Group, NHL Stenden University of Applied Science and the Dutch Police Academy, Rengerslaan 8-10, 8917 DD Leeuwarden, the Netherlands. E-mail: j.jansen@nhl.nl. Joseph Onibokun, PhD, is a senior e-marketing analyst at Sainsburys Bank, Edinburgh, United Kingdom. In 2012, he obtained his PhD on the topic of the acceptance of social networks from Teesside University, United Kingdom. His research interests are in human-computer interaction and behavioural computer security. Contact details: Sainsburys Bank, 3 Lochside Avenue, Edinburgh Park, EH12 9DG, United Kingdom. E-mail: joseph.onibokun@yahoo.co.uk

PY - 2020/1/14

Y1 - 2020/1/14

N2 - Risk perception is an important driver of netizens' (Internetusers') cybersecurity behaviours, with a number of factors influencingits formation. It has been argued that the affect heuristic can be asource of variation in generic risk perception. However, a majorshortcoming of the supporting research evidence for this assertion isthat the central construct, affect, has not been measured or analysed.Moreover, its influence in the cybersecurity domain has not yet beentested. The contribution of the research reported in this paper is thus:firstly, to test the affect heuristic while measuring its threeconstructs: affect, perceived risk and perceived benefit and, secondly,to test its impact in the cybersecurity domain. By means of twocarefully designed studies (N = 63 and N = 233), we provide evidence forthe influence of the affect heuristic on risk perception in thecybersecurity domain. We conclude by identifying directions for futureresearch into the role of affect and its impact on cybersecurity riskperception.

AB - Risk perception is an important driver of netizens' (Internetusers') cybersecurity behaviours, with a number of factors influencingits formation. It has been argued that the affect heuristic can be asource of variation in generic risk perception. However, a majorshortcoming of the supporting research evidence for this assertion isthat the central construct, affect, has not been measured or analysed.Moreover, its influence in the cybersecurity domain has not yet beentested. The contribution of the research reported in this paper is thus:firstly, to test the affect heuristic while measuring its threeconstructs: affect, perceived risk and perceived benefit and, secondly,to test its impact in the cybersecurity domain. By means of twocarefully designed studies (N = 63 and N = 233), we provide evidence forthe influence of the affect heuristic on risk perception in thecybersecurity domain. We conclude by identifying directions for futureresearch into the role of affect and its impact on cybersecurity riskperception.

M3 - Article

JO - Computers and Security

JF - Computers and Security

SN - 0167-4048

ER -