Cybersecurity Risk Perception and Communication

Research into Cultural Theory, the White Male Effect, and more. We show a high level of concern about cybercrime among US adults and the first evidence of a White Male Effect in cyber risk perception.

  1. Cybersecurity Risk Perception and Communication: Cultural Theory, White Male Effect, and more. Lysa Myers and Stephen Cobb, Security Researchers, ESET
  2. Why research the intersection of cyber, risk, and communication? • Studies show that perceptions of risk differ • There is too much risk in information systems • Understanding risk perception may help to improve risk communication and to reduce risk creation
  3. Cybersecurity can be approached as a risk management problem • Reduce the amount of risk and the problem gets easier to manage • One way to reduce risk is to reduce the number of vulnerabilities
  4. What is risk, in this context? Risk is the probability that a particular threat-source will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability (after NIST Special Publication 800-30). Note that SP 800-30 itself defines risk as a function of both that likelihood and the resulting impact; the wording above is closer to its definition of a threat.
  5. Consider 3 major sources of information system vulnerability • People and companies that make products with holes in them • People who do not practice proper cyber hygiene • Organizations that do not do security properly
  6. What do all three sources of information system vulnerability have in common? THEY DO NOT HEED EXPERTS!
  7. Failure to heed the experts? • When it comes to assessing technology risks, this is not a new problem • Consider nuclear energy, or climate change: 97% of actively publishing climate scientists agree that climate-warming trends over the past century are extremely likely due to human activities.
  10. Failure to heed the experts? Against that 97% agreement among actively publishing climate scientists, the percentage of US adults who think climate change is due to human activity has never broken 50%.
  11. Why do people reject expert advice? • Do they not understand the science? • Don't they have all the facts? • Is it a religious thing? • Are they stupid, or what? • Yes, it could be "or what?"
  12. Why do people reject expert advice? "Cultural theory argues that risks are defined, perceived, and managed according to principles that inhere in particular forms of social organization." (Tansey and Rayner)
  13. The grid-group diagram (after Douglas, Wildavsky, Flynn, Slovic, Kahan, etc.): the GRID axis runs from Hierarchy to Egalitarianism and the GROUP axis from Individualism to Communitarianism, giving four cultural types: Hierarchical Individualist, Hierarchical Communitarian, Egalitarian Individualist, and Egalitarian Communitarian.
  15. Rating risks from a variety of hazards (1994 edition). When the risk ratings were broken down by gender and ethnicity they revealed an interesting "White Male Effect".
  17. A clear gender difference in risk perception [Chart: mean risk rating by gender, Female vs Male; scale 2.0 (low risk) to 4.0 (high risk)]
  18. White males saw less risk across the board [Chart: mean risk rating for White Male, White Female, Nonwhite Male and Nonwhite Female; scale 2.0 (low risk) to 4.0 (high risk)]
  19. What is the White Male Effect? • On aggregate, white males see less risk in technology than white females, non-white females, and non-white males • But the people doing the study were white males with serious concerns about risk • And information security professionals "get" risk, yet the (ISC)2 Workforce Study says we are mostly male (and mostly white) • So what is going on with these survey results?
  20. Dude, they're skewed • Some white males (30%) drastically underestimate risk, relative to the mean • In grid-group terms, they are Hierarchical Individualists • As a group they tend to have more education and higher household incomes • They also tend to be politically conservative [Grid-group diagram repeated: Hierarchy/Egalitarianism against Individualism/Communitarianism, with the four cultural types]
  21. But there is good skew too. For example, some white males are very concerned about global warming. For more examples see CulturalCognition.net
  22. Let's find out if the WME affects perception of risks from information technology • We asked people to rate 15 technology hazards, including some arising from digital technology • If a WME exists with respect to these "cyber-risks", can we use the results to improve risk communication to developers, IT professionals, CEOs, and boards? • If there is no WME, can we still learn something useful?
  23. We selected 9+6 hazards. Nine general hazards: global warming, private gun ownership, medical X-rays, air pollution, "fracking", genetically modified foods, nuclear power, motor vehicle accidents, disposal of hazardous wastes in landfill. Six hazards arising from digital technology: government monitoring of emails and web searches, theft or exposure of private data, criminals hacking into computer systems, corporate computer network failures, companies accumulating your personal data, artificial intelligence.
  24. Presenting the risk of certain hazards (survey wording): "As individuals and as a society, we face a number of possible hazards. Some threaten people's health, safety, or financial well-being directly. Others indirectly threaten health, safety, or financial well-being through the damage they can impose on the environment or the economy. The next set of questions asks how much risk you think the following items pose to human health, safety, or prosperity. In each case you can answer from 'No risk at all' to 'Very high risk'."
  25. Criminal hacking tops the US risk list [Chart: mean risk rating for each of the 15 hazards; scale 2 (low risk) to 6 (high risk), n=740]
  26. Cyber hazard risks relative to other risks, ordered from lowest to highest mean rating: Medical X-rays, Artificial Intelligence, Gun ownership, GM food, Network failures, Nuclear power, Fracking, Gov data monitoring, Accumulating PII, Global warming, Motor vehicles, PII theft/exposure, Hazardous waste, Air pollution, Criminal hacking
  27. Sanity check: before our main study we surveyed US adults to see if concern about cyber risks was real. Question: "Do you think problems with technology, like computer hacking and network outages, pose a risk to your security and well-being?" [Chart: share of respondents answering Almost no risk, Slight risk, Moderate risk, High risk; scale 0% to 40%]
  28. We also looked to see if there was a male effect, and there was [Chart: the same four answers split by Female and Male; scale 0% to 40%, n=847]
  29. For all of our 9+6 hazards, women see more risk [Chart: mean risk rating per hazard, Female vs Male; scale 2 (low risk) to 6 (high risk), n=740]
  31. Women see more risk in "cyber" hazards [Chart: mean risk rating by gender, Male vs Female, n=740, for each hazard in this order: Medical X-rays, Artificial Intelligence, Gun ownership, GM food, Nuclear power, Fracking, Network failures, Gov data monitoring, Accumulating PII, Global warming, Motor vehicles, Hazardous waste, PII theft/exposure, Air pollution, Criminal hacking]
  32. On average, white people see less risk [Chart: mean risk rating, White vs Nonwhite; scale 2 (low risk) to 6 (high risk), n=710]
  33. And the White Male Effect is there, but… [Chart: mean risk rating for White Male, White Female, Non-white Male and Non-white Female; scale 2 (low risk) to 6 (high risk), n=710]
  34. Mixed signals in cyber [Chart: the same four groups on the cyber hazards; scale 3 to 6, n=710]
  35. Notable differences in cultural alignment of cyber risk
  36. Hierarchical individualists and criminal hacking risk
  37. What does it all mean (1/4)? • Some white males underestimate some cyber risks relative to the mean • In organizations where those white males make most technology-related decisions, greater gender and ethnic diversity could improve cyber-risk sensitivity • In general, greater gender and ethnic diversity in technology company boardrooms could reduce the number of vulnerabilities shipped and improve risk assessment and security posture
  38. Cyber risk perception also varies by age [Chart: percentage of survey respondents who rated the risk "high" or "very high" for criminal hacking and for PII exposure, by age group 18-29, 30-44, 45-59, 60+; scale 0% to 70%, n=740]
  39. And remember education and income? [Three charts: percentage of people who rated criminal hacking as high risk or very high risk, by No degree vs Degree, by Uncertified vs P-certified, and by household income Under $75K vs Over $75K; scale 0% to 70%]
  40. What does it all mean (2/4)? • The effectiveness with which cyber-risk is communicated may be improved through a better understanding of Cultural Theory • Consider the Cultural Cognition Project
  41. Cultural cognition: "the tendency of individuals to conform their beliefs about disputed matters of fact… to values that define their cultural identities." (CulturalCognition.net)
  42. Cultural cognition and communication • The power of cultural alignment to influence risk perception, independent of factors such as education and intelligence, suggests new ways of communicating risk • Presenting information "in a manner that affirms rather than threatens people's values" (Cohen) • Making sure that sound information is "vouched for by a diverse set of experts" (Kahan) • Reducing polarization by presenting advocates with diverse values on both sides of the issue (Kahan)
  43. What does it all mean (3/4)? • Companies that rely on the use and adoption of information technology should be very concerned about the public's perception of cyber-risks [Chart: the six highest-rated hazards: Global warming, Motor vehicles, PII theft/exposure, Hazardous waste, Air pollution, Criminal hacking]
  44. What does it all mean (4/4)? • We can probably do better at communicating risk when we have a better understanding of why risk perceptions vary • So let's do more research on this…
  45. Thank you! Lysa.Myers@ESET.com Stephen.Cobb@ESET.com www.WeLiveSecurity.com
