Exploring user behavioral data for adaptive cybersecurity

User Modeling and User-Adapted Interaction

Abstract

This paper describes an exploratory investigation into the feasibility of predictive analytics of user behavioral data as a possible aid in developing effective user models for adaptive cybersecurity. Partial least squares structural equation modeling is applied to the domain of cybersecurity by collecting data on users’ attitude towards digital security, and analyzing how that influences their adoption and usage of technological security controls. Bayesian-network modeling is then applied to integrate the behavioral variables with simulated sensory data and/or logs from a web browsing session and other empirical data gathered to support personalized adaptive cybersecurity decision-making. Results from the empirical study show that predictive analytics is feasible in the context of behavioral cybersecurity, and can aid in the generation of useful heuristics for the design and development of adaptive cybersecurity mechanisms. Predictive analytics can also aid in encoding digital security behavioral knowledge that can support the adaptation and/or automation of operations in the domain of cybersecurity. The experimental results demonstrate the effectiveness of the techniques applied to extract input data for the Bayesian-based models for personalized adaptive cybersecurity assistance.

Notes

  1. http://www.hugin.com.

References

  • Abdullah, F., Ward, R., Ahmed, E.: Investigating the influence of the most commonly used external variables of tam on students’ perceived ease of use (peou) and perceived usefulness (pu) of e-portfolios. Comput. Hum. Behav. 63, 75–90 (2016)

  • Addae, J., Radenkovic, M., Sun, X., Towey, D.: An augmented cybersecurity behavioral research model. In: Computer Software and Applications Conference (COMPSAC), 2016 IEEE 40th Annual, pp. 602–603. IEEE (2016)

  • Addae, J.H., Brown, M., Sun, X., Towey, D., Radenkovic, M.: Measuring attitude towards personal data for adaptive cybersecurity. Inf. Comput. Secur. 25(5), 560–579 (2017)

  • Ahn, J.-H., Ezawa, K.J.: Decision support for real-time telemarketing operations through bayesian network learning. Decis. Support Syst. 21(1), 17–27 (1997)

  • Akiki, P.A., Bandara, A.K., Yu, Y.: Adaptive model-driven user interface development systems. ACM Comput. Surv. 47(1), 9 (2015)

  • Alavi, M., Joachimsthaler, E.A.: Revisiting dss implementation research: a meta-analysis of the literature and suggestions for researchers. Mis Q. 16, 95–116 (1992)

  • Alharbi, S., Drew, S.: Using the technology acceptance model in understanding academics’ behavioural intention to use learning management systems. Int. J. Adv. Comput. Sci. Appl. 5(1), 143–155 (2014)

  • Amin, H.: Internet banking adoption among young intellectuals. J. Internet Bank. Commer. 12(3), 1–13 (2007)

  • Anwar, M., He, W., Ash, I., Yuan, X., Li, L., Xu, L.: Gender difference and employees’ cybersecurity behaviors. Comput. Hum. Behav. 69, 437–443 (2017)

  • Ardissono, L., Gena, C., Torasso, P., Bellifemine, F., Difino, A., Negro, B.: User modeling and recommendation techniques for personalized electronic program guides. In: Ardissono, L., Kobsa, A., Maybury, M. (eds.) Personalized Digital Television, pp. 3–26. Springer, New York (2004)

  • Bélanger, F., Carter, L.: Trust and risk in e-government adoption. The Journal of Strategic Information Systems 17(2), 165–176 (2008)

  • Bordo, V.: Overview of User Acceptance Testing (UAT) for Business Analysts (BAs). https://www.scribd.com/document/155942082/Overview-of-User-Acceptance-Testing-UAT-for-Business-Analysts-BAs (2010). Accessed 2 May 2019

  • Bostrom, R.P., Olfman, L., Sein, M.K.: The importance of learning style in end-user training. MIS Q. 17, 101–119 (1990)

  • Buczak, A.L., Guven, E.: A survey of data mining and machine learning methods for cyber security intrusion detection. IEEE Commun. Surv. Tutor. 18(2), 1153–1176 (2016)

  • Bunt, A., Conati, C., McGrenere, J.: What role can adaptive support play in an adaptable system? In: Proceedings of the 9th International Conference on Intelligent User Interfaces, pp. 117–124. ACM (2004)

  • Calisir, F., Altin Gumussoy, C., Bayraktaroglu, A.E., Karaali, D.: Predicting the intention to use a web-based learning system: perceived content quality, anxiety, perceived system quality, image, and the technology acceptance model. Hum. Factors Ergon. Manuf. Serv. Ind. 24(5), 515–531 (2014)

  • Cambazoglu, V., Thota, N.: Computer science students’ perception of computer network security. In: Learning and Teaching in Computing and Engineering (LaTiCE), pp. 204–207. IEEE, Los Alamitos (2013)

  • Canongia, C., Mandarino Jr., R.: Cybersecurity: The new challenge of the information society. In: Merkel, M., Wolfe, K., DeMarco, A. (eds.) Concepts, Methodologies, Tools, and Applications, Crisis Management, p. 60. IGI Global, Hershey, PA (2013)

  • Castaneda, J.A., Frías, D.M., Rodríguez, M.A.: Antecedents of internet acceptance and use as an information source by tourists. Online Inf. Rev. 33(3), 548–567 (2009)

  • Cavelty, M.D.: Breaking the cyber-security dilemma: aligning security needs and removing vulnerabilities. Sci. Eng. Ethics 20(3), 701–715 (2014)

  • Chang, P. V.: The validity of an extended technology acceptance model (TAM) for predicting intranet/portal usage, Master Thesis, University of North Carolina (2004)

  • Chang, A. J.-T.: Roles of perceived risk and usefulness in information system security adoption. In: 2010 IEEE International Conference on Management of Innovation and Technology (ICMIT), pp. 1264–1269. IEEE (2010)

  • Chau, P.Y.: Influence of computer attitude and self-efficacy on it usage behavior. J. Organ. End User Comput. 13(1), 26 (2001)

  • Chellappa, R.K., Sin, R.G.: Personalization versus privacy: an empirical examination of the online consumer’s dilemma. Inf. Technol. Manag. 6(2), 181–202 (2005)

  • Cheung, J., Li, S., Totolici, A., Zheng, P.: Usability Analysis of Sophos Antivirus. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.625.9214&rep=rep1&type=pdf (2001). Accessed 2 May 2019

  • Chin, W.W., Marcolin, B.L., Newsted, P.R.: A partial least squares latent variable modeling approach for measuring interaction effects: results from a Monte Carlo simulation study and an electronic-mail emotion/adoption study. Inf. Syst. Res. 14(2), 189–217 (2003)

  • Church, L.: End User Security: The democratisation of security usability. 1st international workshop on Security and Human Behaviour. https://www.researchgate.net/profile/Luke_Church/publication/228851094_End_User_Security_The_democratisation_of_security_usability/links/0c96052a117ae3a4f5000000/End-User-Security-The-democratisation-of-security-usability.pdf (2008). Accessed 2 May 2019

  • Compeau, D., Higgins, C.A., Huff, S.: Social cognitive theory and individual reactions to computing technology: a longitudinal study. MIS Q. 23, 145–158 (1999)

  • Conklin, W.: Computer Security Behaviors Of Home PC Users: A Diffusion of Innovation Approach. The University of Texas at San Antonio, San Antonio (2006)

  • Coventry, L., Briggs, P., Blythe, J., Tran, M.: Using behavioural insights to improve the public’s use of cyber security best practices. Gov. UK report (2014)

  • Craigen, D., Diakun-Thibault, N., Purse, R.: Defining cybersecurity. Technol. Innov. Manag. Rev. 4(10), 13–21 (2014)

  • Crossler, R., Bélanger, F.: An extended perspective on individual security behaviors: protection motivation theory and a unified security practices (usp) instrument. ACM SIGMIS Database Database Adv. Inf. Syst. 45(4), 51–71 (2014)

  • Dai, B., Forsythe, S., Kwon, W.-S.: The impact of online shopping experience on risk perceptions and online purchase intentions: does product category matter? J. Electron. Commer. Res. 15(1), 13 (2014)

  • Davis, F.D.: Perceived usefulness, perceived ease of use, and user acceptance of information technology. MIS Q. 13, 319–340 (1989)

  • Davis, F.D.: User acceptance of information technology: system characteristics, user perceptions and behavioral impacts. Int. J. Man Mach. Stud. 38(3), 475–487 (1993)

  • Davis, F.D., Bagozzi, R.P., Warshaw, P.R.: User acceptance of computer technology: a comparison of two theoretical models. Manag. Sci. 35(8), 982–1003 (1989)

  • Dillon, A.: User Acceptance of Information Technology. Taylor and Francis, London (2001)

  • Ellis, G.: NAE grand challenges for engineering. IEEE Eng. Manag. Rev. 1(37), 3 (2009)

  • EU: Attitudes on data protection and electronic identity in the european union. Eurobarometer Special Surveys, 359 (2011)

  • Featherman, M.S., Pavlou, P.A.: Predicting e-services adoption: a perceived risk facets perspective. Int. J. Hum. Comput. Stud. 59(4), 451–474 (2003)

  • Forsythe, S.M., Shi, B.: Consumer patronage and risk perceptions in internet shopping. J. Bus. Res. 56(11), 867–875 (2003)

  • Forsythe, S., Liu, C., Shannon, D., Gardner, L.C.: Development of a scale to measure the perceived benefits and risks of online shopping. J. Interact. Mark. 20(2), 55–75 (2006)

  • Furnell, S., Clarke, N.: Power to the people? The evolving recognition of human aspects of security. Comput. Secur. 31(8), 983–988 (2012)

  • Garson, D.: Partial Least Squares: Regression and Path Modeling. Statistical Publishing Associates, Asheboro, NC (2012)

  • Gefen, D., Straub, D.W.: The relative importance of perceived ease of use in is adoption: a study of e-commerce adoption. J. Assoc. Inf. Syst. 1(1), 8 (2000)

  • Gefen, D., Karahanna, E., Straub, D.W.: Trust and tam in online shopping: an integrated model. MIS Q. 27(1), 51–90 (2003)

  • Gelman, A., Carlin, J.B., Stern, H.S., Dunson, D.B.: Bayesian Data Analysis, vol. 2. CRC Press, Boca Raton (2014)

  • Gratian, M., Bandi, S., Cukier, M., Dykstra, J., Ginther, A.: Correlating human traits and cyber security behavior intentions. Comput. Secur. 73, 345–358 (2018)

  • Haddadi, H., Howard, H., Chaudhry, A., Crowcroft, J., Madhavapeddy, A., Mortier, R.: Personal data: thinking inside the box. arXiv preprint arXiv:1501.04737 (2015)

  • Hair, J.F., Black, W.C., Babin, B.J., Anderson, R.E.: Multivariate Data Analysis, 7th edn. Prentice-Hall Inc, Upper Saddle River (2010)

  • Hair, J.F., Ringle, C.M., Sarstedt, M.: PLS-SEM: indeed a silver bullet. J. Mark. Theory Pract. 19(2), 139–152 (2011)

  • Hair Jr., J.F., Hult, G.T.M., Ringle, C., Sarstedt, M.: A Primer on Partial Least Squares Structural Equation Modeling (PLS-SEM). Sage Publications, Thousand Oaks (2016)

  • Hasan, B.: Delineating the effects of general and system-specific computer self-efficacy beliefs on is acceptance. Inf. Manag. 43(5), 565–571 (2006)

  • Heckerman, D., Geiger, D., Chickering, D.M.: Learning Bayesian networks: the combination of knowledge and statistical data. Mach. learn. 20(3), 197–243 (1995)

  • Henseler, J., Hubona, G., Ray, P.A.: Using pls path modeling in new technology research: updated guidelines. Ind. Manag. Data Syst. 116(1), 2–20 (2016)

  • Herath, T., Rao, H.R.: Protection motivation and deterrence: a framework for security policy compliance in organisations. Eur. J. Inf. Syst. 18(2), 106–125 (2009)

  • Hof, H.-J.: User-centric IT security-how to design usable security mechanisms. arXiv preprint arXiv:1506.07167 (2015)

  • Holden, H., Rada, R.: Understanding the influence of perceived usability and technology self-efficacy on teachers’ technology acceptance. J. Res. Technol. Educ. 43(4), 343–367 (2011)

  • Hong, W., Thong, J.Y., Wai-Man Wong, K.-Y.T.: Determinants of user acceptance of digital libraries: an empirical examination of individual differences and system characteristics. J. Manag. Inf. Syst. 18(3), 97–124 (2002)

  • Howe, A.E., Ray, I., Roberts, M., Urbanska, M., Byrne, Z.: The psychology of security for the home computer user. In: 2012 IEEE Symposium on Security and Privacy (SP), pp. 209–223. IEEE (2012)

  • Huth, D.: A pattern catalog for GDPR compliant data protection. In: PoEM Doctoral Consortium, pp. 34–40 (2017)

  • Igbaria, M., Zinatelli, N., Cragg, P., Cavaye, A.L.: Personal computing acceptance factors in small firms: a structural equation model. MIS Q. 21, 279–305 (1997)

  • Izquierdo-Yusta, A., Olarte-Pascual, C., Reinares-Lara, E.: Attitudes toward mobile advertising among users versus non-users of the mobile internet. Telemat. Inform. 32(2), 355–366 (2015)

  • Jacoby, J., Kaplan, L.: The components of perceived risk. Adv. Consum. Res. 3, 382–383 (1972)

  • Jason, B., Calitz, A., Greyling, J.: The evaluation of an adaptive user interface model. In: Proceedings of the 2010 Annual Research Conference of the South African Institute of Computer Scientists and Information Technologists, pp. 132–143. ACM (2010)

  • Jeyaraj, A., Rottman, J.W., Lacity, M.C.: A review of the predictors, linkages, and biases in it innovation adoption research. J. Inf. Technol. 21(1), 1–23 (2006)

  • Juarez-Ramirez, R., Navarro-Almanza, R., Gomez-Tagle, Y., Licea, G., Huertas, C., Quinto, G.: Orchestrating an adaptive intelligent tutoring system: towards integrating the user profile for learning improvement. Proc. Soc. Behav. Sci. 106, 1986–1999 (2013)

  • Judson, R., Elloumi, F., Setzer, R.W., Li, Z., Shah, I.: A comparison of machine learning algorithms for chemical toxicity classification using a simulated multi-scale data model. BMC Bioinform. 9(1), 241 (2008)

  • Kainda, R., Flechais, I., Roscoe, A.: Security and usability: analysis and evaluation. In: ARES’10 International Conference on Availability, Reliability, and Security, 2010, pp. 275–282. IEEE (2010)

  • Kaplan, L.B., Szybillo, G.J., Jacoby, J.: Components of perceived risk in product purchase: a cross-validation. J. Appl. Psychol. 59(3), 287 (1974)

  • Kim, J.W., Lee, B.H., Shaw, M.J., Chang, H.-L., Nelson, M.: Application of decision-tree induction techniques to personalized advertisements on internet storefronts. Int. J. Electron. Commer. 5(3), 45–62 (2001)

  • Koller, D., Friedman, N., Getoor, L., Taskar, B.: Graphical models in a nutshell. http://www.seas.upenn.edu/taskar/pubs/gms-srl07.pdf (2007)

  • Kuflik, T., Kay, J., Kummerfeld, B.: Challenges and solutions of ubiquitous user modeling. In: Ubiquitous Display Environments, pp. 7–30. Springer (2012)

  • Kumaraguru, P., Cranshaw, J., Acquisti, A., Cranor, L., Hong, J., Blair, M.A., Pham, T.: A real-world evaluation of anti-phishing training. Technical report, Carnegie Mellon University (2009)

  • LaRose, R., Rifon, N., Liu, S., Lee, D.: Understanding online safety behavior: a multivariate model. In: The 55th Annual Conference of the International Communication Association, New York city (2005)

  • LaRose, R., Rifon, N.J., Enbody, R.: Promoting personal responsibility for internet safety. Commun. ACM 51(3), 71–76 (2008)

  • Lee, M.-C.: Factors influencing the adoption of internet banking: an integration of tam and tpb with perceived risk and perceived benefit. Electron. Commer. Res. Appl. 8(3), 130–141 (2009)

  • Lee, Y., Kozar, K.A.: An empirical investigation of anti-spyware software adoption: a multitheoretical perspective. Inf. Manag. 45(2), 109–119 (2008)

  • Lin, W.-S.: Perceived fit and satisfaction on web learning performance: is continuance intention and task-technology fit perspectives. Int. J. Hum. Comput. Stud. 70(7), 498–507 (2012)

  • Lin, J.C.-C., Lu, H.: Towards an understanding of the behavioural intention to use a web site. Int. J. Inf. Manag. 20(3), 197–208 (2000)

  • Liu, B., Andersen, M.S., Schaub, F., Almuhimedi, H., Zhang, S.A., Sadeh, N., Agarwal, Y., Acquisti, A.: Follow my recommendations: A personalized privacy assistant for mobile app permissions. In: Twelfth Symposium on Usable Privacy and Security (SOUPS 2016), pp. 27–41 (2016)

  • Lu, H.-P., Hsu, C.-L., Hsu, H.-Y.: An empirical study of the effect of perceived risk upon intention to use online applications. Inf. Manag. Comput. Sec. 13(2), 106–120 (2005)

  • Lu, J., Lu, C., Yu, C.-S., Yao, J.E.: Exploring factors associated with wireless internet via mobile technology acceptance in mainland china. Commun. IIMA 3(1), 9 (2014)

  • Madsen, A.L., Jensen, F., Kjaerulff, U.B., Lang, M.: The hugin tool for probabilistic graphical models. Int. J. Artif. Intell. Tools 14(03), 507–543 (2005)

  • Maguire, M.: Context of use within usability activities. Int. J. Human Comput. Stud. 55(4), 453–483 (2001)

  • Mezhoudi, N., Medina, J.L.P., Khaddam, I., Vanderdonckt, J.: Context-awareness meta-model for user interface runtime adaptation. Int. J. Softw. Eng. 2 (2015)

  • Milne, G.R., Labrecque, L.I., Cromer, C.: Toward an understanding of the online consumer’s risky behavior and protection practices. J. Consum. Aff. 43(3), 449–473 (2009)

  • Mitnick, K.D., Simon, W.L.: The Art of Deception: Controlling the Human Element of Security. Wiley, New York (2011)

  • Morris, M.G., Venkatesh, V.: Age differences in technology adoption decisions: implications for a changing work force. Pers. Psychol. 53(2), 375–403 (2000)

  • Mun, Y.Y., Hwang, Y.: Predicting the use of web-based information systems: self-efficacy, enjoyment, learning goal orientation, and the technology acceptance model. Int. J. Hum Comput. Stud. 59(4), 431–449 (2003)

  • Nadkarni, S., Shenoy, P.P.: A causal mapping approach to constructing bayesian networks. Decis. Support Syst. 38(2), 259–281 (2004)

  • Ng, B.-Y., Rahim, M.: A socio-behavioral study of home computer users’ intention to practice security. In: PACIS 2005 Proceedings, p. 20 (2005)

  • Nielsen, J.: Usability Engineering. Elsevier, Amsterdam (1994)

  • Nielsen, T.D., Jensen, F.V.: Bayesian Networks and Decision Graphs. Springer (2009)

  • Notario, N., Crespo, A., Martín, Y.-S., Del Alamo, J.M., Le Métayer, D., Antignac, T., Kung, A., Kroener, I., Wright, D.: Pripare: integrating privacy best practices into a privacy engineering methodology. In: Security and Privacy Workshops (SPW), 2015 IEEE, pp. 151–158. IEEE (2015)

  • Omidosu, J., Ophoff, J.: A theory-based review of information security behavior in the organization and home context. In: 2016 International Conference on Advances in Computing and Communication Engineering (ICACCE), pp. 225–231. IEEE (2016)

  • Özkan, S., Bindusara, G., Hackney, R.: Facilitating the adoption of e-payment systems: theoretical constructs and empirical analysis. J. Enterp. Inf. Manag. 23(3), 305–325 (2010)

  • Parsons, K., McCormac, A., Butavicius, M., Ferguson, L.: Human factors and information security: individual, culture and security environment. Report, DTIC Document (2010)

  • Pearson, S.: Privacy, Security and Trust in Cloud Computing, Book Section 1, pp. 9–13. Springer, Berlin (2013)

  • Pituch, K.A., Lee, Y.-K.: The influence of system characteristics on e-learning use. Comput. Educ. 47(2), 222–244 (2006)

  • Raghu, T., Kannan, P., Rao, H.R., Whinston, A.B.: Dynamic profiling of consumers for customized offerings over the internet: a model and analysis. Decis. Support Syst. 32(2), 117–134 (2001)

  • Rainie, L., Kiesler, S., Kang, R., Madden, M., Duggan, M., Brown, S., Dabbish, L.: Anonymity, Privacy, and Security Online. Pew Research Center, Washington, DC (2013)

  • Ramayah, T.: Doing e-research with e-library: determinants of perceived ease of use of e-library. Int. J. Technol. Knowl. Soc. 1(4), 71–82 (2006)

  • Ringle, C.M., Wende, S., Becker, J.-M.: Smartpls 3. SmartPLS GmbH, Boenningstedt (2015). http://www.smartpls.com

  • Ross, R.S., Johnson, L.A.: Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans. National Institute of Standards and Technology, Gaithersburg (2010)

  • Sakellaropoulos, G., Nikiforidis, G.: Prognostic performance of two expert systems based on bayesian belief networks. Decis. Support Syst. 27(4), 431–442 (2000)

  • Sarstedt, M., Henseler, J., Ringle, C.M.: Multigroup Analysis in Partial Least Squares (PLS) Path Modeling: Alternative Methods and Empirical Results, pp. 195–218. Emerald Group Publishing Limited, Bingley (2011)

  • Schneier, B.: Secrets and Lies: Digital Security in a Networked World. Wiley, New York (2011)

  • Schwartz, A.M.: Cybersecurity, innovation, and the internet economy. Report (2011)

  • Shaughnessy, P., Livingston, G.: Evaluating the causal explanatory value of Bayesian network structure learning algorithms. Research Paper, 13 (2005)

  • Sheng, S., Holbrook, M., Kumaraguru, P., Cranor, L. F., Downs, J.: Who falls for phish?: a demographic analysis of phishing susceptibility and effectiveness of interventions. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 373–382. ACM (2010)

  • Shin, D.-H.: Towards an understanding of the consumer acceptance of mobile wallet. Comput. Hum. Behav. 25(6), 1343–1354 (2009)

  • Suh, B., Han, I.: The impact of customer trust and perception of security control on the acceptance of electronic commerce. Int. J. Electron. Commer. 7(3), 135–161 (2003)

  • Sun, H., Zhang, P.: The role of moderating factors in user technology acceptance. Int. J. Hum. Comput. Stud. 64(2), 53–78 (2006)

  • Tenenhaus, M., Vinzi, V.E., Chatelin, Y.-M., Lauro, C.: PLS path modeling. Comput. Stat. Data Anal. 48(1), 159–205 (2005)

  • Thong, J.Y., Hong, W., Tam, K.-Y.: Understanding user acceptance of digital libraries: what are the roles of interface characteristics, organizational context, and individual differences? Int. J. Hum. Comput. Stud. 57(3), 215–242 (2002)

  • Thong, J.Y., Hong, W., Tam, K.Y.: What leads to user acceptance of digital libraries? Commun. ACM 47(11), 78–83 (2004)

  • Topa, I., Karyda, M.: Identifying factors that influence employees’ security behavior for enhancing isp compliance. In: International Conference on Trust and Privacy in Digital Business, pp. 169–179. Springer (2015)

  • Tsai, H.-Y.S., Jiang, M., Alhabash, S., LaRose, R., Rifon, N.J., Cotten, S.R.: Understanding online safety behaviors: a protection motivation theory perspective. Comput. Secur. 59, 138–150 (2016)

  • Tsanas, A., Xifara, A.: Accurate quantitative estimation of energy performance of residential buildings using statistical machine learning tools. Energy Build. 49, 560–567 (2012)

  • Urbach, N., Ahlemann, F.: Structural equation modeling in information systems research using partial least squares. J. Inf. Technol. Theory Appl. 11(2), 5 (2010)

  • Venkatesh, V., Davis, F.D.: A theoretical extension of the technology acceptance model: four longitudinal field studies. Manag. Sci. 46(2), 186–204 (2000)

  • Venkatesh, V., Morris, M.G.: Why don’t men ever stop to ask for directions? Gender, social influence, and their role in technology acceptance and usage behavior. MIS Q. 24, 115–139 (2000)

  • Venkatesh, V., Morris, M.G., Davis, G.B., Davis, F.D.: User acceptance of information technology: toward a unified view. MIS Q. 27, 425–478 (2003)

  • Whitten, A., Tygar, J. D.: Why Johnny can’t encrypt: A usability evaluation of PGP 5.0. In: Proceedings of the 8th Conference on USENIX Security Symposium—Volume 8, SSYM’99, pp. 14–14, Berkeley, CA, USA. USENIX Association (1999)

  • Wong, T.: On the usability of firewall configuration. In: Symposium on Usable Privacy and Security (2008)

  • Woon, I., Tan, G.-W., Low, R.: A protection motivation theory approach to home wireless security. In: ICIS 2005 Proceedings, p. 31 (2005)

  • Xu, D.J.: The influence of personalization in affecting consumer attitudes toward mobile advertising in china. J. Comput. Inf. Syst. 47(2), 9–19 (2006)

  • Xu, D.J., Liao, S.S., Li, Q.: Combining empirical experimentation and modeling techniques: a design research approach for personalized mobile advertising applications. Decis. Support Syst. 44(3), 710–724 (2008)

  • Yiu, C.S., Grant, K., Edgar, D.: Factors affecting the adoption of internet banking in hong kong-implications for the banking sector. Int. J. Inf. Manag. 27(5), 336–351 (2007)

  • Zurko, M.E., Simon, R.T.: User-centered security. In: Proceedings of the 1996 Workshop on New Security Paradigms, NSPW ’96, pp. 27–33, New York, NY, USA. ACM (1996)

Acknowledgements

The authors acknowledge the financial support from the International Doctoral Innovation Centre (IDIC), Ningbo Education Bureau, Ningbo Science and Technology Bureau, China’s MoST and The University of Nottingham. This work was also supported by the Horizon Digital Economy Research, UK.

Author information

Corresponding author

Correspondence to Xu Sun.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

A Survey instrument, descriptions and references for measured items

Part 1—Demographic Profile/External Variables

Essential for defining personal aspects of users in specific contexts (Lu et al. 2005, Juárez-Ramírez et al. 2013).

Individual differences—demographics

Gender
What is your gender?
Options:
A. Male
B. Female
C. Prefer not to say

Age
In which category is your age?
Options:
A. 18–24 years
B. 25–34 years
C. 35–44 years
D. 45–64 years
E. 65–74 years
F. 75 years or older

Education
What is the highest degree or level of education you have completed? If currently enrolled, mark the previous grade or highest degree received.
Options:
A. 12th grade or less (no diploma)
B. High school diploma
C. Some college, no degree
D. Associate or technical degree
E. Bachelor’s degree
F. Graduate degree/professional

Employment status
Options:
A. Employed for wages
B. Self-employed
C. Out of work and looking for work
D. Out of work but not currently looking for work
E. A homemaker
F. A student
G. Retired
H. Unable to work

Income
What category best describes your annual household income?
Options:
A. Less than $10,999
B. $11,000 to $49,999
C. $50,000 to $99,999
D. $100,000 or more

Ethnicity
How would you classify yourself?
Options:
A. Arab
B. Asian/Pacific Islander
C. African/black
D. Caucasian/white
E. Hispanic
F. Latino
G. Multiracial
H. Other: ........

Physical environment/location
Please indicate how often you use a notebook computer in the following locations
Options:
A. Home:
B. Apartment Lounge:
C. Friend’s house:
D. Coffee Shop:
E. Students Residence Halls:
F. Classrooms/lecture Halls
G. Other: ........

Experience and/or frequency of use

The set of questions here will be used to determine users' level of experience with web browser security settings as well as actual usage (Chang 2004; Ng and Rahim 2005).

How many times do you use web browsers during a week?

A. not at all

B. once/week

C. several times/week

D. Less than once/day

E. Once/day

F. 2–3/day

G. Several times/day

Which of the following web browsers are you most familiar with?

A. Internet Explorer

B. Google Chrome

C. Firefox

D. Other: ........

Which of the following web browser design do you prefer and/or find enjoyable to use?

A. Internet Explorer

B. Google Chrome

C. Firefox

D. Other: ........

How often do you change security settings on your web browser?

A. not at all

B. Once/week

C. Several times/week

D. Less than once/day

E. Once/day

F. 2–3/day

G. Several times/day

Domain Knowledge (DK)

5-point Likert-type scale (strongly agree to strongly disagree)

Adapted from Milne et al. (2009)

DK_1: I have had significant experience with configuring my browser security settings in the past

DK_2: I am knowledgeable about cybersecurity and privacy related technologies

DK_3: I am skilled at avoiding dangers while browsing the internet

Individual Differences—Descriptive Characteristics

SE and SBCL are PMT constructs used to examine the mediating effects of participants' protection motivation on cybersecurity behaviors. The set of questions here is used to examine users' level of experience with their preferred web browser as well as exposure to web browser security issues and protection motivation levels (Chang 2004; Ng and Rahim 2005). SE items are adapted from the instrument developed and empirically validated by Compeau et al. (1999), while SBCL items are adapted from Herath and Rao (2009).

Self-Efficacy (SE)

I could optimize my web browser security settings ...

SE_1: ... if I had only the web browser manuals for reference.

SE_2: ... if I had seen someone else doing it before trying it myself (Reverse Coded)

SE_3: ... if there was no one around to tell me what to do as I go

Security Breach Concern Level (SBCL)

SBCL_1: Cybersecurity issues affects me directly

SBCL_2: Cybersecurity threats are exaggerated (Reverse Coded)

SBCL_3: I think cybersecurity issues should be taken seriously

SBCL_4: Security breaches are only targeted at organizations (Reverse Coded)

System Characteristics (SC)—SC assesses participants’ views on the user-friendliness of their preferred web browser and is measured using items from Thong et al. (2002, 2004). The construct is used to elicit individual preferences in terms of the Design, Terminology/Language and Navigation of the browser security interface/user interactions with the following items:

IC_1: I understand the terms used on my preferred browser security interfaces

IC_2: Layout of the browser security interface is clear and consistent

IC_3: The sequence of screens for security settings is difficult to navigate (Reverse Coded)

IC_4: Security functions are well depicted by buttons and symbols

Part 2 (A)—User Perceptions (TAM & PMT)

Perceived Ease of Use (PEOU)—“the degree to which an individual believes that using a particular system would be free of physical and mental effort” (Davis 1989). Likert-type statements were adapted from a previously validated measurement inventory of TAM variables and rephrased for web browser security settings (Davis et al. 1989; Lu et al. 2014; Thong et al. 2002; Venkatesh and Davis 2000).

PEOU_1: Learning to configure browser security settings is easy for me

PEOU_2: Interacting with the interface for web browser security settings does not require a lot of my mental effort

PEOU_3: My interaction with web browser security settings is clear and understandable

PEOU_4: I find it easy to optimize my web browser security to the level of protection I want for my computer and privacy

Perceived Usefulness (PU)—also adapted from TAM’s scale items, this is the degree to which a person believes web browser security settings would improve their protection against cyber-attacks (Davis 1989).

PU_1: Web browser security functionalities give me greater control over my safety and privacy online

PU_2: Overall, I find browser security settings useful in protecting my computer from cyber attacks

PU_3: Optimising my browser security settings gives me peace of mind when I am working with the internet

PU_4: The sensitive nature of information I search for and/or store on my personal computer requires me to optimize my web browser security settings

Perceived Risk (PR)—Questionnaire items for perceived risk were adapted from Lu et al. (2005). Their research findings indicate that perceived risk indirectly impacts intentions to use an online application under security threats.

PR_1: Security functionalities embedded in web browsers are not adequate for preventing cyber attacks

PR_2: It is important to optimize browser security when visiting sites that require data input

PR_3: I can make mistakes while configuring my browser settings, which can cause damage to my computer

Value for Personalization (VFP)—in this study VFP refers to the level of appreciation that a user has for all types of personalization possibilities within cyberspace. Items were adapted from the value of online personalisation scale developed and validated by Chellappa and Sin (2005).

VFP_1: I value online applications that are personalized based on information that is collected automatically (such as IP address, pages viewed, access time) but cannot identify me as an individual.

VFP_2: I value products and services that are personalized on information that I have voluntarily given out (such as age range, salary range, Zip Code) but cannot identify me as an individual.

VFP_3: I value application interfaces that are personalized for the device (e.g. desktop, mobile phone, tablet, etc.), browser (e.g. Internet Explorer, Chrome, Firefox, etc.) and operating system (e.g. Windows, Unix) that I use.

Part 2 (B)—Attitude to Personal Data (APD)

To minimize survey fatigue, the APD scale adopted from Addae et al. (2017) is simplified based on the overall cluster membership predictor importance of the APD factors as well as the reliability scores of the measured items.

Protection

PDP_1: I regularly look out for new policies on personal data protection

PDP_2: I consider the privacy policy of institutions where I give out such personal details

PDP_3: I don’t always optimize my privacy settings when I create an online profile (Reverse Coded)

Awareness

PDA_1: Such details about me are of value to external organizations

PDA_2: Researchers don’t need my consent to access my personal details (Reverse Coded)

PDA_3: Data collection organizations need to disclose the way the data are collected, processed and used.

Privacy Concern

PRI_1: I am sensitive about giving out information regarding my preferences

PRI_2: I am concerned about anonymous information (information collected automatically but cannot be used to identify me, such as my computer, network information, operating system, etc.) that is collected about me.

Part 3—Cybersecurity Behavioral Intentions

Personalized Cybersecurity Adoption Intention (BI)—Items used to examine participants’ general attitude to personalized adaptive web browser security are adapted from (Lu et al. 2014; Ng and Rahim 2005).

BI_1: I am likely to accept personalized browser security update notification

BI_2: It is possible that I will allow adjustments to my web browser security settings to improve my safety online

BI_3: I am certain that I will pay attention to cybersecurity alerts tailored to my personal preference

Actual Cybersecurity Behavior (ACB)—Items determining user interaction with web browser security settings were selected and adapted from the list of strategies people adopt to protect themselves online identified by Rainie et al. (2013).

ACB_1: I have used a service that allows me to browse the web anonymously

ACB_2: I don’t set my browser to disable or turn off cookies (Reverse Coded)

ACB_3: I regularly clear cookies and browser history while I use the internet

ACB_4: I sometimes encrypt my communications while using the internet

Part 4—Components of personalization

Items were adapted from Xu et al. (2008) to acquire participants’ ratings of the personalization dimensions identified for the purposes of building a BN-based model for adaptive cybersecurity.

User preference

1. Please indicate the importance of the following user interface characteristics to be considered in personalizing your web browser security and privacy settings:

  a. Language

  b. Presentation style (popup, icon change etc.)

  c. Navigation style (buttons, drop down etc.)

  d. Level of Information (Detailed vs. simplified)

  e. Others (please specify)

Adaptive Cybersecurity

2. Please indicate the importance of the following characteristics of an adaptive cybersecurity to be considered in personalizing your web browser security and privacy settings.

  a. User Effort Required

  b. Benefit of the security configuration

  c. Cost of the automated configuration

  d. Others (please specify)

Context

3. Please indicate the importance of the following contextual factors, which should be taken into consideration in personalizing your web browser security and privacy settings.

  a. Browser Type

  b. Enabled Browser Extensions

  c. Location

  d. Time

  e. Others (please specify)

User Goals/Needs

3. Please indicate the importance of the following user actions, which should be taken into consideration in personalizing your web browser security and privacy settings.

  a. Active Browsing session

  b. Browser History

  c. Explicit security/privacy queries

  d. Previous acceptance of personalized cybersecurity

  e. Others (please specify)


Cite this article

Addae, J.H., Sun, X., Towey, D. et al. Exploring user behavioral data for adaptive cybersecurity. User Model User-Adap Inter 29, 701–750 (2019). https://doi.org/10.1007/s11257-019-09236-5
