How do non experts think about cyber attack consequences?
Information and Computer Security
ISSN: 2056-4961
Article publication date: 14 April 2022
Issue publication date: 20 October 2022
Abstract
Purpose
Nonexperts do not always follow the advice in cybersecurity warning messages. To increase compliance, it is recommended that warning messages use nontechnical language, describe how the cyberattack will affect the user personally and do so in a way that aligns with how the user thinks about cyberattacks. Implementing those recommendations requires an understanding of how nonexperts think about cyberattack consequences. Unfortunately, research has yet to reveal nonexperts’ thinking about cyberattack consequences. Toward that end, the purpose of this study was to examine how nonexperts think about cyberattack consequences.
Design/methodology/approach
Nonexperts sorted cyberattack consequences based on perceived similarity and labeled each group based on the reason those grouped consequences were perceived to be similar. Participants’ labels were analyzed to understand the general themes and the specific features that are present in nonexperts’ thinking.
Findings
The results suggested participants mainly thought about cyberattack consequences in terms of what the attacker is doing and what will be affected. Further, the results suggested participants thought about certain aspects of the consequences in concrete terms and other aspects of the consequences in general terms.
Originality/value
This research illuminates how nonexperts think about cyberattack consequences. This paper also reveals what aspects of nonexperts’ thinking are more or less concrete and identifies specific terminology that can be used to describe aspects that fall into each case. Such information allows one to align warning messages to nonexperts’ thinking in more nuanced ways than would otherwise be possible.
Keywords
Acknowledgements
This research was supported in part by the U.S. National Science Foundation (Award : 1564293). Opinions, findings, and conclusions are those of the authors and do not necessarily reflect the views of the NSF.
Citation
Jones, K.S., Lodinger, N.R., Widlus, B.P., Siami Namin, A., Maw, E. and Armstrong, M.E. (2022), "How do non experts think about cyber attack consequences?", Information and Computer Security, Vol. 30 No. 4, pp. 473-489. https://doi.org/10.1108/ICS-11-2020-0184
Publisher
:Emerald Publishing Limited
Copyright © 2022, Emerald Publishing Limited