Time pressure in human cybersecurity behavior: Theoretical framework and countermeasures
Introduction
Cybersecurity policies, procedures, and controls are common countermeasures for protecting organizations against cyberattacks (von Solms, 2006). However, without taking human behavior into consideration, crafting and implementing countermeasures will likely be ineffective, which is evident from a range of recent cybersecurity incidents. For instance, in 2017 about 200 million US voters’ sensitive personal data was mistakenly exposed to an unprotected public cloud (Forbes, 2017). In the same year, Equifax experienced a significant security failure due to a critical vulnerability left uncorrected by security staff (Bohmayr et al., 2018). A recent report by Australia's Information Commissioner revealed that human error is the most significant non-malicious source of all data breach incidents (OAIC, 2019). Hence, understanding the factors influencing non-secure behavior is becoming increasingly important for researchers and practitioners.
One of the factors that impacts human behavior and decision making, in general, is time pressure (Davidson, 1989; Ordóñez and Benson, 1997). Also in cybersecurity contexts, researchers found evidence that time pressure plays a critical role behind non-secure behaviors. Users, both in the professional and the private context, frequently experience time pressure, directly and indirectly, and their behavior is affected by it. Ironically, the source of time pressure is often associated with the pervasiveness of information and communications technologies (ICT) and the work interruptions caused by these (Rissler et al., 2017). Also, the increasing complexity of ICT infrastructure exacerbates the stress induced by time pressure, contributing to a “need it fast” attitude (Amoroso, 2018). Taken together, these factors weaken the “human firewall” and thereby impair the effectiveness of security countermeasures.
Researchers emphasize that, as cybersecurity encompasses daily interactions between human users and systems, security countermeasures should consider socio-technical aspects beyond only technical controls (e.g., Kraemer et al., 2009; Benson et al., 2019). This insight builds on the notion that changes in the technical domain should be complemented by changes in the societal or human domain, particularly for phenomena that are inherently driven by human perception and behavior. As one such phenomenon, human behavior under time pressure in a cybersecurity context requires countermeasures that consider technical controls as well as non-technical interventions to mitigate the detrimental effects of non-secure behavior on cybersecurity assets.
Studies designed specifically to explore the phenomenon of time pressure and the countermeasures to address it are scant. Moreover, to the best of our knowledge, there is limited conceptual work that may guide researchers and practitioners in (1) better understanding the role of time pressure in non-secure human cybersecurity (HCS) behavior and (2) designing effective countermeasures. Against this backdrop, we conducted a series of 35 semi-structured interviews with cybersecurity experts, non-security professionals, and private users to investigate the following two research questions:
RQ1: How can the influence of time pressure on non-secure human cybersecurity behavior be conceptualized into an integrative framework?
RQ2: What countermeasures can be used to reduce the detrimental impact of time pressure on non-secure human cybersecurity behavior?
Human affect and cognition in human cybersecurity behavior
HCS behavior plays a pivotal role in security. About 50% of all cybersecurity incidents can be traced back to non-malicious behavior of non-technical professionals (PwC, 2018). As such, non-secure behavior contributes to creating further vulnerabilities, exacerbating existing vulnerabilities, and thus undermines cybersecurity overall. Theories on HCS behavior often assume deliberate thought processes. However, the extent to which these theories can explain behavior in stressful situations such
Research method
We set out to address our research questions by means of a set of semi-structured interviews which allow us to explore the phenomenon in depth and breadth (Lazar et al., 2017). Because many factors around individuals’ behaviors are difficult or even impossible to express quantitatively, interview-based research can serve to elucidate people's experiential life “as it is lived, felt, undergone, made sense of and accomplished by human beings” (Schwandt, 2001, p. 84). We gather detailed,
Validation and extension of the theoretical framework
Overall, users and cybersecurity experts expressed unanimous support for the components of the proposed framework and the general notion of time pressure's influence on HCS behavior. Further, we identified additional items for contexts, psychological constructs, behaviors, and moderating factors that have not been considered in the literature on the role of time pressure in HCS behavior so far. Exemplary statements are provided in the supplementary material.
Countermeasures
Based on the interviews, we identified a range of measures that were deemed suitable to counteract cybersecurity threats related to time pressure. We were interested in finding countermeasures that, firstly, prevent users from exhibiting non-secure behavior and, secondly, protect assets from the detrimental effects of such behavior and the potential resulting incidents. Along the GTAG 1 framework's categorization, the countermeasures identified in our study fall into the preventive class along
Theoretical implications
While it is well established that time pressure plays an important role in human decision making (Ordóñez and Benson, 1997), literature on its role in cybersecurity is rather scant. To shed light on this matter, the present qualitative study draws on interviews with representatives from different relevant stakeholder groups (cybersecurity experts, non-security professionals, private users). Overall, the interviewees provided unanimous support for the integrative theoretical framework presented
Conclusion
Despite the important role of time pressure for human behavior, there is currently only limited conceptual work on its role in the domain of cybersecurity. In order to address this gap, we conducted an interview study to conceptualize the phenomena and identify potential human, operational, physical, and technical countermeasures. We hope that researchers and practitioners will find the resulting framework useful in accounting for the role of affective human processes in cybersecurity behavior
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
References
- et al. Auction fever! How time pressure and social competition affect bidders’ arousal and bids in retail auctions. Journal of Retailing (2015)
- et al. Applying an extended model of deterrence across cultures: an investigation of information systems misuse in the US and South Korea. Information & Management (2012)
- et al. An exploratory investigation of message-person congruence in information security awareness campaigns. Computers & Security (2014)
- et al. Human and organizational factors in computer and information security: pathways to vulnerabilities. Computers & Security (2009)
- et al. Investigating phishing victimization with the Heuristic–Systematic Model: a theoretical framework and an exploration. Computers & Security (2013)
- et al. Decisions under time pressure: how time constraint affects risky decision making. Organ Behav Hum Decis Process (1997)
- et al. Designing interviews to generate rich data for information systems research. Information and Organization (2011)
- et al. Masquerade mimicry attack detection: a randomised approach. Computers & Security (2011)
- Information security - The fourth wave. Computers & Security (2006)
- Acar, Y., Backes, M., Fahl, S., Kim, D., Mazurek, M.L., & Stransky, C. (2016). You get where you're looking for: the...
- Information security strategies: towards an organizational multi-strategy perspective. J Intell Manuf
- The cell phone, constant connection and time scarcity in Australia. Soc Indic Res
- Eliciting managers’ personal values: an adaptation of the laddering interview method. Organ Res Methods
- Transforming Qualitative Information: Thematic Analysis and Code Development
- Using thematic analysis in psychology. Qual Res Psychol
- The user affective experience scale: a measure of emotions anticipated in response to pop-up computer warnings. Int J Hum Comput Interact
- Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Quarterly
- Perceptions of information security in the workplace: linking information security climate to compliant behavior. Journal of Information Privacy and Security
- The heuristic-systematic model in its broader context
- The impact of time pressure on cybersecurity behaviour: a systematic literature review. Behav Inf Technol
- Basics of Qualitative Research: Techniques and Procedures for Developing Grounded Theory (3rd ed.)
- Understanding employee responses to stressful information security requirements: a coping perspective. Journal of Management Information Systems
- User awareness of security countermeasures and its impact on information systems misuse: a deterrence approach. Information Systems Research
- The five elements of our time-pressed society. Management Quarterly
- Conflict detection, dual processes, and logical intuitions: some clarifications. Think Reason
- Security on autopilot: why current security theories hijack our thinking and lead us astray. ACM SIGMIS Database: The DATABASE for Advances in Information Systems
- Security in the wild: user strategies for managing security as an everyday, practical problem. Pers Ubiquitous Comput
- The Psychology of Attitudes
- Psychosocial risks: can their effects on the security of information systems really be ignored? Information Management & Computer Security
- Sometimes it is not so bad to decide in a hurry: influence of different levels of temporal opportunity on the elaboration of purchasing intention. Polish Psychological Bulletin
- Thinking fast increases framing effects in risky decision making. Psychol Sci
- The state of phishing attacks. Commun ACM
- The role of extra-role behaviors and social controls in information security policy effectiveness. Information Systems Research
Mohammad Noman H. Chowdhury is a Doctoral candidate in Information Systems at University of Newcastle, Australia. He is also Senior Lecturer (on leave) at BRAC Business School, BRAC University, Bangladesh. He received his Bachelor in Computer Science and Engineering from Bangladesh University of Engineering and Technology (BUET), and pursued an MBA from the Institute of Business Administration (IBA), Dhaka University. Mr. Noman also has long corporate experience working in companies like Grameen Phone Ltd., Nokia Siemens Network (NSN) etc. His research interests include Human Computer Interaction and Data Science.
Marc T. P. Adam is an Associate Professor in Computing and Information Technology at the University of Newcastle, Australia. In his research, he investigates the interplay of human users’ cognition and affect in human-computer interaction. He received an undergraduate degree in Computer Science from the University of Applied Sciences Würzburg, Germany, and a PhD in Information Systems from the Karlsruhe Institute of Technology, Germany. His research has been published in top international outlets such as IEEE Transactions on Affective Computing, International Journal of Electronic Commerce, Journal of Management Information Systems, Journal of the Association for Information Systems, and Journal of Retailing.
Timm Teubner is assistant professor at the Einstein Center Digital Future at TU Berlin. He holds a Diploma degree in industrial engineering and management and a doctoral degree in Information Systems from Karlsruhe Institute of Technology (KIT). His research interests include online platforms and multi-sided markets, reputation, and trust in digital services, online auctions, Internet user behavior and psychology, as well as crowdsourcing.