Passive- and not active-risk tendencies predict cyber security behavior

Isabel Arend, Asaf Shabtai, Tali Idan, Ruty Keinan, Yoella Bereby-Meyer

Computers & Security 97, 101964, 2020

Vulnerabilities to online cyber-related crime are typically the result of poor decisions on the part of users. To date, research on risk-taking behavior applied to cyber-security situations has concentrated mainly on the risks that stem from active behavioral choices (e.g., opening an attachment from an unknown sender). However, risk may result from the failure to implement an action (e.g., not strengthening a password). These two types of risk have been differentiated and termed active- and passive-risk behaviors. We conducted two studies (Study 1 and Study 2) that examine how self-reported active- and passive-risk behaviors predict cyber-security behavioral intentions. In Study 3, we examine how active and passive risk relate to actual cyber-security behavior. The results show that cyber-security behavioral intentions and actual cyber behaviors are significantly correlated with self-reported individual differences in …