Research into Cultural Theory, White Male Effect, and more. We show a high level of concern about cybercrime among US adults and the first evidence of a White Male Effect in cyber risk perception.
Cybersecurity Risk Perception and Communication
1. Cybersecurity Risk Perception
and Communication:
Cultural Theory, White Male
Effect, and more
Lysa Myers and Stephen Cobb
Security Researchers, ESET
2. Why research the intersection of
cyber, risk, and communication?
• Studies show that perceptions of risk differ
• There’s too much risk in information systems
• Understanding risk perception may help to:
• Improve risk communication
• Reduce risk creation
3. Cybersecurity can be approached
as a risk management problem
• Reduce the amount of risk and the problem
gets easier to manage
• One way to reduce risk is reduce the
number of vulnerabilities
4. Risk is the probability that a particular threat-source
will exercise (accidentally trigger or intentionally
exploit) a particular information system vulnerability
• NIST Special Publication 800-30
What is risk, in this context?
5. Consider 3 major sources of information system vulnerability
• People and companies that make products with holes in
• People that don’t practice proper cyber hygiene
• Organizations that don’t do security properly
ASSORTED
CORPORATE
LOGOS
6. 3 sources of information system vulnerability
• People and companies that make products with holes in
• People that don’t practice proper cyber hygiene
• Organizations that don’t do security properly
What do all three have in common?
THEY DO NOT HEED EXPERTS!
7. Failure to
heed the
experts?
• When it comes to
assessing
technology risks
• This is not a new
problem
• Consider nuclear
energy
• Or climate change
97% of actively publishing climate
scientists agree:
Climate-warming trends over the
past century are extremely likely
due to human activities.
10. Failure to heed the experts?
97% of actively publishing climate
scientists agree:
Climate-warming trends over the
past century are extremely likely
due to human activities.
Yet the % of US adults who think climate change is
due to human activity has never broken 50%
11. Why do people reject expert advice?
• Do they not understand the science?
• Don’t they have all the facts?
• Is it a religious thing?
• Are they stupid, or what?
• Yes, it could be “or what?”
12. Cultural theory argues that risks
are defined, perceived, and
managed according to principles
that inhere in particular forms of
social organization.
• Tansey and Rayner
Why do people reject expert advice?
16. Rating risks from a
variety of hazards
(1994 edition)
When risk ratings were
broken down by gender
and ethnicity they
revealed an interesting
“White Male Effect”
17. A clear gender difference in risk perception
[Chart: risk ratings, Female vs. Male; risk axis from Low to High, scale 2.0 to 4.0]
18. White males saw less risk across the board
[Chart: risk ratings for White Male, White Female, Nonwhite Male, Nonwhite Female; risk axis from Low to High, scale 2.0 to 4.0]
19. What is the White Male Effect?
• On aggregate, white males see less risk in technology
• Than white females, non-white females, non-white males
• But the people who were doing the study were white
males with serious concerns about risk
• And information security professionals “get” risk, yet (ISC)2
Workforce Study says we’re mostly male (and mostly white)
• So what is going on with these survey results?
20. Dude, they’re skewed
• Some white males (30%)
drastically underestimate
risk, relative to the mean
• Group-Grid-wise, they are
Hierarchical Individualists
• As a group they tend to
have more education and
higher household incomes
• Also tend to be politically
conservative
[Group-Grid diagram. Axis labels: GRID, GROUP, Hierarchy, Egalitarianism, Individualism, Community. Quadrants: Hierarchical Individualist, Hierarchical Communitarianist, Egalitarian Individualist, Egalitarian Communitarianist]
21. But there is
good skew
too
E.g. some white males are
very concerned about
global warming.
For more examples see:
CulturalCognition.net
22. Let’s find out if WME affects perception of
risks from information technology
• We asked people to rate 15 technology hazards
• including some arising from digital technology
• If WME exists with respect to these “cyber-risks”
• Can we use the results to improve risk communication
• to developers, IT professionals, CEOs, boards?
• If no WME, can we still learn something useful?
23. We selected 9+6 hazards
• global warming
• private gun ownership
• medical X-rays
• air pollution
• "fracking"
• genetically modified foods
• nuclear power
• motor vehicle accidents
• disposal of hazardous wastes in landfill
• government monitoring of emails and web searches
• theft or exposure of private data
• criminals hacking into computer systems
• corporate computer network failures
• companies accumulating your personal data
• artificial intelligence
24. Presenting the risk of certain hazards
• As individuals and as a society, we face a number of possible
hazards. Some threaten people’s health, safety, or financial
well-being directly. Others indirectly threaten health, safety,
or financial well-being through the damage they can impose
on the environment or the economy. The next set of
questions asks how much risk you think the following items
pose to human health, safety, or prosperity. In each case you
can answer from "No risk at all" to "Very high risk”.
27. Cyber hazard risks relative to other risks
Medical X-rays
Artificial Intelligence
Gun ownership
GM food
Network failures
Nuclear power
Fracking
Gov data monitoring
Accumulating PII
Global warming
Motor vehicles
PII theft/exposure
Hazardous waste
Air pollution
Criminal hacking
Higher
risk
28. Sanity check: before our main study we surveyed US
adults to see if concern about cyber risks was real
• Do you think problems with technology, like computer hacking and
network outages, pose a risk to your security and well-being?
[Bar chart: share of respondents answering Almost no risk, Slight risk, Moderate risk, High risk; axis 0% to 40%]
29. We also looked to see if there was a male effect
• And there was
[Bar chart: Almost no risk, Slight risk, Moderate risk, High risk, Female vs. Male; axis 0% to 40% (n=847)]
30. For all of our 9+6 hazards, women see more risk
[Chart: risk ratings, Female vs. Male; risk axis from Low to High, scale 2 to 6 (n=740)]
32. Women see more risk in “cyber” hazards
Medical X-rays
Artificial Intelligence
Gun ownership
GM food
Nuclear power
Fracking
Network failures
Gov data monitoring
Accumulating PII
Global warming
Motor vehicles
Hazardous waste
PII theft/exposure
Air pollution
Criminal hacking
Male
Female
(n=740)
33. On average, white people see less risk
[Chart: risk ratings, White vs. Nonwhite; risk axis from Low to High, scale 2 to 6 (n=710)]
34. And the White Male Effect is there, but…
[Chart: risk ratings for White Male, White Female, Non-white Male, Non-white Female; risk axis from Low to High, scale 2 to 6 (n=710)]
35. Mixed signals in cyber
[Chart: risk ratings for White Male, White Female, Non-white Male, Non-white Female; scale 3 to 6 (n=710)]
38. What does it all mean (1/4)?
• Some white males underestimate some
cyber risks relative to the mean
• In organizations where those white males
make most technology-related decisions
• Greater gender and ethnic diversity could
improve cyber-risk sensitivity
• In general: Greater gender and ethnic diversity
in technology company boardrooms could:
• Reduce the number of vulnerabilities shipped
• Improve risk assessment and security posture
39. Cyber risk perception also varies by age
[Chart: percentage of survey respondents who rated risk “high” or “very high” for Criminal hacking and PII exposure, by age group (18-29, 30-44, 45-59, 60+); axis 0% to 70% (n=740)]
40. And remember education and income?
[Three bar charts, axis 0% to 70%: No degree vs. Degree; Uncertified vs. P-certified; Under $75K vs. Over $75K]
Percentage of people who rated criminal hacking as high risk or very high risk
41. What does it all mean (2/4)?
• The effectiveness with which cyber-risk is
communicated may be improved through
better understanding of Culture Theory
• Consider: the Cultural Cognition Project
42. Cultural cognition
• the tendency of individuals to conform their
beliefs about disputed matters of fact…
to values that define their cultural identities.
• CulturalCognition.net
43. Cultural cognition and communication
• Considering the power of cultural alignment to influence
risk perception, independent of factors such as education
and intelligence, suggests new ways of communicating risk
• Presenting information “in a manner that affirms rather
than threatens people's values” (Cohen)
• Making sure that sound information is “vouched for by a
diverse set of experts” (Kahan)
• Reducing polarization by presenting advocates with diverse
values on both sides of the issue (Kahan)
44. What does this all mean (3/4)?
• Companies that rely on the use and adoption of
information technology should be very concerned
about the public’s perception of cyber-risks
Global warming
Motor vehicles
PII theft/exposure
Hazardous waste
Air pollution
Criminal hacking
45. What does it all mean (4/4)?
• We can probably do better at communicating
risk when we have a better understanding of
why risk perceptions vary
• So let’s do more research on this…
Hi, I am Stephen Cobb and this is Lysa Myers. We are researchers at ESET, a security software company that has been around for 30 years and is based in Slovakia, which is part of the European Union, and a fully paid up member of the NATO alliance (humor). We belong to the US Research Team which is based in San Diego.
When you work in information security you quickly realize that some people see risk where others do not. Some see less risk than others. This has practical implications when it comes to securing information systems. Clearly there is a lot of risk in information systems. One way to reduce that risk would be at the source, namely product design and system design. It would help if more product designers and system architects were more sensitive to risk – we think a better understanding of why perceptions of risk differ between different people could help us with that.
The classic NIST definition of risk in information systems makes clear the role of vulnerabilities, so where do these come from?
Well, here are three sources of vulnerability (these are not THE or the only sources, but they are 3 that information security folks will recognize).
1. People and companies that make products with holes in – like these internet connected toys, or these internet connected DVRs used in botnet attacks that cost US companies millions of dollars. Or this Jeep, one of the 1.4 million vehicles that were found to be seriously hackable, and seriously hard to patch.
2. People that don’t practice proper cyber hygiene – like over-riding the security settings on this mobile device, or forgetting vital code in this internet voting software.
3. Organizations that don’t do security properly – or to the appropriate level. For example, here’s a healthcare company that failed to fully assess the potential risks and vulnerabilities to its patient data, also failed to implement physical access controls at a large data center, and didn’t have security agreements with its business associates.
At a recent Applied Human Factors conference, just about every presentation on human factors in cybersecurity cited IBM’s 1994 statistic that “over 95 percent of all incidents investigated recognize ‘human error’ as a contributing factor.”
(IBM 2015 Cyber Security Intelligence Index)
“Still, it’s important to note that more often than not, breaches caused by insiders are unintentional. In fact, over 95 percent of these breaches are caused by human error.”
For example: There’s a lot of scientific information pointing to rising temperature.
NASA Goddard Institute for Space Studies - http://data.giss.nasa.gov/gistemp/graphs/
Global mean surface-temperature change from 1880 to 2016, relative to the 1951–1980 mean. The black line is the global annual mean, and the red line is the five-year local regression line. The blue uncertainty bars show a 95% confidence interval.
http://www.pewinternet.org/2016/10/04/public-views-on-climate-change-and-climate-scientists/
https://climate.nasa.gov/scientific-consensus/
On aggregate, popular opinion does not align with the scientific.
It can be frustrating when people reject your advice. A lot of explanations are put forward. We think the answer is “or what?” where what is Culture Theory and Cultural Cognition.
Mary Douglas and Aaron Wildavsky, 1982, Risk and Culture: An Essay on the Selection of Technical and Environmental Dangers.
Cultural Theory asserts that structures of social organization endow individuals with perceptions that reinforce those structures in competition against alternative ones.
Group – grid, then named groups
The survey 1994 Flynn, Slovic, Mertz
The 1994 survey by Flynn, Slovic, Mertz.
White Male Effect
Cultural Cognition dot net
A mix of previously surveyed hazards and cyber hazards
This is the standard preamble to the questions about risks posed by certain hazards
The survey – not security specific, not branded. Neutral
Bars represented weighted average risk ratings for each of the 15 hazards
Google Consumer Survey (n=847) earlier this year showed a high level of concern.
And suggested WME might be at work
This is final dataset
Differing patterns on Group-Grid
Greater gender and ethnic diversity could improve cyber-risk sensitivity