Research into Cultural Theory, White Male Effect, and more. We show high level of concern about cybercrime among US adults and first evidence of White Male Effect in cyber risk perception.

1. Cybersecurity Risk Perception
and Communication:
Cultural Theory, White Male
Effect, and more
Lysa Myers and Stephen Cobb
Security Researchers, ESET

2. Why research the intersection of
cyber, risk, and communication?
• Studies show that perceptions of risk differ
• There’s too much risk in information systems
• Understanding risk perception may help to:
• Improve risk communication
• Reduce risk creation

3. Cybersecurity can be approached
as a risk management problem
• Reduce the amount of risk and the problem
gets easier to manage
• One way to reduce risk is reduce the
number of vulnerabilities

4. Risk is the probability that a particular threat-source
will exercise (accidentally trigger or intentionally
exploit) a particular information system vulnerability
• NIST Special Publication 800-30
What is risk, in this context?

5. Consider 3 major sources of information
system vulnerability
People and companies
that make products
with holes in
People that don’t
practice proper cyber
hygiene
Organizations that
don’t do security
properly
ASSORTED
CORPORATE
LOGOS

6. 3 sources of information system vulnerability
People and companies
that make products
with holes in
People that don’t
practice proper cyber
hygiene
Organizations that
don’t do security
properly
What do all three have in common?
THEY DO NOT HEED EXPERTS!

7. Failure to
heed the
experts?
• When it comes to
assessing
technology risks
• This is not a new
problem
• Consider nuclear
energy
• Or climate change
97% of actively publishing climate
scientists agree:
Climate-warming trends over the
past century are extremely likely
due to human activities.

8. Failure to
heed the
experts?
• When it comes to
assessing
technology risks
• This is not a new
problem
• Consider nuclear
energy
• Or climate change
97% of actively publishing climate
scientists agree:
Climate-warming trends over the
past century are extremely likely
due to human activities.

9. Failure to
heed the
experts?
• When it comes to
assessing
technology risks
• This is not a new
problem
• Consider nuclear
energy
• Or climate change
97% of actively publishing climate
scientists agree:
Climate-warming trends over the
past century are extremely likely
due to human activities.

10. Failure to
heed the
experts? 97% of actively publishing climate
scientists agree:
Climate-warming trends over the
past century are extremely likely
due to human activities.
Yet the % of US adults who think climate change is
due to human activity has never broken 50%

11. Why do people reject expert advice?
• Do they not understand the science?
• Don’t they have all the facts?
• Is it a religious thing?
• Are they stupid, or what?
• Yes, it could be “or what?”

12. Cultural theory argues that risks
are defined, perceived, and
managed according to principles
that inhere in particular forms of
social organization.
• Tansey and Rayner
Why do people reject expert advice?

13. Communitarianism
GRID
Hierarchy
GROUP Individualism
Egalitarianism
After Douglas, Wildavsky, Flynn, Slovic, Kahan, etc.

14. Communitarianism
GRID
Hierarchy
GROUP Individualism
Egalitarianism
After Douglas, Wildavsky, Flynn, Slovic, Kahan, etc.
Hierarchical
Individualist
Hierarchical
Communitarianist
Egalitarian
Individualist
Egalitarian
Communitarianist
Community

15. Rating risks from a
variety of hazards
(1994 edition)

16. Rating risks from a
variety of hazards
(1994 edition)
When risk ratings were
broken down by gender
and ethnicity they
revealed an interesting
“White Male Effect”
White
Male
Effect

17. A clear gender difference in risk perception
2.0
2.5
3.0
3.5
4.0
Female
Male
High
Low
Risk

18. White males saw less risk across the board
2.0
2.5
3.0
3.5
4.0
White Male
White Female
Nonwhite Male
Nonwhite Female
High
Low
Risk

19. What is the White Male Effect?
• On aggregate, white males see less risk in technology
• Than white females, non-white females, non-white males
• But the people who were doing the study were white
males with serious concerns about risk
• And information security professionals “get” risk, yet (ISC)2
Workforce Study says we’re mostly male (and mostly white)
• So what is going on with these survey results?

20. Dude, they’re skewed
• Some white males (30%)
drastically underestimate
risk, relative to the mean
• Group-Grid-wise, they are
Hierarchical Individualists
• As a group they tend to
have more education and
higher household incomes
• Also tend to be politically
conservative
GRID
Hierarchy
Community
GROUP
Individualism
Egalitarianism
Hierarchical
Individualist
Hierarchical
Communi-
tarianist
Egalitarian
Individualist
Egalitarian
Communi-
tarianist

21. But there is
good skew
too
E.g. some white males are
very concerned about
global warming.
For more examples see:
CulturalCognition.net

22. Let’s find out if WME affects perception of
risks from information technology
• We asked people to rate 15 technology hazards
• including some arising from digital technology
• If WME exists with respect to these “cyber-risks”
• Can we use the results to improve risk communication
• to developers, IT professionals, CEOs, boards?
• If no WME, can we still learn something useful?

23. global warming
private gun
ownership
medical X-rays
air pollution
"fracking"
genetically modified foods
nuclear
power
motor vehicle
accidents
disposal of hazardous
wastes in landfill
government monitoring of
emails and web searches
theft or exposure of
private data criminals hacking into
computer systems
corporate computer
network failures
companies accumulating
your personal data
artificial intelligence
We selected 9+6 hazards

24. Presenting the risk of certain hazards
• As individuals and as a society, we face a number of possible
hazards. Some threaten people’s health, safety, or financial
well-being directly. Others indirectly threaten health, safety,
or financial well-being through the damage they can impose
on the environment or the economy. The next set of
questions asks how much risk you think the following items
pose to human health, safety, or prosperity. In each case you
can answer from "No risk at all" to "Very high risk”.

26. Criminal hacking tops US risk list
2
3
4
5
6
(n=740)
High
Low
Risk

27. Cyber hazard risks relative to other risks
Medical X-rays
Artificial Intelligence
Gun ownership
GM food
Network failures
Nuclear power
Fracking
Gov data monitoring
Accumulating PII
Global warming
Motor vehicles
PII theft/exposure
Hazardous waste
Air pollution
Criminal hacking
Higher
risk

28. Sanity check: before our main study we surveyed US
adults to see if concern about cyber risks was real
• Do you think problems with technology, like computer hacking and
network outages, pose a risk to your security and well-being?
0% 10% 20% 30% 40%
Almost no
risk
Slight risk
Moderate
risk
High risk

29. We also looked to see if there was a male effect
• And there was
0% 10% 20% 30% 40%
Almost no risk
Slight risk
Moderate risk
High risk
Female
Male
(n=847)

30. For all of our 9+6 hazards, women see more risk
2
3
4
5
6
Female
Male
(n=740)
High
Low
Risk

31. For all of our 9+6 hazards, women see more risk
2
3
4
5
6
Female
Male
(n=740)
High
Low
Risk

32. Women see more risk in “cyber” hazards
Medical X-rays
Artificial Intelligence
Gun ownership
GM food
Nuclear power
Fracking
Network failures
Gov data monitoring
Accumulating PII
Global warming
Motor vehicles
Hazardous waste
PII theft/exposure
Air pollution
Criminal hacking
Male
Female
(n=740)

33. On average, white people see less risk
2
3
4
5
6
White
Nonwhite
(n=710)
High
Low
Risk

34. And the White Male Effect is there, but…
2
3
4
5
6
White Male
White Female
Non-white Male
Non-white Female
(n=710)
High
Low
Risk

35. Mixed signals in cyber
3
4
5
6
White Male
White Female
Non-white Male
Non-white Female
(n=710)

36. Notable differences in cultural alignment of cyber risk

37. Hierarchical individualists and criminal hacking risk

38. What does it all mean (1/4)?
• Some white males underestimate some
cyber risks relative to the mean
• In organizations where those white males
make most technology-related decisions
• Greater gender and ethnic diversity could
improve cyber-risk sensitivity
• In general: Greater gender and ethnic diversity
in technology company boardrooms could:
• Reduce the number of vulnerabilities shipped
• Improve risk assessment and security posture

39. Cyber risk perception also varies by age
0%
10%
20%
30%
40%
50%
60%
70%
18-29 30-44 45-59 60+
Criminal hacking
PII exposure
Percentage of survey
respondents who
rated risk “high” or
“very high” for
(n=740)

40. And remember education and income?
0%
10%
20%
30%
40%
50%
60%
70%
No degree Degree
0%
10%
20%
30%
40%
50%
60%
70%
Uncertified P-certified
0%
10%
20%
30%
40%
50%
60%
70%
Under $75K Over $75K
Percentage of people who rated criminal hacking as high risk or very high risk

41. What does it all mean (2/4)?
• The effectiveness with which cyber-risk is
communicated may be improved through
better understanding of Culture Theory
• Consider: the Cultural Cognition Project

42. Cultural cognition
• the tendency of individuals to conform their
beliefs about disputed matters of fact…
to values that define their cultural identities.
• CulturalCognition.net

43. Cultural cognition and communication
• Considering the power of cultural alignment to influence
risk perception, independent of factors such as education
and intelligence, suggests new ways of communicating risk
• Presenting information “in a manner that affirms rather
than threatens people's values” (Cohen)
• Making sure that sound information is “vouched for by a
diverse set of experts” (Kahan)
• Reducing polarization by presenting advocates with diverse
values on both sides of the issue (Kahan)

44. What does this all mean (3/4)?
• Companies that rely on the use and adoption of
information technology should be very concerned
about the public’s perception of cyber-risks
Global warming
Motor vehicles
PII theft/exposure
Hazardous waste
Air pollution
Criminal hacking

45. What does it all mean (4/4)?
• We can probably do better at communicating
risk when we have a better understanding of
why risk perceptions vary
• So let’s do more research on this…

46. Thank you!
Lysa.Myers@ESET.com
Stephen.Cobb@ESET.com
www.WeLiveSecurity.com