Are you an adrenaline junkie who takes risks with security?

Lee Hadlington is a cyberpsychologist at De Montfort University. He researches how psychology plays a role in cybersecurity. He recently conducted a study to find out if personality characteristics such as impulsivity and “internet addiction” determine whether people are conscientious or risky in their cybersecurity behavior. The study’s paper was published in July.

For the study, 538 people in the UK who are employed completed an online questionnaire. The subjects ranged in age from 18 to 84, with 218 males and 297 females.

Some of the risky cybersecurity behaviors asked about in Hadlington’s study include:

  • Sharing passwords with friends and colleagues
  • Disabling antivirus software to access blocked content
  • Using the same password for multiple websites
  • Sending personal information to strangers on the internet
  • Downloading digital media such as music and video files from unlicensed sources
  • Entering payment information on websites that have no clear security information

Hadlington used Mark Griffiths’ criteria for internet use disorder in his definition of internet addiction. Griffiths defines internet use disorder as a compulsive need to engage in online activities to the detriment of other areas of a person’s life.

However, concepts such as “internet addiction” and “videogame addiction” are controversial in the psychological community.  Dr Anthony Bean, a clinical psychologist, was recently interviewed in Polygon about his skepticism about video game addiction.

One of the major concerns that we have is that we’re putting the cart before the horse on his one. We don’t know what videogame addiction is. The psychology and medical fields took the concept of addiction — whether it’s substance abuse or anything like that — and just switched it out with video games. The thinking was, ‘Oh, it’s a form of addiction. It’s like any other addiction.’ But it’s not the same.

You could do the whole process over again with football. Why are we not considering that an addiction? What about someone who really likes to go into a library and read books, and they just can’t put that book down because they’re at that great part that they want. You force them to put that book down, [and] their mind’s just going to be on it. Why isn’t that a form of addiction?

So is characterizing these as addictions an unnecessary pathologization? Says Hadlington:

I think there are two issues here – addiction is a clinical term, which requires a formal diagnosis, and in the context of my work I accept that this is an issue. I think we look at more the issue of problematic use – and internet addiction is an umbrella term through which other aspects of digital technology addiction are actioned – if that makes sense. I haven’t seen anything as of yet [for internet addiction in psychiatry’s DSM-V diagnostic manual], butthe very term is problematic – from a research perspective it’s used as a label at the moment.”

Nonetheless, according to the definition of internet addiction that Hadlington and Griffiths accept, the study found a correlation with risky cybersecurity behavior. Richard Davis’ Online Cognition Scale was used to determine if subjects in Hadlington’s study were addicted to internet use. From the paper:

The results demonstrated that internet addiction was a significant predictor for risky cybersecurity behaviors.

The study used Christopher Coutlee’s Abbreviated Impulsiveness Scale to determine if subjects were impulsive. Hadlington’s study found another correlation:

The measure of impulsivity revealed that both attentional and motor impulsivity were both significant positive predictors of risky cybersecurity behaviours, with non-planning being a significant negative predictor.

So how can businesses help their employees do better with cybersecurity? Hadlington responds:

I think first of all they need to understand what is going on within their organization. Rather than spending money on making password protection really good, they might already have this covered – then it is a matter of finding out what works. We know from research that online training and emails about cybersecurity really don’t work. You need to connect with employees, so focus groups and guest speakers appear to be most effective at changing behavior.

How could a focus group be implemented?

It takes very little time and money to get involved in academic research that could help a company identify the key risks, which could in turn save them millions in the long run. Focus groups are really easy to do, and you can introduce the topic (such as online security) and ask people about their concerns. Often you seen that groups have the same concerns, which the focus group lead can then offer advice on.

So it seems that people who engage in risky behavior in other areas of their life are more likely to also engage in risky behavior in their computer and internet use. Thankfully, people can learn to engage in better cybersecurity behavior, and teaching them in person and asking for feedback is more effective than indirect training methods such as sending them emails.