Individual perceptions of cybersecurity and risk management

Seeing human actors as a primary target for cybersecurity attacks suggests that awareness of threats and the willingness to implement controls may be lacking. Previous studies have identified context, demographic characteristics, and self-efficacy to be key factors influencing security-enhancing behaviours among private individuals. In this study, 801 UK private individuals responded to an anonymous online survey, identifying their ability to recognise threats and controls, who they believe responsible for implementing controls, and their general willingness to engage with cybersecurity via a Protection Motivation Theory behavioural model. Using a healthcare data context, results indicate that private individuals can identify threats, controls, and match them. They rarely, however, see themselves responsible for the security of their data. Further, an explanatory factor analysis based on 676 response sets suggests that decision making involved background considerations rather than a simple cost-benefit analysis or cognitive assessment of cybersecurity controls. This work adds to a growing body of literature which highlights that human actors are cybersecurity aware, but that they perceive the broader context to be relevant to their decision making. As such, it provides insights to consider in response to making technology end-users part of the solution to cybersecurity threats.