Applying the Security Quotient score: Identifying high-risk individuals who may be predisposed to falling victim to cybercrime

Over the course of undertaking this research, it has become clear that there is significant potential to use ‘cyber psychology’, in the form of the Security Quotient scale, to identify high-risk individuals who may be predisposed to fall victim to common socio-technical attacks like phishing and internet scams.

A simple psychometric test that also accounts for demographic, health and lifestyle factors, and for how these may shape risk appetite and risk perception, could be used to target cybercrime prevention and intervention efforts at the subset of individuals at the greatest risk of victimisation. Such efforts could deliver real harm reduction across both social and financial domains of wellbeing.

Second-stage methods utilised both the psychometric scales and demographic survey response data, and produced the following preliminary findings:

  • SeBIS, CFC-F and DOSPERT-R scale scores were used to identify 11 Very High Risk individuals from 103 validated survey responses.
  • 36% of those identified had previously suffered a financial loss due to cybercrime; all bar one had experienced a security incident.
  • More than half did not exercise, and the remainder did significantly less than the study average (2 hrs 5 mins).
  • Individuals who had suffered the highest number of incidents were more likely to smoke, take less exercise and not be saving towards their future.
  • They were also significantly younger than the survey median age at 33.8 (Millennials).
  • 55% of smokers and 42% of those who did not invest in their future via KiwiSaver or other channels had suffered a financial loss, compared with a survey average of 21%.
  • 50% of those unemployed and looking for work had been a victim of cybercrime and had suffered a financial loss.

Data analysis identified two groups of note, 22 ‘Victors’ and 20 ‘Victims’, based on self-reported answers to the second survey:

‘Victors’

Those who reported suffering no incidents or losses were older, predominantly female, less likely to smoke, keen investors and avid exercisers. They were 4% better at online safety and security practices (SeBIS) than the study average, slightly more future-focused (CFC-F), and had a 9% lower risk appetite than the study average (DOSPERT-R).

‘Victims’

Those who had lost money were more likely to be smokers, not actively investing, and risk takers by nature. They were less confident at online safety and security practices than the study average, scoring 10% below the Victors (SeBIS). Their risk appetite was 16% higher than the Victors' (DOSPERT-R).

In summary, the first two scales offer good ‘predictive’ insights into security knowledge and ability and future-focused behaviour: Very High Risk (VHR) individuals are ‘correctly’ identified to some extent as victims of cybercrime. For DOSPERT-R, there appears to be a sweet spot at the start of the High Risk band; VHR recreational risk takers identified by the DOSPERT-R scale appear to be resilient ‘Victors’. Combining the three scale scores via weighting or other means is required to produce a final Security Quotient metric.

Further statistical analysis (potentially linear, logistic or multinomial regression) will help validate these preliminary findings. The small sample size of the second-stage survey makes it difficult to prove that the Security Quotient model is both valid and repeatable. A larger survey dataset is necessary to validate the concept, and two large employers have now provided a further pool of responses to analyse. A larger dataset (1000+) could also allow nationality to be assessed, to evaluate whether Hofstede's cultural ‘Individualism’ is also a protective or risk factor.

The full report to InternetNZ was published in May 2019 as part of the funding proposal; analysis of third-stage surveying of 700 participants from two major NZ employers is now underway to validate the Security Quotient model.

Next steps

If the Security Quotient model can be fully validated through final analysis of the third-stage survey responses and found to be repeatable, there is the possibility that the approach could be used to target cybercrime prevention and intervention efforts at the subset of individuals at the greatest risk of victimisation.

Future work can also draw on learnings from other risk-based modelling approaches, benefiting from research efforts developed predominantly for commercial underwriting gains in the US personal, life and auto insurance markets, and from known links to other behavioural risks such as financial lending.

The advanced US lending and insurance markets have increasingly targeted indicative aspects of psychometric/behavioural relationships with claims histories and credit scores. Recent research has shown that both outcomes are influenced by sensation-seeking/self-control theories that match other OCEAN personality traits that can be measured using the CFC-F and DOSPERT-R scales.

Psycho-social (personality) and biochemical (biological and inheritable trait) links have increasingly been shown to predict that risk-taking behaviour in one realm also maps to risk-taking behaviour in others. In our increasingly data-rich environments, insurers in the US are looking to leverage such data as predictors of loss propensity to evolve the insurance marketplace.