Statement of Ethics

1. Purpose of the research, duration and procedures

Cybercrime, cyber-enabled fraud and cyber security threats continue to impact internet users globally.

The UK’s Office of National Statistics Crime Survey of England and Wales estimates that fraud and cybercrime now account for almost six million offences[1] “accounting for almost half of all crime in the country”[2].

There is a prevailing view – and substantial evidence – that “humans are the weakest link” when it comes to successfully facilitating socio-technical cyber-attacks such as phishing, malware infection and scam compliance[3].

The human factor “continues to have a far reaching impact on the security and integrity of computerised systems due to the inherent imperfections that humans exhibit when compared to technical layers of security”[4].

Clicking on a phishing email, for example, can result in the loss of personally identifiable information that can be sold or traded to enable identity theft, used to gain illegitimate access to personal or work systems such as email or cloud services, or lead to continued targeting by scam operators, which may ultimately lead to significant financial or emotional harm and a resulting loss of trust in the online environment.

This research project aims to establish if it is possible to accurately measure an individual’s Security Quotient score – their likelihood of falling victim to such attacks – and has been designed to test current thinking around personality traits that might predispose an internet user to be susceptible to such threats.

Format of the research

Internet users are invited to participate in a brief online survey that poses questions about how they use connected devices, their appetite for risk and wider lifestyle choices. The online survey will examine a range of personality traits that have been identified as possible signifiers of risk-taking behaviour that may predispose individuals to become victims of socio-technical attacks.

Some demographic information around age, gender, education and lifestyle will be sought as part of this phase of the study to help identify potential patterns in survey results. The survey concludes with several questions that identify examples of cybercrime activity and any associated impact on the respondent.

All data submitted will be anonymous in nature unless the survey respondent volunteers to take part in a follow-on interview by providing a contact email address.

Only individuals who choose to submit their personal information will be identifiable, so that they can be contacted for a follow-up study in the form of an interview to be conducted face to face in Auckland or over a video conferencing system.

Volunteers who wish to take part in the interview stage will be asked a further range of questions about their technical and computer security abilities, experiences of cyber-enabled threats and on aspects of their personality.

Survey data can only be accessed by Chris Hails. No personally identifiable information will be published or used in any findings/results, and data will be made anonymous. All or part of the content of the survey results may be used in academic papers, conferences or associated publications or in a thesis or future study. Data will be kept for up to three years minimum after the study is completed.

2. Participants’ rights

Volunteers for this project are able to decline to participate at any time and to withdraw from the research once it has started; they do not need to give a reason. Withdrawing from the project will result in their involvement with the research ceasing and their contributions to the study to date being ineligible for further examination. Any existing data will be destroyed.

3. Impact on participants

Volunteering to take part in this project is not foreseen to result in any adverse effects on the individuals involved. All data submitted will be treated as confidential with personal identifiers beyond general demographic questions being anonymised.

4. Research benefits

It is the aim of the researcher that this project can potentially identify personality traits that can be accurately measured as a means of producing a security quotient score. Such a score could ultimately be used to enable the development of tailored security awareness education programmes that build confidence and capability online and/or deliver adaptive, context-aware security controls that assist internet users to avoid falling victim to socio-technical attacks.

5. Privacy and confidentiality

Volunteers who submit data as part of this research project can be confident that their responses will be treated as sensitive information to be managed in accordance with New Zealand’s Privacy Act.

Data will be coded to ensure anonymity of the respondent. Information collected will be stored, analysed and archived in accordance with the Privacy Act principles to maintain confidentiality.

Research summaries will be drawn from aggregate data and statistical analysis used to produce evidence-based outputs where no single individual can be identified. Publication of the research findings will comply with this ethics statement.

6. Incentives for participation

No payments will be made to research participants as part of this project. All subjects will volunteer to take part and can withdraw at any time in accordance with Section 2.

7. Questions about this research

This research is being undertaken by Chris Hails with funding gratefully provided by InternetNZ[5]. If you have any questions or concerns about the study, please contact Chris via email to research@ubisec.nz or contact InternetNZ’s community grants team[6].

The research outcomes and veracity of identifying an individual’s Security Quotient score remain the intellectual property of Chris Hails of Ubiquitous Security. Findings will be published under a Creative Commons Attribution licence in accordance with InternetNZ’s guidelines for Internet Research.

[1] Nearly six million fraud and cyber crimes last year, ONS says

[2] Fraud and cyber crime are now the country’s most common offences

[3] Socio-technical attacks and the impact of human components in a system

[4] Behavioural Thresholds in the Context of Information Security

[5] More than $100,000 given for Internet research

[6] Internet Research Funding Round