Trustworthy and effective communication of cybersecurity risks: A review

Proceedings - 2011 1st Workshop on Socio-Technical Aspects in Security and Trust, STAST 2011

Volumn , Issue , 2011, Pages 60-68

  Nurse, Jason R C ^a   Creese, Sadie ^a   Goldsmith, Michael ^a   Lamberts, Koen ^a  

^a UNIVERSITY OF WARWICK   (United Kingdom)

Author keywords

Cybersecurity risk; information trustworthiness; risk perception and communication; security communication recommendations

Indexed keywords

COMMUNICATION DOMAIN; CYBER SECURITY; EFFECTIVE COMMUNICATION; INFORMATION TRUSTWORTHINESS; LITERATURE REVIEWS; RISK PERCEPTION AND COMMUNICATIONS; SECURITY AND TRUSTS; SECURITY COMMUNICATION;

COMMUNICATION; RISK PERCEPTION;

NETWORK SECURITY;

EID: 84880944110     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/STAST.2011.6059257     Document Type: Conference Paper

References (80)

1. Computer Security Institute (CSI), "2008 CSI computer crime and security survey," 2008.
2. PricewaterhouseCoopers LLP and Infosecurity Europe, "Information Security Breaches Survey 2010: Executive Summary," 2010.
3. Detica and Office of Cyber Security and Information Assurance in the Cabinet Office UK, "The cost of cyber crime," 2011.
4. M. Sasse, S. Brostoff, and D. Weirich, "Transforming the 'weakest link' - a human/computer interaction approach to usable and effective security," BT Technology Journal, vol. 19, no. 3, pp. 122-131, 2001. (Pubitemid 32903117)
5. S. Smith, "Humans in the loop: Human-computer interaction and security," IEEE Security & Privacy, vol. 1, no. 3, pp. 75-79, 2003.
6. D. Balfanz, G. Durfee, D. Smetters, and R. Grinter, "In search of usable security: Five lessons from the field," Security & Privacy, IEEE, vol. 2, no. 5, pp. 19-24, 2004. (Pubitemid 40168622)
7. B. Payne and W. Edwards, "A brief introduction to usable security," IEEE Internet Computing, pp. 13-21, 2008.
8. S. Parkin, A. van Moorsel, P. Inglesant, and M. Sasse, "A stealth approach to usable security: helping it security managers to identify workable security solutions," in The New Security Paradigms Workshop (NSPW) 2010. ACM, 2010, pp. 33-50.
9. R. Kainda, I. Flechais, and A. Roscoe, "Security and usability: Analysis and evaluation," in International Conference on Availability, Reliability and Security (ARES). IEEE, 2010, pp. 275-282.
10. M. Pattinson and G. Anderson, "How well are information risks being communicated to your computer end-users?" Information Management & Computer Security, vol. 15, no. 5, pp. 362-371, 2007. (Pubitemid 47527421)
11. S. Creese and K. Lamberts, "Can cognitive science help us make online risk more tangible?" IEEE Intelligent Systems, vol. 24, no. 6, pp. 32-36, 2009.
12. F. Farahmand, M. Dark, S. Liles, and B. Sorge, "Risk perceptions of information security: A measurement study," in International Conference on Computational Science and Engineering. IEEE Computer Society, 2009, pp. 462-469.
13. J. Blythe, J. Camp, and V. Garg, "Targeted risk communication for computer security," in 15th International Conference on Intelligent User Interfaces, 2011, pp. 295-298.
14. L. J. Camp, "Mental models of privacy and security," IEEE Technology and Society Magazine, vol. 28, no. 3, pp. 37-46, 2009.
15. K. Kelton, K. R. Fleischmann, and W. A. Wallace, "Trust in digital information," Journal of the American Society for Information Science and Technology, vol. 59, no. 3, pp. 363-374, 2008. (Pubitemid 351288080)
16. J. R. C. Nurse, S. S. Rahman, S. Creese, M. Goldsmith, and K. Lamberts, "Information quality and trustworthiness: A topical state-of-the-art review," in International Conference on Computer Applications and Network Security (ICCANS). IEEE Press, 2011, pp. 492-500.
17. Y. Gil and D. Artz, "Towards content trust of web resources," Journal of Web Semantics: Science, Services and Agents on the World Wide Web, vol. 5, no. 4, pp. 227-239, 2007. (Pubitemid 350180647)
18. A. J. Pickard, P. Gannon-Leary, and L. Coventry, "Trust in 'E': Users' trust in information resources in the web environment," in ENTERprise Information Systems, ser. Communications in Computer and Information Science, J. E. Quintela Varajo, Ed., 2010, vol. 110, pp. 305-314.
19. S. Moturu and H. Liu, "Quantifying the trustworthiness of social media content," Distributed and Parallel Databases, pp. 1-22, 2010.
20. National Research Council (NRC) USA, Improving Risk Communication. National Academy of Sciences, 1989. [Online]. Available: http://www.nap.edu/ openbook.php?record-id=1189
21. K. Calman, "The language of risk: a question of trust," Transfusion, vol. 41, no. 11, pp. 1326-1328, 2001. (Pubitemid 33104216)
22. -, "The William Pickles Lecture. Issues of risk:'this unique opportunity'," The British Journal of General Practice, vol. 51, no. 462, pp. 47-51, 2001.
23. International Organization for Standardization (ISO), "ISO/IEC guide 73 risk management - vocabulary - guidelines for use in standards," Tech. Rep., 2002.
24. B. Rohrmann, "The evaluation of risk communication effectiveness," Acta psychologica, vol. 81, no. 2, pp. 169-192, 1992.
25. -, "Risk perception, risk attitude, risk communication, risk management: a conceptual appraisal," in 15th Internaional Emergency Management Society (TIEMS) Annual Conference, 2008.
26. B. Fischhoff, A. Bostrom, and M. Quadrel, "Risk perception and communication," Annual Review of Public Health, vol. 14, no. 1, pp. 183-203, 1993. (Pubitemid 23161717)
27. P. Slovic, "Trust, emotion, sex, politics, and science: Surveying the risk-assessment battlefield," Risk analysis, vol. 19, no. 4, pp. 689-701, 1999.
28. E. Peters, K. McCaul, M. Stefanek, and W. Nelson, "A heuristics approach to understanding cancer risk perception: contributions from judgment and decision-making research," Annals of Behavioral Medicine, vol. 31, no. 1, pp. 45-52, 2006.
29. C. Jenkin, "Risk perception and terrorism: Applying the psychometric paradigm," Homeland Security Affairs, vol. 2, no. 2, pp. 1-14, 2006.
30. Y. Asnar and N. Zannone, "Perceived risk assessment," in 4th ACM workshop on Quality of protection, 2008, pp. 59-64.
31. P. Slovic, "Perception of risk," Science, vol. 236, no. 4799, pp. 280-285, 1987. (Pubitemid 17061043)
32. C. Skubisz, T. Reimer, and U. Hoffrage, "Communicating quantitative risk information," in Communication yearbook: Vol. 33, C. S. Beck, Ed. Routledge, 2009, pp. 177-211.
33. C. Stout, "Using Psychology to Counter Terrorism at the Personal and Community Level," in Psychology of terrorism: Coping with the continuing threat, C. Stout, Ed. Praeger Publishers/Greenwood Publishing Group, 2004, pp. 1-31.
34. I. Lipkus and J. Hollands, "The visual communication of risk," J. Natl Cancer Inst Monographs, vol. 1999, no. 25, pp. 149-163, 1999.
35. J. Hibbard and E. Peters, "Supporting informed consumer health care decisions: data presentation approaches that facilitate the use of information in choice," Annual Review of Public Health, vol. 24, no. 1, pp. 413-433, 2003. (Pubitemid 37056038)
36. I. Lipkus, "Numeric, verbal, and visual formats of conveying health risks: suggested best practices and future recommendations," Medical Decision Making, vol. 27, no. 5, pp. 696-713, 2007. (Pubitemid 47547606)
37. E. Peters, N. Dieckmann, A. Dixon, J. Hibbard, and C. Mertz, "Less is more in presenting quality information to consumers," Medical Care Research and Review, vol. 64, no. 2, pp. 169-190, 2007. (Pubitemid 46570715)
38. D. Timmermans, C. Ockhuysen-Vermey, and L. Henneman, "Presenting health risk information in different formats: the effect on participants' cognitive and emotional evaluation and decisions," Patient Education and Counseling, vol. 73, no. 3, pp. 443-447, 2008.
39. E. Waters, H. Sullivan, W. Nelson, and B. Hesse, "What is my cancer risk? how internet-based cancer risk assessment tools communicate individualized risk estimates to the public: content analysis," Journal of Medical Internet Research, vol. 11, no. 3, 2009.
40. V. Visschers, R. Meertens, W. Passchier, and N. De Vries, "Probability information in risk communication: a review of the research literature," Risk Analysis, vol. 29, no. 2, pp. 267-287, 2009.
41. E. Peters, "Numeracy and the perception and communication of risk," Annals of the NY Academy of Sciences, vol. 1128, no. 1, pp. 1-7, 2008. (Pubitemid 351652569)
42. I. Lipkus, G. Samsa, and B. Rimer, "General performance on a numeracy scale among highly educated samples," Medical Decision Making, vol. 21, no. 1, pp. 37-44, 2001. (Pubitemid 32245029)
43. S. Woloshin, L. Schwartz, M. Moncur, S. Gabriel, and A. Tosteson, "Assessing values for health: numeracy matters," Medical Decision Making, vol. 21, no. 5, pp. 380-388, 2001.
44. A. Fagerlin, P. Ubel, D. Smith, and B. Zikmund-Fisher, "Making numbers matter: present and future research in risk communication," American Journal of Health Behavior, vol. 31, no. 1, pp. 47-56, 2007.
45. G. Gigerenzer and A. Edwards, "Simple tools for understanding risks: from innumeracy to insight," BMJ: British Medical Journal, vol. 327, no. 7417, pp. 741-744, 2003. (Pubitemid 37176763)
46. R. Thomson, A. Edwards, and J. Grey, "Risk communication in the clinical consultation," Clinical Medicine, Journal of the Royal College of Physicians, vol. 5, no. 5, pp. 465-469, 2005. (Pubitemid 41503098)
47. C. Keller, M. Siegrist, and V. Visschers, "Effect of Risk Ladder Format on Risk Perception in High-and Low-Numerate Individuals," Risk analysis, vol. 29, no. 9, pp. 1255-1264, 2009.
48. B. Zikmund-Fisher, A. Fagerlin, and P. Ubel, "A Demonstration of Less Can Be Morein Risk Graphics," Medical Decision Making, vol. 30, no. 6, pp. 661-671, 2010.
49. E. Kurz-Milcke, G. Gigerenzer, and L. Martignon, "Transparency in risk communication," Annals of the New York Academy of Sciences, vol. 1128, no. 1, pp. 18-28, 2008.
50. A. Alaszewski and T. Horlick-Jones, "How can doctors communicate information about risk more effectively?" British Medical Journal, vol. 327, no. 7417, pp. 728-731, 2003. (Pubitemid 37176758)
51. P. Wiedemann, H. Schutz, and M. Clauberg, "Lessons learned: Avoiding pitfalls in risk communication," in International Conference and COST 281 Workshop on Emerging EMF Technologies, Potential Sensitive Groups and Health, 2006.
52. I. Lin and D. D. Petersen, "Risk Communication in Action: The tools of message mapping," U.S. Environmental Protection Agency (EPA), Tech. Rep. EPA/625/R-06/012, 2007.
53. R. Rudd, J. Comings, and J. Hyde, "Leave no one behind: improving health and risk communication through attention to literacy," Journal of health communication, vol. 8, pp. 104-115, 2003.
54. L. Sjöberg, "Factors in risk perception," Risk analysis, vol. 20, no. 1, pp. 1-12, 2000.
55. C. Keller, M. Siegrist, and H. Gutscher, "The role of the affect and availability heuristics in risk communication," Risk Analysis, vol. 26, no. 3, pp. 631-639, 2006. (Pubitemid 43944581)
56. P. Slovic, M. Finucane, E. Peters, and D. MacGregor, "Risk as analysis and risk as feelings: Some thoughts about affect, reason, risk, and rationality," Risk analysis, vol. 24, no. 2, pp. 311-322, 2004. (Pubitemid 38620129)
57. J. Jackson, N. Allum, and G. Gaskell, "Perceptions of risk in cyberspace," in Trust and Crime in Information Societies. Edward Elgar, 2005, pp. 245-281.
58. T. Earle and M. Siegrist, "Trust, Confidence and Cooperation model: a framework for understanding the relation between trust and Risk Perception," International Journal of Global Environmental Issues, vol. 8, no. 1, pp. 17-29, 2008. (Pubitemid 351301194)
59. D.-L. Huang, P.-L. Rau, and G. Salvendy, "A survey of factors influencing peoples perception of information security," in Human-Computer Interaction. HCI Applications and Services, ser. Lecture Notes in Computer Science, J. Jacko, Ed. Springer, 2007, vol. 4553, pp. 906-915.
60. I. Gabriel and E. Nyshadham, "A cognitive map of people's online risk perceptions and attitudes: An empirical study," in 41st Hawaii International Conference on System Sciences, 2008, pp. 274-283.
61. F. Farahmand, M. Atallah, and B. Konsynski, "Incentives and perceptions of information security risks," 29th International Conference on Information Systems (ICIS), pp. 25-41, 2008.
62. L. Chen and D. Farkas, "An investigation of decision-making and the tradeoffs involving computer security risk," 15th Americas Conference on Information Systems (AMCIS), pp. 610-618, 2009.
63. R. West, C. Mayhorn, J. Hardee, and J. Mendel, "The weakest link: A psychological perspective on why users make poor security decisions," in Social and Human Elements of Information Security: Emerging Trends and Countermeasures. IGI Global, 2009, pp. 43-60.
64. R. West, "The psychology of security," Communications of the ACM, vol. 51, no. 4, pp. 34-40, 2008. (Pubitemid 351530776)
65. P. Wang and E. Nyshadham, "Knowledge of online security risks and consumer decision making: An experimental study," in 44th Hawaii International Conference on Systems Sciences (HICSS). IEEE Computer Society, 2011, pp. 1-10.
66. P. Johnson-Laird, Mental models: Towards a cognitive science of language, inference, and consciousness. Harvard Univ Press, 1983.
67. T. Ibrahim, S. Furnell, M. Papadaki, and N. Clarke, "Assessing the usability of end-user security software," in Trust, Privacy and Security in Digital Business, ser. Lecture Notes in Computer Science, S. Katsikas, J. Lopez, and M. Soriano, Eds. Springer, 2010, vol. 6264, pp. 177-189.
68. C. Bravo-Lillo, L. Cranor, J. Downs, and S. Komanduri, "Bridging the gap in computer security warnings: A mental model approach," IEEE Security & Privacy, vol. 9, no. 2, pp. 18-26, 2011.
69. P. Jaferian, D. Botta, F. Raja, K. Hawkey, and K. Beznosov, "Guidelines for designing IT security management tools," in 2nd ACM Symposium on Computer Human interaction For Management of information Technology, 2008, pp. 1-10.
70. P. Jaferian, K. Hawkey, A. Sotirakopoulos, and K. Beznosov, "Heuristics for evaluating it security management tools," in 2011 Annual Conference Extended Abstracts on Human factors in Computing Systems. ACM, 2011, pp. 1633-1638.
71. S. Chiasson, R. Biddle, and A. Somayaji, "Even experts deserve usable security: Design guidelines for security management systems," in Symposium on Usable Security and Privacy Workshop at Usable IT Security Management (USM), 2007, pp. 1-4.
72. E. Kandogan and E. Haber, "Security administration tools and practices," in Security and Usability: Designing Secure Systems that People Can Use. O'Reilly, 2005, pp. 357-376.
73. i2 Limited, "i2 Clarity Platform and Analysis Product Line." [Online]. Available: http://www.i2group.com/uk/products-services
74. Future Point Systems, "Starlight Visual Information System™(VIS)." [Online]. Available: http://www.futurepointsystems. com/
75. Lookingglass Cyber Solutions, "ScoutVision™." [Online]. Available: http://www.lgscout.com/products/scoutvision
76. J. Rasmussen, K. Ehrlich, S. Ross, S. Kirk, D. Gruen, and J. Patterson, "Nimble cybersecurity incident management through visualization and defensible recommendations," in 7th International Symposium on Visualization for Cyber Security (VizSec). ACM, 2010, pp. 102-113.
77. V. Bier, "On the state of the art: risk communication to the public," Reliability Engineering & System Safety, vol. 71, no. 2, pp. 139-150, 2001. (Pubitemid 32034818)
78. K. O'Doherty and G. Suthers, "Risky communication: pitfalls in counseling about risk, and how to avoid them," Journal of Genetic Counseling, vol. 16, no. 4, pp. 409-417, 2007. (Pubitemid 47305499)
79. N. D. Weinstein and P. M. Sandman, "Some Criteria for Evaluating Risk Messages," Risk Analysis, vol. 13, no. 1, pp. 103-114, 1993. (Pubitemid 23082186)
80. P. Shi, H. Xu, and X. Zhang, "Informing security indicator design in web browsers," in 2011 iConference. ACM, 2011, pp. 569-575.