Revealing the cyber security non-compliance “attribution gulf”

Jacques Ophoff; Karen Renaud

Revealing the cyber security non-compliance “attribution gulf”

Jacques Ophoff, Karen Renaud

Division of Cybersecurity

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

2 Citations (Scopus)

95 Downloads (Pure)

Abstract

Non-compliance is a well-known issue in the field of cyber security. Non-compliance usually manifests in an individual’s sins of omission or commission, and it is easy to conclude that the problem is attributable to their personal flawed decision making. However, the individual’s decision not to comply is likely also to be influenced by a range of environmental and contextual factors. Bordieu, for example, suggests that personal habitus influences decisions. We identified a wide range of possible explanations for non-compliance from the research literature and classified these, finding that a number of the identified factors were indeed habitus related. We then used Q-methodology to determine which of these non-compliance explanations aligned with public attributions of non-compliance causatives. We discovered an “attribution gulf”, with popular opinion attributing non-compliance primarily to individual failings or ignorance. The existence of this attribution gap means that those designing cyber security interventions are likely to neglect the influence of habitus on choices and decisions. We need to broaden our focus if non-compliance is to be reduced.

Original language	English
Title of host publication	Proceedings of the 54th Annual Hawaii International Conference on System Sciences
Editors	Tung X. Bui
Place of Publication	Honolulu, HI
Publisher	University of Hawaii at Manoa
Pages	4557-4566
Number of pages	10
ISBN (Print)	9780998133140
Publication status	Published - 5 Jan 2021
Event	Hawaii International Conference on System Sciences - Virtual venue, United States Duration: 4 Jan 2021 → 8 Jan 2021 Conference number: 54th https://scholarspace.manoa.hawaii.edu/handle/10125/72112

Publication series

Name	Proceedings of the 54th Annual Hawaii International Conference on System Sciences
ISSN (Electronic)	2572-6862

Conference

Conference	Hawaii International Conference on System Sciences
Abbreviated title	HICSS-54
Country/Territory	United States
Period	4/01/21 → 8/01/21
Internet address	https://scholarspace.manoa.hawaii.edu/handle/10125/72112

Keywords

Innovative behavioral IS security and privacy research
Common wisdom
Habitus
Non-compliance

UN SDGs

This output contributes to the following UN Sustainable Development Goals (SDGs)

Access to Document

Ophoff_RevealingTheCyberSecurityNon-Compliance_Published_2021Final published version, 817 KBLicence: CC BY-NC-ND

http://hdl.handle.net/10125/71169Licence: CC BY-NC-ND

Data for: Revealing the cyber security non-compliance "Attribution Gulf"
Ophoff, J. (Creator) & Renaud, K. (Creator), Figshare, 16 Jun 2022
DOI: 10.6084/m9.figshare.20079464
Dataset

Cite this

@inproceedings{cd474feff10c4b7890d45db941700737,

title = "Revealing the cyber security non-compliance “attribution gulf”",

abstract = "Non-compliance is a well-known issue in the field of cyber security. Non-compliance usually manifests in an individual{\textquoteright}s sins of omission or commission, and it is easy to conclude that the problem is attributable to their personal flawed decision making. However, the individual{\textquoteright}s decision not to comply is likely also to be influenced by a range of environmental and contextual factors. Bordieu, for example, suggests that personal habitus influences decisions. We identified a wide range of possible explanations for non-compliance from the research literature and classified these, finding that a number of the identified factors were indeed habitus related. We then used Q-methodology to determine which of these non-compliance explanations aligned with public attributions of non-compliance causatives. We discovered an “attribution gulf”, with popular opinion attributing non-compliance primarily to individual failings or ignorance. The existence of this attribution gap means that those designing cyber security interventions are likely to neglect the influence of habitus on choices and decisions. We need to broaden our focus if non-compliance is to be reduced.",

author = "Jacques Ophoff and Karen Renaud",

year = "2021",

month = jan,

day = "5",

language = "English",

isbn = "9780998133140",

series = "Proceedings of the 54th Annual Hawaii International Conference on System Sciences",

publisher = "University of Hawaii at Manoa",

pages = "4557--4566",

editor = "Bui, {Tung X.}",

booktitle = "Proceedings of the 54th Annual Hawaii International Conference on System Sciences",

note = "Hawaii International Conference on System Sciences, HICSS-54 ; Conference date: 04-01-2021 Through 08-01-2021",

url = "https://scholarspace.manoa.hawaii.edu/handle/10125/72112",

}

Ophoff, J & Renaud, K 2021, Revealing the cyber security non-compliance “attribution gulf”. in TX Bui (ed.), Proceedings of the 54th Annual Hawaii International Conference on System Sciences. Proceedings of the 54th Annual Hawaii International Conference on System Sciences, University of Hawaii at Manoa, Honolulu, HI, pp. 4557-4566, Hawaii International Conference on System Sciences, Hawaii, United States, 4/01/21. <http://hdl.handle.net/10125/71169>

Revealing the cyber security non-compliance “attribution gulf”. / Ophoff, Jacques; Renaud, Karen.
Proceedings of the 54th Annual Hawaii International Conference on System Sciences. ed. / Tung X. Bui. Honolulu, HI: University of Hawaii at Manoa, 2021. p. 4557-4566 (Proceedings of the 54th Annual Hawaii International Conference on System Sciences).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Revealing the cyber security non-compliance “attribution gulf”

AU - Ophoff, Jacques

AU - Renaud, Karen

N1 - Conference code: 54th

PY - 2021/1/5

Y1 - 2021/1/5

N2 - Non-compliance is a well-known issue in the field of cyber security. Non-compliance usually manifests in an individual’s sins of omission or commission, and it is easy to conclude that the problem is attributable to their personal flawed decision making. However, the individual’s decision not to comply is likely also to be influenced by a range of environmental and contextual factors. Bordieu, for example, suggests that personal habitus influences decisions. We identified a wide range of possible explanations for non-compliance from the research literature and classified these, finding that a number of the identified factors were indeed habitus related. We then used Q-methodology to determine which of these non-compliance explanations aligned with public attributions of non-compliance causatives. We discovered an “attribution gulf”, with popular opinion attributing non-compliance primarily to individual failings or ignorance. The existence of this attribution gap means that those designing cyber security interventions are likely to neglect the influence of habitus on choices and decisions. We need to broaden our focus if non-compliance is to be reduced.

AB - Non-compliance is a well-known issue in the field of cyber security. Non-compliance usually manifests in an individual’s sins of omission or commission, and it is easy to conclude that the problem is attributable to their personal flawed decision making. However, the individual’s decision not to comply is likely also to be influenced by a range of environmental and contextual factors. Bordieu, for example, suggests that personal habitus influences decisions. We identified a wide range of possible explanations for non-compliance from the research literature and classified these, finding that a number of the identified factors were indeed habitus related. We then used Q-methodology to determine which of these non-compliance explanations aligned with public attributions of non-compliance causatives. We discovered an “attribution gulf”, with popular opinion attributing non-compliance primarily to individual failings or ignorance. The existence of this attribution gap means that those designing cyber security interventions are likely to neglect the influence of habitus on choices and decisions. We need to broaden our focus if non-compliance is to be reduced.

M3 - Conference contribution

SN - 9780998133140

T3 - Proceedings of the 54th Annual Hawaii International Conference on System Sciences

SP - 4557

EP - 4566

BT - Proceedings of the 54th Annual Hawaii International Conference on System Sciences

A2 - Bui, Tung X.

PB - University of Hawaii at Manoa

CY - Honolulu, HI

T2 - Hawaii International Conference on System Sciences

Y2 - 4 January 2021 through 8 January 2021

ER -

Revealing the cyber security non-compliance “attribution gulf”

Abstract

Publication series

Conference

Keywords

UN SDGs

Access to Document

Fingerprint

Datasets

Data for: Revealing the cyber security non-compliance "Attribution Gulf"

Cite this