Currently, Information Technologies (IT) are present in many of the activities we perform in our everyday lives. They have long been the basis of our interpersonal communication and are increasingly used for various personal and economic functions, mainly for our financial transactions.
This context and, of course, this last role, have spurred a major evolution of crime in the cyber realm, which currently represents the leading problem for the world of security: providing cybercrime protection.
This means that companies and governments are starting to look to cybersecurity as a key survival element. The danger no longer looms over vulnerable and uninformed users; large multinationals, critical infrastructure and even governments are being attacked and hijacked by the new digital terrorism because of an insufficient cybercrime protection.
Until now, cybercrime protection has been firmly based on technical protection such as antiviruses or firewalls that try to defend computer systems against external threats. However, computer security must be developed using a global and complementary approach, where the machine and the user, the system and the human being work in a coordinated way to reduce risks and respond to threats.
Along with this technical cybersecurity, it is necessary to address personal protection for the user, a context that needs development and for which we must ask ourselves some initial questions. Can we get users to try to protect themselves online against cybercrime? Can we motivate them to actually engage in self-protective behaviors?
Little has been studied about user motivation in the IT context and we still do not know what variables can influence users to protect themselves against cybercrime carrying out secure virtual behaviors.
To understand how we can get users to protect themselves against cybercrime, we can look at disease and health.
Some time ago, a new vision of health management based on prevention and healthy behavior emerged in healthcare. Instead of dedicating effort and money to fighting diseases with new drugs and treatments, some experts thought that it might be more useful to train and teach people to prevent disease with healthy behaviors.
Improving their diet, exercising or quitting smoking were behaviors that could be more effective and cheaper in the long run than investing in drugs and reactive research. This clearly starts with a paradigm shift in which the patient becomes part of their own health management, implementing changes in those behaviors that could lead to disease. To do this, the person must be motivated to make these changes.
This context is where the Protection Motivation Theory comes in, where the motivational process that is behind disease coping behaviors is analyzed, which could also help to understand and strengthen these protective behaviors in the case of cybercrime protection.
According to this theory, there are two processes involved in people being motivated to engage in protective behaviors: safety awareness and cognitive mediation.
The safety awareness process involves knowing what threats exist and what protective measures are available against them. That is, the subject must know and be aware that there are certain dangers in the use of IT that can cause them varying problems: identity theft, economic loss, extortion, device disabling, legal problems....
Until the person is aware of this threat it will be very difficult for them to act on it. But, in addition, the person also must be aware of the protective measures that they can take. This means that the subject must know the danger, but must also know that they can do something about it and protect themselves against cybercrime.
This security awareness process represents an attitude towards the threat and is the first step towards achieving a coping behavior. However, we need something else to promote motivation for change: cognitive mediation. This second process is also subdivided into two areas: threat assessment and coping strategy assessment.
Threat assessment means that the subject evaluates the danger posed by the threat and their vulnerability to it. One example is CEO fraud for a company's senior manager, who perceives that if they are attacked with this method they might lose a significant amount of money. In turn, as they are responsible for accounting and have been in the company for a short time, they realize it would be quite easy to be fooled with such attacks.
The other area of cognitive mediation is the assessment of coping strategies, which involves knowing the efficacy of a certain coping response along with the feeling of being able to carry it out successfully.
Continuing with the previous example, the accounting officer knows that they must verify the authenticity of the emails they receive and the bank accounts indicated on any invoices, and they also have the necessary means of verification in their accounting database. This makes the strategy efficient and gives the user a feeling of self-efficacy.
With these two general processes and the different areas of knowledge involved in each of them, we have all the necessary ingredients to generate cybercrime protection behaviors among users.
To continue with the health analogy, obtaining results so that users are motivated to carry out self-protection behaviors involves an initial investment in dissemination.
Cybersecurity should cease to be an area familiar exclusively to technicians. Even though the media and companies are increasingly sensitive to cybercrime, diffusion of the problem from a preventive perspective is still needed. Generally, cybercrimes tend to become publicized with two features that don't help much in generating coping attitudes:
This form of presentation affects threat awareness, as users do not feel an immediate concern as potential victims of cybercrime and therefore don’t feel the need for cybercrime protection. But, in turn, it also affects perceived vulnerability, since users also think that they have security levels suitable for handling the low probability of becoming a cybercrime victim.
Therefore, it is necessary to change this perception of cybercrime, to make it something closer to each user—not those who download any type of program or who do not have protective software installed, but to normal users.
To make it clear that hackers don’t only attack the Pentagon or the central bank, but also seek out small businesses to rob from them and extort them. Users like us or companies like ours can become cybercrime victims, so the threat is real and close. We are all at risk.
This threat awareness is basic and should not be avoided because of fears that it might generate fear and panic among the public. Just as we are aware of the possibility of becoming cybercrime victims, we also have the advantage and the power to do something about it, to become aware of how to react. And this is the second phase: after disseminating information, investment is needed in training, teaching and demonstrating coping strategies; measures that do not involve tremendous effort or technical training.
Leaving suspicious emails unopened or changing passwords every 6 months is so easy, but at the same time these actions are so useful that they can avoid dreaded phishing attacks.
This new approach generates empowerment in users who are the great obstacle faced by cybercriminals: people who overcome fear and become consciously responsible for their own security. When we reach this point of awareness and active cybercrime protection, it will represent a very important paradigm shift in the development of cybersecurity.