Psychological Distance in
Cyber Decision Making:
Information about the Attackers
52nd Edwards Bayesian Research Conference
Fullerton, 15 February 2014
Jinshu Cui, Department of Psychology
Heather Rosoff, Sol Price School of Public Policy
Richard John, Department of Psychology
CREATE, University of Southern California
Evaluation of Cyber Threats
Identity
theft?
Financial
fraud?
Computer
crash?
• Human operators are often thought of as a major cause of
security failures - “the weakest link in the chain” [Schneier
2008]
• It is difficult for human operators to take cyber threats
seriously when few cause serious consequences at the
individual level
• Critical to understand perception and behavioral response to
cyber threats
Previous Research
• Experience of a near miss significantly increased
respondents’ endorsement of safer options, the effect
was bigger under a gain frame than a loss frame.
• Experience of a hit significantly increased respondents’
endorsement of safer options relative to the near miss
past experience.
• Experience of a false alarm significantly decreased
respondents’ likelihood of endorsing safer response
options, compared to the near miss past experience.
Rosoff, H., Cui, J., & John, R. S. (2013). Heuristics and biases in cyber security dilemmas. Environment Systems
and Decisions, 33(4), 517-529.
Real Crime vs. Cyber Crime
• Personally targeted
• Instant consequences
• Have information about the
offender, have interaction
with the offender, concern
about the offender
• Group targeted
• Delayed consequences
• Rarely have information about
the attacker, have no interaction
with the attacker, ignore the
attacker
Who? Why?
Motivation
• Construal level theory (CLT) – “distant” attacks will be
viewed abstractly, and “proximal” attacks will be
viewed concretely. (Trope & Liberman, 2003, 2010; Trope,
Liberman, & Wakslak, 2007)
Information about Attackers
Attributes
Psychological Distance
Construal Level
attacker
unknown
most distant
highest
group
distant
high
individual
proximal
low
physical identified individual
most proximal
lowest
unknown
most distant
highest
terrorism
distant
high
fame
proximal
low
money
most proximal
lowest
identification
attacker
motivations
Experiment 1 – Research Questions
• Attacker identification
o group or individual
o physical identified or not
• Attack tactics
o personal account
o database
Experiment 2 – Research Questions
• Attacker Motivations
o money: purchase luxury items
o fame: increase his visibility and reputation within the
hacker community
o terrorism: provide financial support to a Middle Eastern
terrorist group
• Resolution Status
o resolved
o unresolved
Experiment 1 - Design
• Financial attack scenario
• 4 (attacker identification) x 2 (attack tactics)
between-subjects design
• Manipulations
– Attacker identification:
• unknown
• group
• individual
• individual with picture
– Attack tactics: database vs. personal account
Official Bank Notification
___________________________________________________
August 2, 2013
Dear Valued Customer,
We are writing to notify you that two days ago, there was an
unauthorized attempt to withdraw all of your current funds. (personal
account) As of now, we know an individual online hacker is
responsible for the breach into your account. (individual attacker)
The hacker acted alone in carrying out the attack.
We are working with law enforcement officials and regret any
concern or inconvenience this incident may have caused you. We will
keep you informed as we make progress in his capture.
Kindest Regards,
Your Bank
Experiment 1 – Measures
• 10-item PANAS
– 1 (not at all) to 5 (extremely)
– 5-item negative affect: α = 0.94
– 5-item positive affect: α = 0.84
• 4-item Risk Perception:
– 0 to 10 / 0% to 100%
– α = 0.83
• 8-item Behavioral Intention:
– 1 (strongly disagree) to 5 (strongly agree)
– 3-item stay with bank: α = 0.63
– 3-item stay away from bank: α = 0.75
Experiment 1 – Respondents
•
•
•
•
•
•
•
Recruited from Amazon Mechanical Turk
N = 239
$0.55 each
Median time to complete: 6 min
43 % female
50% 18-30 years old
98.3% shop online, 92.9% bank online
Experiment 1 – Negative Affect
Less negative affect associated with pictured individual attacker
compared to individual attacker without a picture (p = .038)
Mean Negative Affect (1-5)
4.5
Mean Score of Negative Affect
attack
tactics
4
3.5
database
personal
3
2.5
2
individual
individual with picture
attacker identification
low psychological distance would increase participants’ interest in
subordinate and secondary aspects (Liviatan, Trope, and
Liberman, 2008)
Experiment 1 – Positive Affect
More positive affect was experienced if a personal account was
attacked compared to a database (p = .024)
Mean Positive Affect (1-5)
2.8
Mean Score of Positive Affect
2.6
2.4
attack
tactics
2.2
2
group
1.8
individual
1.6
individual with
picture
unknown
1.4
1.2
1
database
personal
attacker identification
Experiment 1 – Protective Behavior
When database was attacked, respondents are more willing to
count on the bank when the attacker was physically identified;
with an individual account attacked, there is little difference. (p =
0.036)
Expectation on Bank (1-5)
5
Mean Score of Expectation on Bank
4.9
4.8
4.7
attack
tactics
4.6
4.5
4.4
individual
4.3
individual
with picture
4.2
4.1
4
database
personal
attacker identification
Experiment 1 – Sex as a Moderator
Female respondents tended to experience more negative
affect (p = .014), higher perceived risk (p = .022), and
were more likely to support for government’s intervention
for online protection (p = .021) (Hale, 1996)
Experiment 2 - Design
• Identity theft scenario
• 4 (perpetrator’s motivation) x 3 (resolution status)
between-subjects design
• Manipulations
– Perpetrator’s motivation:
•
•
•
•
fame
money
terrorism
unknown
– Resolution status:
• resolved
• unresolved
• unknown
Experiment 2 – Scenes 1 and 2
Scene 1: This morning in the mail you received a credit card statement in
your name from a company with which you do not have an
account. As you looked over the statement, you noticed several cash
advances totaling $500. (PANAS)
Scene 2: One week following your receipt of the suspicious credit card
statement, you receive the following voice mail:
“Good morning, my name is Gabriel Dawson from the Identity Theft
Unit of the Police Department. Our investigation into a cyber
perpetrator has led us to believe your personal computer has been
compromised. We believe this individual hacked into your computer
and obtained access to your email account and the cache data of your
online activities. In doing so, he was able to obtain your usernames,
passwords, banking information, and other personal information. Our
investigation thus far shows no evidence that can confirm the
perpetrator's intent. (unknown motivation) I plan to be in touch in
the coming weeks to report on the progress of our investigation.
Please be vigilant in reporting to us any suspicious mail, email, or
phone call. Thank you.“ (PANAS, risk perception, short-term
behavior)
Experiment 2 – Scenes 3 and 4
Scene 3: In the days following the call from the Identity Theft Unit, you notice
an increase in suspicious activity. You are receiving more spam
emails, junk mails and phone calls from solicitors. More notably is
your receipt of a phone call from the Department of Motor Vehicles
confirming the issuance of a new driver's license you did not order.
You also receive a letter in the mail from the Internal Revenue
Service inquiring about your filing of duplicate income tax returns,
suggesting that fraudulent returns were submitted in your
name. (PANAS)
Scene 4: Moving ahead to several weeks following the call from the Identity
Theft Unit of the Police Department, you receive yet another
credit card statement in the mail from a company with which
you do not have an account. This statement has a $1,500
balance. (unresolved) It is clear that you are continuing to
experience complications as a result of your identity theft and that
you are still at risk. (PANAS, risk perception, long-term
behavior)
Experiment 2 - Measures
• 10-item negative affect (from PANAS):
– 1 (not at all) to 5 (extremely)
– 8-item negative affect (4 time periods): α = 0.93, 0.92, 0.92, 0.94
• 8-item Risk Perception:
– 1 (strongly disagree) to 6 (strongly agree)
– 5-item risk perception (2 time periods): α = 0.81, 0.83
• 10-item short-term behavior:
– check all that apply
– Summed number of checked responses
• 12-item long-term behavior:
– 1 (strongly disagree) to 6 (strongly agree)
– 9-item long-term behavior: α = 0.86
Experiment 2 - Respondents
•
•
•
•
•
•
•
Recruited from Amazon Mechanical Turk
N = 419
$0.75 each
Median time to complete: 7 min
44 % Female
50% 18-29 years old
72% have at least one credit card, of which:
– 8% have had an account opened fraudulently in their
name
– 6% pay for an identity theft protection service
Experiment 2 – Negative Affect
Respondents experienced less negative affect when the
identity theft case was resolved compared to unresolved or
unknown
Negative Affect (1-5)
4.5
Mean Score of Negative Affect
(Scene 4)
4
perpetrator's
motivation
3.5
3
fame
money
2.5
terrorism
2
unknown
1.5
resolved
unknown
resolution status
unresolved
Experiment 2 – Risk Perception
Respondents perceived less risk of identity theft when the
perpetrator was to fund terrorism compared to for money or
fame
Risk Perception (1-6)
Mean Score of Risk Perception
5.2
(scene 2)
5.1
5
4.9
4.8
4.7
4.6
4.5
fame
money
terrorism
resolution status
Participants in the low psychological distance condition
reported higher risk perceptions (Chandran&Menon, 2004)
Experiment 2 – Risk Perception
Respondents perceived less risk of identity theft when the
situation was resolved compared to unresolved or unknown
Risk Perception (1-6)
5.6
5.4
Mean Score of Risk Perception
(scene 4)
perpetrator's
motivation
5.2
money
5
4.8
terrorism
4.6
4.4
4.2
4
resolved
unknown
resolution status
unresolved
Experiment 2 – Long Term Protective Behavior
Mean Long-term Behavior (1-6)
Participants are more willing to pursue long-term behavior
of online identity protection when the identity theft case was
unresolved or unknown than if it was resolved.
Mean Score of Long-term Behavior
(Scene 4)
5
4.5
perpetrator's
motivation
4
money
3.5
terrorism
3
2.5
2
resolved
unknown
resolution status
unresolved
Experiment 2 – Sex as a Moderating Variable
Female participants tended to experience more negative
affect, high perceived risk, were more likely to seek help
(short-term behavior) and more likely to pursue online
identity protection (long-term behavior)
Conclusions
• Cyber attacker and attack characteristics influence
respondents’ affective responses, risk perceptions, and
intended long term behavior
• Cyber Attacker Identification (Individual, Group,
Individual with Picture, UK)
• Cyber Attack Tactics (Personal account vs. Database)
• Cyber Attackers’ Motivations (Fame, Money, Terror, UK)
• Resolution of Cyber Attack (Resolved, Unresolved, UK)
Psychological Distance in
Cyber Decision Making:
Information about the Attackers
52nd Edwards Bayesian Research Conference
Fullerton, 15 February 2014
Jinshu Cui, Department of Psychology
Richard John, Department of Psychology
Heather Rosoff, Sol Price School of Public Policy
CREATE, University of Southern California
Overview
• Research Questions
– Do attacker identification (e.g., picture or not), attack
tactics (i.e., personal account or database), motivations
of the perpetrator (e.g., money, terrorism), or resolution
of the event influence emotional, cognitive and
behavioral responses?
• Experiment 1
– Financial Fraud: attacker identification, attack tactics
• Experiment 2
– Identity Theft: perpetrator’s motivation, resolution status