
Study Shows 47% of Users Would Compromise Their Computer Security for a Reward

A research paper by Li-Chiou Chen & Daniel Farkas

October 11, 2021

High-Risk Websites Have a Market

For any business organization, it is not enough to create a secure information architecture. To stay safe, companies must address the human factors that affect cybersecurity. When employees take computer security lightly, they put the organization’s systems at risk.

In a study published by the Americas Conference on Information Systems (AMCIS), researchers Li-Chiou Chen and Daniel Farkas at Pace University, New York, sought to understand how people make computer security decisions. They wanted to know whether users would be willing to buy from a shady website if the price was lower than at a more secure online store, and how much lower the price would have to be for the user to be comfortable enough to purchase on the shady website.

Monetary Rewards, Culture, and Security Skills

The study involved 131 undergraduate and graduate students taking courses both in-person and online at a university in the U.S., 121 of whom completed the whole survey. The participants included graduate students from Bangalore, India, who were taking the courses over the internet.

In one scenario, the subjects were presented with a situation where they could buy a digital camera at a low price but from a website with a heightened security risk.

41% chose to buy the camera, while 59% declined regardless of how much cheaper the camera was on the online store that carried the security risk.

Other findings of the study include:

  • Culture was an important factor in whether a participant was willing to trade off security for a reward. The Indian students accepted the reward at a higher rate than non-Indian students.
  • Students who had more security skills, like using software that detects spyware, or encryption in emails, were more likely to reject monetary rewards than those with no security skills. The participants who had more security skills had a higher perception of computer security risk. They were unwilling to accept a monetary reward because of the possibility that doing so could compromise their computer security. Training users in computer security could be the key to reducing cybersecurity risks.

Conclusion

The results of this study provide insights that companies can use in computer security risk management. While most participants (about 53%) avoided security risk regardless of the tradeoff, the 47% who accepted the security risk are a significant percentage in computer security terms. Given that risk perception seems to be a significant factor in whether users are willing to compromise their security for a reward, companies could benefit from computer security risk training.