Network

Security
Begins at
Home
Changing
Consumer
Behavior for i-
Safety< that
of part>

NOTICE:
Study in
Progress!

People Publications Project Summary Press

Principal Investigators

• Dr. Robert LaRose

• Dr. Nora Rifon
• Dr. Richard J. Enbody

Publications

 Rifon, N.J., LaRose,R.J. & Lewis, M.L. (2007). Resolving the Privacy Paradox:
Toward A Social-Cognitive Theory of Consumer Privacy Protection.

 Wirth, C.B, Rifon, N.J, LaRose, R.J. & Lewis, M.L. (2007). Promoting Teenage
Online Safety with an I-Safety Intervention: Enhancing Self-efficacy and Protective Behaviors.
  Lewis, M.L., LaRose, R.J., Rifon, N.J, & Wirth, C.B. (2007). Self-Efficacy
Manipulations in Protection Motivation Research: A Meta-Analysis.

 LaRose, R., Rifon, N., & Wirth, C. (2007). Online Safety Begins with You and Me:
Getting Internet Users to Protect Themselves. Paper presented at the 57th Annual
Conference of the International Communication Association.
 LaRose, R. & Rifon, N. (2007). Promoting i-Safety: Effects of Privacy Seals on Risk
Assessment and Online Privacy BehaviorThe Journal of Consumer Affairs, 41(1),
127-149.
 Ellison, N., LaRose, R., & Rifon, N. (2007). Organizational Netizenship: An
Employee Survey for the Accident Fund, Technical Report. East Lansing , Michigan :
Department of Telecommunication, Information Studies, and Media,
Michigan State University .
 LaRose, R., Rifon, N. & Enbody, R. (2006). Promoting Personal Responsibility for
Internet Safety. Communications of the ACM.
 Rifon, N.J. LaRose, R. & Choi, S.M. (2005). Your Privacy is Sealed: Effects of Web
Privacy Seals on Trust and Personal Disclosures. The Journal of Consumer Affairs,
39(2), 339-362.
 Rifon, N., Quilliam, E.T., & LaRose, R. (2005). Consumer Perceptions of Online
Safety. Paper presented at the 55th Annual Conference of the International
Communications Association. (Powerpoint).
 LaRose, R., Rifon, N., Liu, S. & Lee, Doohwang. (2005). Online Safety
Strategies: A Content Analysis and Theoretical Assessment. Paper presented at the
55th Annual Conference of the International Communication Association.
 LaRose, R., Rifon, N., Liu, S. & Lee, Doohwang. (2005). Understanding Online
Safety Behavior: A Multivariate Model. Paper presented at 55th Annual Conference
of the International communication Association.

Project Summary

Rationale

Continuing virus and worm attacks that spread through "holes" in popular
consumer software emphasize the role the online public must play in preserving
the safety and integrity of the Internet. To protect the network commons, more
users must engage in safe online behavior by such actions as controlling their
private information, updating software security patches, downloading protective
software, and filtering their email. While network security remains an abstract
notion to the general public, online consumers can understand the issue in terms
of their personal privacy behavior, actions that result in the undesired disclosure
of information and unwanted intrusions on their personal cyberspace. The project
extends online privacy research to develop a theoretical model of online safety
behavior, evaluates and tests that model in the context of current security
interventions, and develops and tests a consumer online safety tool. The term i-
Safety connotes information safety and also the role that all individuals play in
preserving it.

Plan of Work

The research extends and validates a model of the psychological and social
factors that motivate Internet users to act safely online, with the ultimate goal of
creating effective interventions that will encourage safe online behavior. That
includes avoidance of behavior that poses risks to consumers' privacy as well as
to the security of the network they all share and adoption of protective measures
that will assure individual privacy while protecting all Internet users. The model
synthesizes theories of human behavior and theories of consumer information
processing. Specifically, it examines the relationships among safety involvement,
knowledge of online safety hazards, the expected outcomes of safe and unsafe
online behavior, self-efficacy beliefs in one's abilities to avoid risk and to take
preventive actions, and social norms about online behavior, the performance of
both risky and preventive behavior, and the formation of safe online habits.
Phase 1 extends and validates a theoretical model of online safety behavior
through a national panel survey of 1000 Internet users using structural equation
modeling techniques. In Phase 2 panel members will participate in experimental
studies of the effects of online safety interventions on consumer information
processing and safety behavior. An online safety auditing application will be
developed to measure effectiveness. In Phase 3 the safety auditing application
will be expanded into a personalized safety assessment tool that will facilitate
personalized online safety instruction, and the effectiveness of the application will
be evaluated.

Expected Outcomes

Broader impacts will follow from the dissemination of the results of the first two
phases of the study to online security developers and from the release of the
personalized safety assessment tool to the public. Phase 1 will supply policy
makers with the first reliable and publicly available, national-level data about the
safety status of online consumers in the U.S. The proposed research will guide
the development of new network security tools that require user actions to
implement, evaluate the effectiveness of current approaches to encouraging safe
online behavior, and provide the online public with a tool with which to manage
and control their own risks while maximizing the collective security of the Internet.
The i-Safety model will be used by future developers of online safety protection
tools and public information campaigns to create and test effective interventions.

Findings to Date

Both in our qualitative and quantitative research two factors stand out as
important “pressure points” to motivate safe online behaviors such as
downloading and updating protections and patches. One is self-efficacy, or
consumers’ beliefs that they can successfully enact protective measures to
defend against hackers, viruses, and malware. The other is personal
responsibility, the belief that online safety is a shared responsibility for all, as
opposed to “not my job.”

• New users who are low in self efficacy present a special case. In our focus
groups they say they use avoidance strategies, staying away from Internet
sites that may attack their computers, instead of taking the time to learn
about methods to cope with them.
• In our college
student
population we
find something
of the opposite
case, reckless
users who are
aware of the
dangers, but
just don’t see it
as their
responsibility to
do anything to
protect
themselves or
others.
• In our
quantitative
research we
also find that
response
efficacy (i.e.,
the perceived
effectiveness of
protective
measures,
Resp Eff) and
habit strength
(i.e., making a
routine out of
security
updates) as
well as self
efficacy (Self
Eff), safety self-
identity (Safe
ID) and
reckless self
identity (Reck
ID), predict
safe behavior
(see
diagram). Note
that Reck ID is
a negative
 predictor.

• Surprisingly,
beliefs in one’s
susceptibility to
online dangers
is not directly
related to
intentions to
protect oneself.
Indeed, there is
a weak
curvilinear
relationship:
both high and
low levels of
susceptibility
are related to
safe behavior,
but
intermediate
levels of
susceptibility
diminish safety.

Reviewing the strategies used by nine well- known online safety education sites,
including those sponsored by Homeland Security, the Federal Trade
Commission, and the UK government, we find several opportunities for improving
communication with the public about online safety issues. The strategies used in
this analysis are drawn from a variety of theoretical paradigms that have been
used to analyze safety behavior including Protection Motivation Theory (PMT),
the Health Belief Model (HBM), Social Cognitive Theory (SCT), and the Theory of
Planned Behavior (TPB). In so doing, we draw an analogy between human
health and computer "health."
• There is an
over-reliance
on scare tactics
that highlight
susceptibility to
dangers such
as fraud and
identity theft.
They are an
element of all
consumer
education sites
but these can
backfire.
• Too little
attention is paid
to bolstering
self-efficacy.
Many sites do
not address it
at all, those that
do take a
superficial “you
can do it if you
try” approach.
Appeals to
personal
responsibility
also tend to be
mere slogans.
• The positive
outcomes that
follow from
online safety,
such as
improved
productivity and
reduced repair
costs, have
been
overlooked by
the existing
online
consumer
education
efforts.
 • It is important
to tailor
messages to
consumers,
taking into
account their
self-efficacy
and
involvement
with respect to
online safety
issues. One-
size-fits-all
communication
strategies may
not only be
ineffective but
counterproducti
ve.

National Telephone Survey

Network Security Begins at Home: Changing Consumer Behavior for i-Safety

National Science Foundation, Cyber Trust Award

Robert LaRose and Nora J. Rifon, Principal Investigators

Michigan State University Internet Safety Survey: Technical Report

Press

 MSU researchers confront the online safety menace (9/28/2004)

 Detroit Free Press: MIKE WENDLAND: Safe surfing starts with user, MSU experts say
(09/27/2004)

Acknowledgments

We gratefully acknowledge the support of the National Science Foundation's CyberTrust Program
(Grant number 88691-00). The opinions expressed are those of the authors. Our thanks to Missy
Lewis, Christina Wirth, Sunny Liu, Doohwang Lee and Elizabeth Quilliam, our research
assistants, and to Tom Wolf who makes our computer magic.