In an article published in Social Science Computer Review, four researchers conducted an analysis that found a significant relationship between people with lower self-control and higher rates of victimization via malware infection. The study was based on an online questionnaire on victimization, routine activities, and self-control among other issues, with responses by more than 5,000 individuals in a nationally representative sample of people from the Netherlands. The study measured low self-control by 12 items of dysfunctional impulsivity from a standardized impulsivity inventory that “assesses self-reported difficulty with the regulation of behavioral impulses” (e.g., “I often say and do things without considering the consequences”).
Based on the responses, the researchers found that “respondents with a lower self-control have a significantly higher average score on malware victimization,” and “were more likely to experience more symptoms of infection.” They also found that this relationship “was significant and remained in the presence of routine activity measures,” and that malware victimization “is a consequence of differences in individual routine activities which are individually shaped by individuals’ levels of self-control.” In contrast, they also found that “respondents who often check for viruses score significantly lower on malware victimization,” and that respondents’ use of a secured wireless connection “is associated with lower probabilities of infection.”
Note: This study should be of interest to corporate-compliance and information-security officers, as they review their intracorporate training courses and online reminders to employees and customers about malware risks. Such training and reminders are often framed in general, “one-size-fits-all” terms, to reach the broadest possible audience. But as the lead author of the study, Professor Thomas Holt of Michigan State University, has noted, “it is also essential to address the psychological side of messaging to those with low self-control and impulsive behaviors.”
To that end, information-security programs should consider expanding their training content and cybersecurity reminders to include more targeted messages for those with lower self-control. The messaging can be framed in nonjudgmental terms, but should call out the consequences of impulsivity – perhaps “Take your time before clicking on emails or attachments from senders you don’t recognize. People who click without thinking are more likely to trigger malware that can take over their computers or steal their personal data.”
Over the longer term, Professor Holt indicated that he “hopes to help break the silos between computer and social sciences to think holistically about fighting cybercrime.” “If we can identify risk factors,” he said, “we can work in tandem with technical fields to develop strategies that then reduce the risk factors for infection.” The study itself acknowledges that “[f]uture research is needed assessing the extent to which populations recognize and experience infections across devices and the risk patterns associated with infections by mobile and personal computing devices.” Such research deserves support from academia, government, and the corporate sector.