Do you bend or break?

Preventing online banking fraud victimization through online resilience

Jurjen Jansen

Research output: ThesisDoctoral ThesisInternal (IDIP)

42 Downloads (Pure)

Abstract

This doctoral thesis is about the human aspects of online banking safety andsecurity. Preparations for this thesis, part of The Dutch Research Program onSafety and Security of Online Banking, started when online banking fraud figures were relatively high in the Netherlands. In this thesis, online banking fraud is limited to phishing and malware attacks. This thesis investigated a specific partof the issue of how to reduce this type of fraud, namely the extent to which the safety and security of online banking can be improved from an end-userpers pective. Hence, it examined how the online resilience of end users can be enhanced; making them better able to protect themselves against onlinebanking fraud. Next to the practical goal of this thesis, it also aimed to contribute to scientific theory in the behavioural information security domain.This thesis starts with an introductory Chapter (1) in which the context of studyis described and the goal and research questions are highlighted. The empiricalpart of this thesis is divided into two smaller parts. In order to get acomprehensive overview of the human aspects of online banking safety andsecurity, it is important to study the threats as well as people-focussedsafeguards. Therefore, Part I (Chapters 2 to 5) deals with studies on end-users’perceptions of and victimization due to online banking fraud. Learning moreabout risk perceptions, how and why victimization takes place, victimcharacteristics and how victims recover from incidents may lead to moreknowledge on how to combat online banking fraud effectively. Part II of thisthesis (Chapters 6 to 9) consequently deals with studies on precautionary onlinebehaviour of end users and how that behaviour can be improved. Knowledge onthis subject may contribute to strengthening one of the most essential links inthe safety and security of online banking: the end user. The concluding Chapter(10) provides an answer to the central and main research questions and dealswith the theoretical and practical implications of the findings. The main researchquestions are:1: What are the perceptions of end users regarding the safety and security ofonline banking?2: How can online banking fraud victimization be explained from an end-userperspective?3: How can precautionary online behaviour of end users be explained andimproved?To answer these questions, several studies were conducted; these areelaborated in Part I and Part II of this thesis. The contents of the chapters areoutlined below.In Chapter 2, end-user risk perceptions of online bank fraud are studied.Secondary analysis of data based on a survey among 1,200 Dutch onlinebanking users shows that online banking fraud is not considered to be a majorrisk. End users perceive the potential impact of online banking fraud to besevere, but the chances of falling victim themselves to be slim. However, theyestimate the chances of others being victimized to be higher. Furthermore,online banking customers mainly come into contact with online banking fraudthrough media communications. Indirect victimization in the social environmentand direct victimization were less common. In addition, online banking users, ingeneral, have reasonable levels of trust in online banking. Finally, this chapterreveals – using partial least squares path modelling – that risk perceptions aremainly affected by the estimated chance of becoming a victim of online bankingfraud. The perceived impact of online banking fraud and the degree of trust inonline banking affected risk perception to some extent. Direct and indirectvictimization and demographic characteristics hardly affected risk perceptions.In Chapter 3, an analysis of 600 phishing and malware incidents obtained from aDutch bank is presented. The goal of this chapter is to shed light on thecircumstances in which bank customers are victimized in phishing and malwareattacks and how these attacks manifest in practice. This chapter shows that anessential step in the fraudulent process entails customers giving away theirpersonal information to fraudsters. Phishing victimization mainly occurred byresponding to a fraudulent e-mail, a fraudulent phone call or a combination ofthese. Malware victimization primarily occurred by responding to a maliciouspop-up and by installing a malicious application on a mobile device. Customerscooperated because the fraudulent messages were perceived to be professionaland trustworthy and because customers were not sufficiently suspicious of whatwas happening. The results suggest that victims have an unintended andsubconscious, but active role in the fraudulent process. An interesting finding isthat the victims did not always seem to trust the fraudster’s intentions, but werementally unable to stop the process. Reasons for this include not being aware ofhow fraudulent schemes manifest in practice, not being alert at the rightmoment and having insufficient knowledge of online banking procedures andprecautionary measures.Chapter 4 explores factors that may explain online banking fraud victimizationbased on interviews with 30 victims using the routine activity approach andprotection motivation theory as theoretical lenses. A qualitative approach was chosen because previous quantitative studies failed to identify such factors. Theinterview data were analysed using computer-assisted qualitative data analysissoftware. This chapter demonstrates that no specific factors from the routineactivity approach and protection motivation theory that increase the chance ofonline banking fraud victimization could be identified. Moreover, victims weredistributed across genders, age categories and levels of education. Ultimately,end-user attributes that lead to higher chances of being victimized throughonline banking fraud could not be identified. This suggests that everyone issusceptible to online banking fraud victimization to some degree.In order to find out whether victims adequately recover from phishing andmalware incidents, it is important to gain insight into its effects and impact onvictims first. However, there was not much literature available on the impact ofthese cybercrimes. This gap is addressed in Chapter 5, in which interview datafrom the above mentioned 30 victims are analysed again. Besides (initial)financial effects (most victims were reimbursed), victims also described variouskinds of psychological and emotional effects, such as feeling awful and stressed,and various kinds of secondary impact, such as time loss and not being treatedproperly during the handling of the incident. Furthermore, this chapterdemonstrates that the level of impact varies among victims, ranging from littleor no impact to severe impact. Moreover, while some victims were only affectedfor a few days, some felt the effects in the long term. The impact of thesefraudulent schemes on victims should therefore not be underestimated.In addition, the interview data provided insight into cognitive and behaviouralchange in order to cope with the incident. Cognitive strategies were mainlyconcerned with reducing psychological and emotional distress, and increasingonline resilience to future attacks. The main behavioural strategies that wereidentified are reporting the incident to the bank and the police and seekingsupport from the social environment. Furthermore, various other actions weretaken, such as enhancing the safety and security of devices and being moreattentive during online banking sessions. However, it was observed that some ofthese actions were only of limited duration. Some victims adopted avoidancebehaviours, such as making less use of online banking services. Victims whowere left with financial damages rationalized the incident, thereby minimizingvictimization for themselves. Chapter 5 concludes that the coping approach thatwas applied provides a useful framework to study the effects and impact ofcybercrime victimization and how victims recover from it.In Chapters 6 and 7, survey data on 1,200 Dutch online banking users areexamined and analysed using partial least squares path modelling. In Chapter 6,three social cognitive models are compared with respect to their ability to explain the intentions of precautionary online behaviour. The models are:protection motivation theory, the reasoned action approach and an integratedmodel comprising variables of these models. The three models were successfullyapplied to online banking. The individual models equally explain much of thevariance in precautionary online behaviour. In the integrated model, thesignificant predictors of the two models remained significant and the level ofexplained variance was highest. Precautionary online behaviour is largely drivenby response efficacy, self-efficacy and attitude towards that behaviour. Thischapter concludes that both protection motivation theory and the reasonedaction approach make a unique contribution in explaining variance forprecautionary online behavioural intention. The integrated model explained mostvariance in protection motivation, which means that integrating theoreticalperspectives from different domains is worthwhile. However, protectionmotivation theory is used as the main theoretical basis in the following chapters,because of its applicability to interventions.Chapter 7 builds on the preceding chapter and continues to study a model ofprecautionary behaviour in the domain of online banking. The aim was to gaininsight into factors that encourage customers to take measures to protectthemselves against online threats. The analyses that were conducted for thischapter provided support for most of the hypothesized relationships and showedthat the model explains high levels of variance for precautionary onlinebehaviour as well as for risk perception. Threat and coping appraisal successfullypredicted the protection motivation of online banking users; in particular,response efficacy and self-efficacy were the most important predictors for takingprecautions. Secondary predictors include locus of control, perceived severity(direct effect) and the negative predictor response costs. Finally, somedifferences in precautionary online behavioural intentions were observed basedon gender and level of education.In Chapter 8, insight is gained into what protective measures self-employedentrepreneurs take in order to protect themselves against online threats andwhat motivates them to do so. Information technology is becoming increasinglyimportant for entrepreneurs. Protecting their technical infrastructure and storeddata is, therefore, also growing in importance. Nevertheless, research into thesafety and security of entrepreneurs in general, and online threats targeted atentrepreneurs in particular, are still limited. Based on secondary analyses ondata collected from 1,622 Dutch entrepreneurs, it was observed that themajority implement technical and personal coping measures. Entrepreneurs arelikely to implement protective measures if they believe a measure is effective, ifthey are capable of using internet technology, if their attitude towardsinformation security is positive and if they believe they are responsible for their own online security. These findings are similar to those of private users outlinedin Chapters 6 and 7. Finally, some differences in precautionary online behaviourwere observed based on age and education level.Chapter 9 examines the impact of fear appeal messages on user cognitions,attitudes, behavioural attentions and precautionary behaviour regarding onlineinformation-sharing to protect against the threat of phishing attacks. A pre-testpost-test design was used in which 768 internet users filled out an onlinequestionnaire. Participants were grouped in one of three fear appeal conditions:strong-fear appeal, weak-fear appeal and control condition. Claims regardingvulnerability of phishing attacks and claims concerning response efficacy ofprotective online information-sharing behaviour were manipulated in the fearappeal messages. This chapter demonstrates positive effects of fear appeals onheightening end-users’ cognitions, attitudes and behavioural intentions.However, future studies are needed to determine how subsequent securitybehaviour can be promoted, as the effects on this crucial aspect were notdirectly observed. Nonetheless, fear appeals have great potential for promotingsecurity behaviour by making end users aware of threats and simultaneouslyproviding behavioural advice on how to mitigate these threats.All things considered, this thesis investigated online banking fraud victimizationand precautionary online behaviour. Specifically, human aspects were the focusof the present research. This thesis demonstrates that good security is inpeople’s heads. It seems easier, cheaper and more successful for criminals toattack end users using psychology rather than the technology surrounding onlinebanking. Hence, even the best security engineers cannot stop end users fromgiving away their security codes. Therefore, using psychology to defend againstonline banking attacks also makes sense. This is especially the case for attacksusing social engineering (phishing), but to some extent also for attacks usingtechnical engineering (malware). Considering the further digitization of oursociety and the increasing dependability on information systems, the case ismade that people have to ‘bend’ with these developments and become resilientwhen online. This is necessary to stop people from ‘breaking’ and potentiallybecoming victims of online banking fraud.While this thesis obtained information on how safety and security of onlinebanking can be improved from an end-user perspective, it should be noted thatend users will always be confronted with numerous potential threats. It isunrealistic to believe that people can protect themselves against all threats at alltimes. Therefore, we have to accept that bad things will continue to happenonline, but optimistically they can be kept to a minimum if end users are morevigilant about what they do online and are aware of how some people abuse the advantages that the internet offers. At the very least, the impact of theseattacks can be reduced. The following main recommendations from this thesismay be helpful:1: Continue to invest in security education, training and awareness campaignsconcerning threats aimed at online banking.2: Focus on underlying cognitive dimensions in security education, training andawareness campaigns, most notably on response efficacy and self-efficacy.3: Make clear that banks and customers are partners in keeping online bankingsafe and secure.4: Facilitate victims in their recovery process, primarily by providing feedback.5: Continue with research on the human aspects of online banking safety andsecurity.In conclusion, security education, training and awareness remain an importantpriority, especially for combatting social risks. It is very important to promoteonline resilience. The research indicates that in order to strengthen the role ofcustomers in the safety and security of online banking, threat appraisals as wellas coping appraisals should be improved. If customers or end users believe thatprotective measures make a difference (response efficacy) and if they are ableto perform these measures (self-efficacy), it is likely that end users will adoptprecautionary behaviour and become a strong link in the information securitychain. Proper information security practices should become part of our generalskill set as people in this day and age. However, it should not be forgotten thatsafety and security is something that should be worked on together, with allparties involved. And when things do go wrong, we need to help one another torecover from it. All in all, an important requirement for a safer and more secureinternet is that the human factor takes a central place in information security.
Original languageEnglish
QualificationPhD
Awarding Institution
  • Open University of the Netherlands
Supervisors/Advisors
  • Stol, Wouter, Supervisor
  • Kop, N., Co-supervisor, External person
Thesis sponsors
Award date8 Jun 2018
Place of PublicationHeerlen
Publisher
Print ISBNs978-94-6233-960-6
Publication statusPublished - 22 Jun 2018

Fingerprint

fraud
banking
victimization
resilience
threat
incident
customer
motivation theory
appeal
anxiety
bank
entrepreneur
coping
self-efficacy
Internet
level of education

Cite this

@phdthesis{66e812969ea7430f91953645985014ec,
title = "Do you bend or break?: Preventing online banking fraud victimization through online resilience",
abstract = "This doctoral thesis is about the human aspects of online banking safety andsecurity. Preparations for this thesis, part of The Dutch Research Program onSafety and Security of Online Banking, started when online banking fraud figures were relatively high in the Netherlands. In this thesis, online banking fraud is limited to phishing and malware attacks. This thesis investigated a specific partof the issue of how to reduce this type of fraud, namely the extent to which the safety and security of online banking can be improved from an end-userpers pective. Hence, it examined how the online resilience of end users can be enhanced; making them better able to protect themselves against onlinebanking fraud. Next to the practical goal of this thesis, it also aimed to contribute to scientific theory in the behavioural information security domain.This thesis starts with an introductory Chapter (1) in which the context of studyis described and the goal and research questions are highlighted. The empiricalpart of this thesis is divided into two smaller parts. In order to get acomprehensive overview of the human aspects of online banking safety andsecurity, it is important to study the threats as well as people-focussedsafeguards. Therefore, Part I (Chapters 2 to 5) deals with studies on end-users’perceptions of and victimization due to online banking fraud. Learning moreabout risk perceptions, how and why victimization takes place, victimcharacteristics and how victims recover from incidents may lead to moreknowledge on how to combat online banking fraud effectively. Part II of thisthesis (Chapters 6 to 9) consequently deals with studies on precautionary onlinebehaviour of end users and how that behaviour can be improved. Knowledge onthis subject may contribute to strengthening one of the most essential links inthe safety and security of online banking: the end user. The concluding Chapter(10) provides an answer to the central and main research questions and dealswith the theoretical and practical implications of the findings. The main researchquestions are:1: What are the perceptions of end users regarding the safety and security ofonline banking?2: How can online banking fraud victimization be explained from an end-userperspective?3: How can precautionary online behaviour of end users be explained andimproved?To answer these questions, several studies were conducted; these areelaborated in Part I and Part II of this thesis. The contents of the chapters areoutlined below.In Chapter 2, end-user risk perceptions of online bank fraud are studied.Secondary analysis of data based on a survey among 1,200 Dutch onlinebanking users shows that online banking fraud is not considered to be a majorrisk. End users perceive the potential impact of online banking fraud to besevere, but the chances of falling victim themselves to be slim. However, theyestimate the chances of others being victimized to be higher. Furthermore,online banking customers mainly come into contact with online banking fraudthrough media communications. Indirect victimization in the social environmentand direct victimization were less common. In addition, online banking users, ingeneral, have reasonable levels of trust in online banking. Finally, this chapterreveals – using partial least squares path modelling – that risk perceptions aremainly affected by the estimated chance of becoming a victim of online bankingfraud. The perceived impact of online banking fraud and the degree of trust inonline banking affected risk perception to some extent. Direct and indirectvictimization and demographic characteristics hardly affected risk perceptions.In Chapter 3, an analysis of 600 phishing and malware incidents obtained from aDutch bank is presented. The goal of this chapter is to shed light on thecircumstances in which bank customers are victimized in phishing and malwareattacks and how these attacks manifest in practice. This chapter shows that anessential step in the fraudulent process entails customers giving away theirpersonal information to fraudsters. Phishing victimization mainly occurred byresponding to a fraudulent e-mail, a fraudulent phone call or a combination ofthese. Malware victimization primarily occurred by responding to a maliciouspop-up and by installing a malicious application on a mobile device. Customerscooperated because the fraudulent messages were perceived to be professionaland trustworthy and because customers were not sufficiently suspicious of whatwas happening. The results suggest that victims have an unintended andsubconscious, but active role in the fraudulent process. An interesting finding isthat the victims did not always seem to trust the fraudster’s intentions, but werementally unable to stop the process. Reasons for this include not being aware ofhow fraudulent schemes manifest in practice, not being alert at the rightmoment and having insufficient knowledge of online banking procedures andprecautionary measures.Chapter 4 explores factors that may explain online banking fraud victimizationbased on interviews with 30 victims using the routine activity approach andprotection motivation theory as theoretical lenses. A qualitative approach was chosen because previous quantitative studies failed to identify such factors. Theinterview data were analysed using computer-assisted qualitative data analysissoftware. This chapter demonstrates that no specific factors from the routineactivity approach and protection motivation theory that increase the chance ofonline banking fraud victimization could be identified. Moreover, victims weredistributed across genders, age categories and levels of education. Ultimately,end-user attributes that lead to higher chances of being victimized throughonline banking fraud could not be identified. This suggests that everyone issusceptible to online banking fraud victimization to some degree.In order to find out whether victims adequately recover from phishing andmalware incidents, it is important to gain insight into its effects and impact onvictims first. However, there was not much literature available on the impact ofthese cybercrimes. This gap is addressed in Chapter 5, in which interview datafrom the above mentioned 30 victims are analysed again. Besides (initial)financial effects (most victims were reimbursed), victims also described variouskinds of psychological and emotional effects, such as feeling awful and stressed,and various kinds of secondary impact, such as time loss and not being treatedproperly during the handling of the incident. Furthermore, this chapterdemonstrates that the level of impact varies among victims, ranging from littleor no impact to severe impact. Moreover, while some victims were only affectedfor a few days, some felt the effects in the long term. The impact of thesefraudulent schemes on victims should therefore not be underestimated.In addition, the interview data provided insight into cognitive and behaviouralchange in order to cope with the incident. Cognitive strategies were mainlyconcerned with reducing psychological and emotional distress, and increasingonline resilience to future attacks. The main behavioural strategies that wereidentified are reporting the incident to the bank and the police and seekingsupport from the social environment. Furthermore, various other actions weretaken, such as enhancing the safety and security of devices and being moreattentive during online banking sessions. However, it was observed that some ofthese actions were only of limited duration. Some victims adopted avoidancebehaviours, such as making less use of online banking services. Victims whowere left with financial damages rationalized the incident, thereby minimizingvictimization for themselves. Chapter 5 concludes that the coping approach thatwas applied provides a useful framework to study the effects and impact ofcybercrime victimization and how victims recover from it.In Chapters 6 and 7, survey data on 1,200 Dutch online banking users areexamined and analysed using partial least squares path modelling. In Chapter 6,three social cognitive models are compared with respect to their ability to explain the intentions of precautionary online behaviour. The models are:protection motivation theory, the reasoned action approach and an integratedmodel comprising variables of these models. The three models were successfullyapplied to online banking. The individual models equally explain much of thevariance in precautionary online behaviour. In the integrated model, thesignificant predictors of the two models remained significant and the level ofexplained variance was highest. Precautionary online behaviour is largely drivenby response efficacy, self-efficacy and attitude towards that behaviour. Thischapter concludes that both protection motivation theory and the reasonedaction approach make a unique contribution in explaining variance forprecautionary online behavioural intention. The integrated model explained mostvariance in protection motivation, which means that integrating theoreticalperspectives from different domains is worthwhile. However, protectionmotivation theory is used as the main theoretical basis in the following chapters,because of its applicability to interventions.Chapter 7 builds on the preceding chapter and continues to study a model ofprecautionary behaviour in the domain of online banking. The aim was to gaininsight into factors that encourage customers to take measures to protectthemselves against online threats. The analyses that were conducted for thischapter provided support for most of the hypothesized relationships and showedthat the model explains high levels of variance for precautionary onlinebehaviour as well as for risk perception. Threat and coping appraisal successfullypredicted the protection motivation of online banking users; in particular,response efficacy and self-efficacy were the most important predictors for takingprecautions. Secondary predictors include locus of control, perceived severity(direct effect) and the negative predictor response costs. Finally, somedifferences in precautionary online behavioural intentions were observed basedon gender and level of education.In Chapter 8, insight is gained into what protective measures self-employedentrepreneurs take in order to protect themselves against online threats andwhat motivates them to do so. Information technology is becoming increasinglyimportant for entrepreneurs. Protecting their technical infrastructure and storeddata is, therefore, also growing in importance. Nevertheless, research into thesafety and security of entrepreneurs in general, and online threats targeted atentrepreneurs in particular, are still limited. Based on secondary analyses ondata collected from 1,622 Dutch entrepreneurs, it was observed that themajority implement technical and personal coping measures. Entrepreneurs arelikely to implement protective measures if they believe a measure is effective, ifthey are capable of using internet technology, if their attitude towardsinformation security is positive and if they believe they are responsible for their own online security. These findings are similar to those of private users outlinedin Chapters 6 and 7. Finally, some differences in precautionary online behaviourwere observed based on age and education level.Chapter 9 examines the impact of fear appeal messages on user cognitions,attitudes, behavioural attentions and precautionary behaviour regarding onlineinformation-sharing to protect against the threat of phishing attacks. A pre-testpost-test design was used in which 768 internet users filled out an onlinequestionnaire. Participants were grouped in one of three fear appeal conditions:strong-fear appeal, weak-fear appeal and control condition. Claims regardingvulnerability of phishing attacks and claims concerning response efficacy ofprotective online information-sharing behaviour were manipulated in the fearappeal messages. This chapter demonstrates positive effects of fear appeals onheightening end-users’ cognitions, attitudes and behavioural intentions.However, future studies are needed to determine how subsequent securitybehaviour can be promoted, as the effects on this crucial aspect were notdirectly observed. Nonetheless, fear appeals have great potential for promotingsecurity behaviour by making end users aware of threats and simultaneouslyproviding behavioural advice on how to mitigate these threats.All things considered, this thesis investigated online banking fraud victimizationand precautionary online behaviour. Specifically, human aspects were the focusof the present research. This thesis demonstrates that good security is inpeople’s heads. It seems easier, cheaper and more successful for criminals toattack end users using psychology rather than the technology surrounding onlinebanking. Hence, even the best security engineers cannot stop end users fromgiving away their security codes. Therefore, using psychology to defend againstonline banking attacks also makes sense. This is especially the case for attacksusing social engineering (phishing), but to some extent also for attacks usingtechnical engineering (malware). Considering the further digitization of oursociety and the increasing dependability on information systems, the case ismade that people have to ‘bend’ with these developments and become resilientwhen online. This is necessary to stop people from ‘breaking’ and potentiallybecoming victims of online banking fraud.While this thesis obtained information on how safety and security of onlinebanking can be improved from an end-user perspective, it should be noted thatend users will always be confronted with numerous potential threats. It isunrealistic to believe that people can protect themselves against all threats at alltimes. Therefore, we have to accept that bad things will continue to happenonline, but optimistically they can be kept to a minimum if end users are morevigilant about what they do online and are aware of how some people abuse the advantages that the internet offers. At the very least, the impact of theseattacks can be reduced. The following main recommendations from this thesismay be helpful:1: Continue to invest in security education, training and awareness campaignsconcerning threats aimed at online banking.2: Focus on underlying cognitive dimensions in security education, training andawareness campaigns, most notably on response efficacy and self-efficacy.3: Make clear that banks and customers are partners in keeping online bankingsafe and secure.4: Facilitate victims in their recovery process, primarily by providing feedback.5: Continue with research on the human aspects of online banking safety andsecurity.In conclusion, security education, training and awareness remain an importantpriority, especially for combatting social risks. It is very important to promoteonline resilience. The research indicates that in order to strengthen the role ofcustomers in the safety and security of online banking, threat appraisals as wellas coping appraisals should be improved. If customers or end users believe thatprotective measures make a difference (response efficacy) and if they are ableto perform these measures (self-efficacy), it is likely that end users will adoptprecautionary behaviour and become a strong link in the information securitychain. Proper information security practices should become part of our generalskill set as people in this day and age. However, it should not be forgotten thatsafety and security is something that should be worked on together, with allparties involved. And when things do go wrong, we need to help one another torecover from it. All in all, an important requirement for a safer and more secureinternet is that the human factor takes a central place in information security.",
author = "Jurjen Jansen",
year = "2018",
month = "6",
day = "22",
language = "English",
isbn = "978-94-6233-960-6",
publisher = "Open Universiteit",
school = "Open University of the Netherlands",

}

Jansen, J 2018, 'Do you bend or break? Preventing online banking fraud victimization through online resilience', PhD, Open University of the Netherlands, Heerlen.

Do you bend or break? Preventing online banking fraud victimization through online resilience. / Jansen, Jurjen.

Heerlen : Open Universiteit, 2018. 296 p.

Research output: ThesisDoctoral ThesisInternal (IDIP)

TY - THES

T1 - Do you bend or break?

T2 - Preventing online banking fraud victimization through online resilience

AU - Jansen, Jurjen

PY - 2018/6/22

Y1 - 2018/6/22

N2 - This doctoral thesis is about the human aspects of online banking safety andsecurity. Preparations for this thesis, part of The Dutch Research Program onSafety and Security of Online Banking, started when online banking fraud figures were relatively high in the Netherlands. In this thesis, online banking fraud is limited to phishing and malware attacks. This thesis investigated a specific partof the issue of how to reduce this type of fraud, namely the extent to which the safety and security of online banking can be improved from an end-userpers pective. Hence, it examined how the online resilience of end users can be enhanced; making them better able to protect themselves against onlinebanking fraud. Next to the practical goal of this thesis, it also aimed to contribute to scientific theory in the behavioural information security domain.This thesis starts with an introductory Chapter (1) in which the context of studyis described and the goal and research questions are highlighted. The empiricalpart of this thesis is divided into two smaller parts. In order to get acomprehensive overview of the human aspects of online banking safety andsecurity, it is important to study the threats as well as people-focussedsafeguards. Therefore, Part I (Chapters 2 to 5) deals with studies on end-users’perceptions of and victimization due to online banking fraud. Learning moreabout risk perceptions, how and why victimization takes place, victimcharacteristics and how victims recover from incidents may lead to moreknowledge on how to combat online banking fraud effectively. Part II of thisthesis (Chapters 6 to 9) consequently deals with studies on precautionary onlinebehaviour of end users and how that behaviour can be improved. Knowledge onthis subject may contribute to strengthening one of the most essential links inthe safety and security of online banking: the end user. The concluding Chapter(10) provides an answer to the central and main research questions and dealswith the theoretical and practical implications of the findings. The main researchquestions are:1: What are the perceptions of end users regarding the safety and security ofonline banking?2: How can online banking fraud victimization be explained from an end-userperspective?3: How can precautionary online behaviour of end users be explained andimproved?To answer these questions, several studies were conducted; these areelaborated in Part I and Part II of this thesis. The contents of the chapters areoutlined below.In Chapter 2, end-user risk perceptions of online bank fraud are studied.Secondary analysis of data based on a survey among 1,200 Dutch onlinebanking users shows that online banking fraud is not considered to be a majorrisk. End users perceive the potential impact of online banking fraud to besevere, but the chances of falling victim themselves to be slim. However, theyestimate the chances of others being victimized to be higher. Furthermore,online banking customers mainly come into contact with online banking fraudthrough media communications. Indirect victimization in the social environmentand direct victimization were less common. In addition, online banking users, ingeneral, have reasonable levels of trust in online banking. Finally, this chapterreveals – using partial least squares path modelling – that risk perceptions aremainly affected by the estimated chance of becoming a victim of online bankingfraud. The perceived impact of online banking fraud and the degree of trust inonline banking affected risk perception to some extent. Direct and indirectvictimization and demographic characteristics hardly affected risk perceptions.In Chapter 3, an analysis of 600 phishing and malware incidents obtained from aDutch bank is presented. The goal of this chapter is to shed light on thecircumstances in which bank customers are victimized in phishing and malwareattacks and how these attacks manifest in practice. This chapter shows that anessential step in the fraudulent process entails customers giving away theirpersonal information to fraudsters. Phishing victimization mainly occurred byresponding to a fraudulent e-mail, a fraudulent phone call or a combination ofthese. Malware victimization primarily occurred by responding to a maliciouspop-up and by installing a malicious application on a mobile device. Customerscooperated because the fraudulent messages were perceived to be professionaland trustworthy and because customers were not sufficiently suspicious of whatwas happening. The results suggest that victims have an unintended andsubconscious, but active role in the fraudulent process. An interesting finding isthat the victims did not always seem to trust the fraudster’s intentions, but werementally unable to stop the process. Reasons for this include not being aware ofhow fraudulent schemes manifest in practice, not being alert at the rightmoment and having insufficient knowledge of online banking procedures andprecautionary measures.Chapter 4 explores factors that may explain online banking fraud victimizationbased on interviews with 30 victims using the routine activity approach andprotection motivation theory as theoretical lenses. A qualitative approach was chosen because previous quantitative studies failed to identify such factors. Theinterview data were analysed using computer-assisted qualitative data analysissoftware. This chapter demonstrates that no specific factors from the routineactivity approach and protection motivation theory that increase the chance ofonline banking fraud victimization could be identified. Moreover, victims weredistributed across genders, age categories and levels of education. Ultimately,end-user attributes that lead to higher chances of being victimized throughonline banking fraud could not be identified. This suggests that everyone issusceptible to online banking fraud victimization to some degree.In order to find out whether victims adequately recover from phishing andmalware incidents, it is important to gain insight into its effects and impact onvictims first. However, there was not much literature available on the impact ofthese cybercrimes. This gap is addressed in Chapter 5, in which interview datafrom the above mentioned 30 victims are analysed again. Besides (initial)financial effects (most victims were reimbursed), victims also described variouskinds of psychological and emotional effects, such as feeling awful and stressed,and various kinds of secondary impact, such as time loss and not being treatedproperly during the handling of the incident. Furthermore, this chapterdemonstrates that the level of impact varies among victims, ranging from littleor no impact to severe impact. Moreover, while some victims were only affectedfor a few days, some felt the effects in the long term. The impact of thesefraudulent schemes on victims should therefore not be underestimated.In addition, the interview data provided insight into cognitive and behaviouralchange in order to cope with the incident. Cognitive strategies were mainlyconcerned with reducing psychological and emotional distress, and increasingonline resilience to future attacks. The main behavioural strategies that wereidentified are reporting the incident to the bank and the police and seekingsupport from the social environment. Furthermore, various other actions weretaken, such as enhancing the safety and security of devices and being moreattentive during online banking sessions. However, it was observed that some ofthese actions were only of limited duration. Some victims adopted avoidancebehaviours, such as making less use of online banking services. Victims whowere left with financial damages rationalized the incident, thereby minimizingvictimization for themselves. Chapter 5 concludes that the coping approach thatwas applied provides a useful framework to study the effects and impact ofcybercrime victimization and how victims recover from it.In Chapters 6 and 7, survey data on 1,200 Dutch online banking users areexamined and analysed using partial least squares path modelling. In Chapter 6,three social cognitive models are compared with respect to their ability to explain the intentions of precautionary online behaviour. The models are:protection motivation theory, the reasoned action approach and an integratedmodel comprising variables of these models. The three models were successfullyapplied to online banking. The individual models equally explain much of thevariance in precautionary online behaviour. In the integrated model, thesignificant predictors of the two models remained significant and the level ofexplained variance was highest. Precautionary online behaviour is largely drivenby response efficacy, self-efficacy and attitude towards that behaviour. Thischapter concludes that both protection motivation theory and the reasonedaction approach make a unique contribution in explaining variance forprecautionary online behavioural intention. The integrated model explained mostvariance in protection motivation, which means that integrating theoreticalperspectives from different domains is worthwhile. However, protectionmotivation theory is used as the main theoretical basis in the following chapters,because of its applicability to interventions.Chapter 7 builds on the preceding chapter and continues to study a model ofprecautionary behaviour in the domain of online banking. The aim was to gaininsight into factors that encourage customers to take measures to protectthemselves against online threats. The analyses that were conducted for thischapter provided support for most of the hypothesized relationships and showedthat the model explains high levels of variance for precautionary onlinebehaviour as well as for risk perception. Threat and coping appraisal successfullypredicted the protection motivation of online banking users; in particular,response efficacy and self-efficacy were the most important predictors for takingprecautions. Secondary predictors include locus of control, perceived severity(direct effect) and the negative predictor response costs. Finally, somedifferences in precautionary online behavioural intentions were observed basedon gender and level of education.In Chapter 8, insight is gained into what protective measures self-employedentrepreneurs take in order to protect themselves against online threats andwhat motivates them to do so. Information technology is becoming increasinglyimportant for entrepreneurs. Protecting their technical infrastructure and storeddata is, therefore, also growing in importance. Nevertheless, research into thesafety and security of entrepreneurs in general, and online threats targeted atentrepreneurs in particular, are still limited. Based on secondary analyses ondata collected from 1,622 Dutch entrepreneurs, it was observed that themajority implement technical and personal coping measures. Entrepreneurs arelikely to implement protective measures if they believe a measure is effective, ifthey are capable of using internet technology, if their attitude towardsinformation security is positive and if they believe they are responsible for their own online security. These findings are similar to those of private users outlinedin Chapters 6 and 7. Finally, some differences in precautionary online behaviourwere observed based on age and education level.Chapter 9 examines the impact of fear appeal messages on user cognitions,attitudes, behavioural attentions and precautionary behaviour regarding onlineinformation-sharing to protect against the threat of phishing attacks. A pre-testpost-test design was used in which 768 internet users filled out an onlinequestionnaire. Participants were grouped in one of three fear appeal conditions:strong-fear appeal, weak-fear appeal and control condition. Claims regardingvulnerability of phishing attacks and claims concerning response efficacy ofprotective online information-sharing behaviour were manipulated in the fearappeal messages. This chapter demonstrates positive effects of fear appeals onheightening end-users’ cognitions, attitudes and behavioural intentions.However, future studies are needed to determine how subsequent securitybehaviour can be promoted, as the effects on this crucial aspect were notdirectly observed. Nonetheless, fear appeals have great potential for promotingsecurity behaviour by making end users aware of threats and simultaneouslyproviding behavioural advice on how to mitigate these threats.All things considered, this thesis investigated online banking fraud victimizationand precautionary online behaviour. Specifically, human aspects were the focusof the present research. This thesis demonstrates that good security is inpeople’s heads. It seems easier, cheaper and more successful for criminals toattack end users using psychology rather than the technology surrounding onlinebanking. Hence, even the best security engineers cannot stop end users fromgiving away their security codes. Therefore, using psychology to defend againstonline banking attacks also makes sense. This is especially the case for attacksusing social engineering (phishing), but to some extent also for attacks usingtechnical engineering (malware). Considering the further digitization of oursociety and the increasing dependability on information systems, the case ismade that people have to ‘bend’ with these developments and become resilientwhen online. This is necessary to stop people from ‘breaking’ and potentiallybecoming victims of online banking fraud.While this thesis obtained information on how safety and security of onlinebanking can be improved from an end-user perspective, it should be noted thatend users will always be confronted with numerous potential threats. It isunrealistic to believe that people can protect themselves against all threats at alltimes. Therefore, we have to accept that bad things will continue to happenonline, but optimistically they can be kept to a minimum if end users are morevigilant about what they do online and are aware of how some people abuse the advantages that the internet offers. At the very least, the impact of theseattacks can be reduced. The following main recommendations from this thesismay be helpful:1: Continue to invest in security education, training and awareness campaignsconcerning threats aimed at online banking.2: Focus on underlying cognitive dimensions in security education, training andawareness campaigns, most notably on response efficacy and self-efficacy.3: Make clear that banks and customers are partners in keeping online bankingsafe and secure.4: Facilitate victims in their recovery process, primarily by providing feedback.5: Continue with research on the human aspects of online banking safety andsecurity.In conclusion, security education, training and awareness remain an importantpriority, especially for combatting social risks. It is very important to promoteonline resilience. The research indicates that in order to strengthen the role ofcustomers in the safety and security of online banking, threat appraisals as wellas coping appraisals should be improved. If customers or end users believe thatprotective measures make a difference (response efficacy) and if they are ableto perform these measures (self-efficacy), it is likely that end users will adoptprecautionary behaviour and become a strong link in the information securitychain. Proper information security practices should become part of our generalskill set as people in this day and age. However, it should not be forgotten thatsafety and security is something that should be worked on together, with allparties involved. And when things do go wrong, we need to help one another torecover from it. All in all, an important requirement for a safer and more secureinternet is that the human factor takes a central place in information security.

AB - This doctoral thesis is about the human aspects of online banking safety andsecurity. Preparations for this thesis, part of The Dutch Research Program onSafety and Security of Online Banking, started when online banking fraud figures were relatively high in the Netherlands. In this thesis, online banking fraud is limited to phishing and malware attacks. This thesis investigated a specific partof the issue of how to reduce this type of fraud, namely the extent to which the safety and security of online banking can be improved from an end-userpers pective. Hence, it examined how the online resilience of end users can be enhanced; making them better able to protect themselves against onlinebanking fraud. Next to the practical goal of this thesis, it also aimed to contribute to scientific theory in the behavioural information security domain.This thesis starts with an introductory Chapter (1) in which the context of studyis described and the goal and research questions are highlighted. The empiricalpart of this thesis is divided into two smaller parts. In order to get acomprehensive overview of the human aspects of online banking safety andsecurity, it is important to study the threats as well as people-focussedsafeguards. Therefore, Part I (Chapters 2 to 5) deals with studies on end-users’perceptions of and victimization due to online banking fraud. Learning moreabout risk perceptions, how and why victimization takes place, victimcharacteristics and how victims recover from incidents may lead to moreknowledge on how to combat online banking fraud effectively. Part II of thisthesis (Chapters 6 to 9) consequently deals with studies on precautionary onlinebehaviour of end users and how that behaviour can be improved. Knowledge onthis subject may contribute to strengthening one of the most essential links inthe safety and security of online banking: the end user. The concluding Chapter(10) provides an answer to the central and main research questions and dealswith the theoretical and practical implications of the findings. The main researchquestions are:1: What are the perceptions of end users regarding the safety and security ofonline banking?2: How can online banking fraud victimization be explained from an end-userperspective?3: How can precautionary online behaviour of end users be explained andimproved?To answer these questions, several studies were conducted; these areelaborated in Part I and Part II of this thesis. The contents of the chapters areoutlined below.In Chapter 2, end-user risk perceptions of online bank fraud are studied.Secondary analysis of data based on a survey among 1,200 Dutch onlinebanking users shows that online banking fraud is not considered to be a majorrisk. End users perceive the potential impact of online banking fraud to besevere, but the chances of falling victim themselves to be slim. However, theyestimate the chances of others being victimized to be higher. Furthermore,online banking customers mainly come into contact with online banking fraudthrough media communications. Indirect victimization in the social environmentand direct victimization were less common. In addition, online banking users, ingeneral, have reasonable levels of trust in online banking. Finally, this chapterreveals – using partial least squares path modelling – that risk perceptions aremainly affected by the estimated chance of becoming a victim of online bankingfraud. The perceived impact of online banking fraud and the degree of trust inonline banking affected risk perception to some extent. Direct and indirectvictimization and demographic characteristics hardly affected risk perceptions.In Chapter 3, an analysis of 600 phishing and malware incidents obtained from aDutch bank is presented. The goal of this chapter is to shed light on thecircumstances in which bank customers are victimized in phishing and malwareattacks and how these attacks manifest in practice. This chapter shows that anessential step in the fraudulent process entails customers giving away theirpersonal information to fraudsters. Phishing victimization mainly occurred byresponding to a fraudulent e-mail, a fraudulent phone call or a combination ofthese. Malware victimization primarily occurred by responding to a maliciouspop-up and by installing a malicious application on a mobile device. Customerscooperated because the fraudulent messages were perceived to be professionaland trustworthy and because customers were not sufficiently suspicious of whatwas happening. The results suggest that victims have an unintended andsubconscious, but active role in the fraudulent process. An interesting finding isthat the victims did not always seem to trust the fraudster’s intentions, but werementally unable to stop the process. Reasons for this include not being aware ofhow fraudulent schemes manifest in practice, not being alert at the rightmoment and having insufficient knowledge of online banking procedures andprecautionary measures.Chapter 4 explores factors that may explain online banking fraud victimizationbased on interviews with 30 victims using the routine activity approach andprotection motivation theory as theoretical lenses. A qualitative approach was chosen because previous quantitative studies failed to identify such factors. Theinterview data were analysed using computer-assisted qualitative data analysissoftware. This chapter demonstrates that no specific factors from the routineactivity approach and protection motivation theory that increase the chance ofonline banking fraud victimization could be identified. Moreover, victims weredistributed across genders, age categories and levels of education. Ultimately,end-user attributes that lead to higher chances of being victimized throughonline banking fraud could not be identified. This suggests that everyone issusceptible to online banking fraud victimization to some degree.In order to find out whether victims adequately recover from phishing andmalware incidents, it is important to gain insight into its effects and impact onvictims first. However, there was not much literature available on the impact ofthese cybercrimes. This gap is addressed in Chapter 5, in which interview datafrom the above mentioned 30 victims are analysed again. Besides (initial)financial effects (most victims were reimbursed), victims also described variouskinds of psychological and emotional effects, such as feeling awful and stressed,and various kinds of secondary impact, such as time loss and not being treatedproperly during the handling of the incident. Furthermore, this chapterdemonstrates that the level of impact varies among victims, ranging from littleor no impact to severe impact. Moreover, while some victims were only affectedfor a few days, some felt the effects in the long term. The impact of thesefraudulent schemes on victims should therefore not be underestimated.In addition, the interview data provided insight into cognitive and behaviouralchange in order to cope with the incident. Cognitive strategies were mainlyconcerned with reducing psychological and emotional distress, and increasingonline resilience to future attacks. The main behavioural strategies that wereidentified are reporting the incident to the bank and the police and seekingsupport from the social environment. Furthermore, various other actions weretaken, such as enhancing the safety and security of devices and being moreattentive during online banking sessions. However, it was observed that some ofthese actions were only of limited duration. Some victims adopted avoidancebehaviours, such as making less use of online banking services. Victims whowere left with financial damages rationalized the incident, thereby minimizingvictimization for themselves. Chapter 5 concludes that the coping approach thatwas applied provides a useful framework to study the effects and impact ofcybercrime victimization and how victims recover from it.In Chapters 6 and 7, survey data on 1,200 Dutch online banking users areexamined and analysed using partial least squares path modelling. In Chapter 6,three social cognitive models are compared with respect to their ability to explain the intentions of precautionary online behaviour. The models are:protection motivation theory, the reasoned action approach and an integratedmodel comprising variables of these models. The three models were successfullyapplied to online banking. The individual models equally explain much of thevariance in precautionary online behaviour. In the integrated model, thesignificant predictors of the two models remained significant and the level ofexplained variance was highest. Precautionary online behaviour is largely drivenby response efficacy, self-efficacy and attitude towards that behaviour. Thischapter concludes that both protection motivation theory and the reasonedaction approach make a unique contribution in explaining variance forprecautionary online behavioural intention. The integrated model explained mostvariance in protection motivation, which means that integrating theoreticalperspectives from different domains is worthwhile. However, protectionmotivation theory is used as the main theoretical basis in the following chapters,because of its applicability to interventions.Chapter 7 builds on the preceding chapter and continues to study a model ofprecautionary behaviour in the domain of online banking. The aim was to gaininsight into factors that encourage customers to take measures to protectthemselves against online threats. The analyses that were conducted for thischapter provided support for most of the hypothesized relationships and showedthat the model explains high levels of variance for precautionary onlinebehaviour as well as for risk perception. Threat and coping appraisal successfullypredicted the protection motivation of online banking users; in particular,response efficacy and self-efficacy were the most important predictors for takingprecautions. Secondary predictors include locus of control, perceived severity(direct effect) and the negative predictor response costs. Finally, somedifferences in precautionary online behavioural intentions were observed basedon gender and level of education.In Chapter 8, insight is gained into what protective measures self-employedentrepreneurs take in order to protect themselves against online threats andwhat motivates them to do so. Information technology is becoming increasinglyimportant for entrepreneurs. Protecting their technical infrastructure and storeddata is, therefore, also growing in importance. Nevertheless, research into thesafety and security of entrepreneurs in general, and online threats targeted atentrepreneurs in particular, are still limited. Based on secondary analyses ondata collected from 1,622 Dutch entrepreneurs, it was observed that themajority implement technical and personal coping measures. Entrepreneurs arelikely to implement protective measures if they believe a measure is effective, ifthey are capable of using internet technology, if their attitude towardsinformation security is positive and if they believe they are responsible for their own online security. These findings are similar to those of private users outlinedin Chapters 6 and 7. Finally, some differences in precautionary online behaviourwere observed based on age and education level.Chapter 9 examines the impact of fear appeal messages on user cognitions,attitudes, behavioural attentions and precautionary behaviour regarding onlineinformation-sharing to protect against the threat of phishing attacks. A pre-testpost-test design was used in which 768 internet users filled out an onlinequestionnaire. Participants were grouped in one of three fear appeal conditions:strong-fear appeal, weak-fear appeal and control condition. Claims regardingvulnerability of phishing attacks and claims concerning response efficacy ofprotective online information-sharing behaviour were manipulated in the fearappeal messages. This chapter demonstrates positive effects of fear appeals onheightening end-users’ cognitions, attitudes and behavioural intentions.However, future studies are needed to determine how subsequent securitybehaviour can be promoted, as the effects on this crucial aspect were notdirectly observed. Nonetheless, fear appeals have great potential for promotingsecurity behaviour by making end users aware of threats and simultaneouslyproviding behavioural advice on how to mitigate these threats.All things considered, this thesis investigated online banking fraud victimizationand precautionary online behaviour. Specifically, human aspects were the focusof the present research. This thesis demonstrates that good security is inpeople’s heads. It seems easier, cheaper and more successful for criminals toattack end users using psychology rather than the technology surrounding onlinebanking. Hence, even the best security engineers cannot stop end users fromgiving away their security codes. Therefore, using psychology to defend againstonline banking attacks also makes sense. This is especially the case for attacksusing social engineering (phishing), but to some extent also for attacks usingtechnical engineering (malware). Considering the further digitization of oursociety and the increasing dependability on information systems, the case ismade that people have to ‘bend’ with these developments and become resilientwhen online. This is necessary to stop people from ‘breaking’ and potentiallybecoming victims of online banking fraud.While this thesis obtained information on how safety and security of onlinebanking can be improved from an end-user perspective, it should be noted thatend users will always be confronted with numerous potential threats. It isunrealistic to believe that people can protect themselves against all threats at alltimes. Therefore, we have to accept that bad things will continue to happenonline, but optimistically they can be kept to a minimum if end users are morevigilant about what they do online and are aware of how some people abuse the advantages that the internet offers. At the very least, the impact of theseattacks can be reduced. The following main recommendations from this thesismay be helpful:1: Continue to invest in security education, training and awareness campaignsconcerning threats aimed at online banking.2: Focus on underlying cognitive dimensions in security education, training andawareness campaigns, most notably on response efficacy and self-efficacy.3: Make clear that banks and customers are partners in keeping online bankingsafe and secure.4: Facilitate victims in their recovery process, primarily by providing feedback.5: Continue with research on the human aspects of online banking safety andsecurity.In conclusion, security education, training and awareness remain an importantpriority, especially for combatting social risks. It is very important to promoteonline resilience. The research indicates that in order to strengthen the role ofcustomers in the safety and security of online banking, threat appraisals as wellas coping appraisals should be improved. If customers or end users believe thatprotective measures make a difference (response efficacy) and if they are ableto perform these measures (self-efficacy), it is likely that end users will adoptprecautionary behaviour and become a strong link in the information securitychain. Proper information security practices should become part of our generalskill set as people in this day and age. However, it should not be forgotten thatsafety and security is something that should be worked on together, with allparties involved. And when things do go wrong, we need to help one another torecover from it. All in all, an important requirement for a safer and more secureinternet is that the human factor takes a central place in information security.

M3 - Doctoral Thesis

SN - 978-94-6233-960-6

PB - Open Universiteit

CY - Heerlen

ER -