Research Spotlight: Do They Accept or Resist Cybersecurity Measures? Use SA-13 to Find Out

Authors Cori Faklaris, Laura Dabbish, and Jason I. Hong published a new psychometric scale, used for measuring the degree to which people may adopt or resist cybersecurity measures. 

If you have taken a knowledge or personality quiz (maybe on social media, or for a job), then you are familiar with psychometric scales. These assessments, typically in the form of a survey, are useful for measuring people’s thinking and feeling in a consistent manner that then can be compared with a benchmark or with other people’s scores. The best psychometric scales are statistically validated to show that they measure what they say they measure. Researchers love them for making it easy to conduct remote research at scale.

Our newest psychometric scale, SA-13, is a compact, 13-item measurement of cybersecurity decisional balance – the degree to which system users’ acceptance of security measures weighs against their resistance in deciding whether to adopt secure behaviors or to fully comply with policies and advice. It improves on our SA-6 scale, a six-item measure of security compliance published at the 2019 Usenix Symposium on Usable Privacy and Security, by adding seven items to measure a person’s degree of noncompliance and factoring the resulting scale into four subscales. A full-length article summarizing SA-13’s development and validation is currently in submission to a leading journal, but you can use it right now by downloading the directions at https://socialcybersecurity.org/files/SA13handout.pdf.

SA-13 can be scored as a composite measure of security attitudes or as its four subscales (SA-Engagement, SA-Attentiveness, SA-Resistance, and SA-Concernedness). It is shorter and more suited for general use than two other published measures of user attitudes, the 31-item Personal Data Attitude measure for adaptive cybersecurity (Addae et al., 2017), and the 63-item Human Aspects of Information Security Questionnaire, or HAIS-Q (Parsons et al., 2017); and it measures attitudes rather than specific behavioral intentions, setting it apart from the 16-item Security Behavior Intentions Scale, or SeBIS (Egelman and Peer, 2015). 

SA-13 will be used by researchers and security awareness teams who need to quantitatively assess the degree to which users’ attitudes toward security measures are positive, ambivalent or negative. SA-13 will also be helpful for those who are unable to access users’ system log data to infer attitudes or attitude change, for confidentiality or privacy reasons.

For researchers who are concerned about adding too many survey items to an online questionnaire, the SA-Engagement subscale (three items) can be used as a short version of SA-6, which measures a person’s engagement with security measures. The SA-Attentiveness subscale (three items) is useful as a short, standalone measure of security sensitivity, defined as the awareness, motivation and knowledge to use security tools and follow security advice (Das et al. 2014). The SA-Resistance subscale (four items) can be used as a short measure of security noncompliance, with users rating agreement with statements such as “I am too busy to put in the effort needed to change my security behaviors.” 

The authors of SA-13 are myself (Cori Faklaris) and my Phd advisors, Laura Dabbish and Jason I. Hong of the Human-Computer Interaction Institute. We are now discussing how to build on this work as part of my dissertation research at the intersection of cybersecurity and social psychology, with the assistance of committee members Geoff Kaufman of the HCII, Sauvik Das of Georgia Tech, and Michelle Mazurek of the University of Maryland.

Authors Cori Faklaris, Laura Dabbish, Jason I. Hong