Cyber crime is a serious threat for Internet users. Miscreants infect their victim computers and control them to perform malicious activities, such as sending email spam, stealing their victims’ personal information, performing denial of service attacks, or mining digital currencies (Huang et al., 2014). Cyber crime operations are a successful business, generating important revenues for attackers (Kanich et al., 2008). Using Information and Communications Technology (ICT) has become a pervasive phenomenon in both public and private domains. This has led to cyber security risks and threats against individual and organisational users. As countries develop and adopt new types of ICTs, associated problems emerge despite human efforts to stop them. There is need for continuous responses as the nature of the risks and threats is not static and develops over time. In terms of managing cyber security risks and threats, a wide range of technical controls at operational level have been accepted as the most applicable and feasible solutions (Singh et al., 2013). The technological revolution has changed business communication and management. However, there is a downside to all this. The Internet - as the core part of ICT - has the potential to be a breeding ground for cybercrimes (Wall, 2007). Cyber security risks and threats have increased in recent years, causing significant economic and social losses to public and private organisations as well as individuals.
Literature Review and Theoretical Framework
In terms of understanding cyber security, three approaches are identified by this study: (1) realist approach (2) psychological approach, and (3) sociological approach. The first approach conceptualises risk in an objective manner based on the assumption that risks are real events or dangers. In conceptualising terrorism risk, Willis (2007) asserts that risk is the intersection of three dimensions: threat, vulnerability and consequences, defining risk as the consequences of potential attacks on assets with vulnerability. Risk from an attack can be quantified as the unconditional expected value of damages from the attack. The greatest advantage of this approach is high application. As risk is denoted through probabilistic terms, risk can be understood in line with business management activities. Quantitative measures therefore are frequently used to communicate risks to non-security managers. As quantitative measures, metrics are effective in enabling constant risk assessment (Button, 2008) as well as informing business’ decision-making (Aleem, Wakefield, & Button, 2013).
The second approach is psychological one. This approach is concerned with how people perceive risk. Risk perception has been a great concern in social sciences. For example, in criminology and psychology risk perception is a major focus of interest. Two influential risk perception approaches are psychometrics and cognitive/behavioural decision-making (Borodzicz, 2005). The leading contender of risk perception studies, the psychometric model, aims at measuring psychological concepts of individuals in relation to hazards and risk. Psychometric studies attempt to develop measurements for human perception on risk from socio-political, natural, and man-made events. The psychometric model is of importance as it produced a great body of empirical data regarding risk perceptions (Royal Society, 1992).
The third approach postulates that risk is a socially or culturally constructed concept. Cultural theory postulates that risk perception is a reflection of the social context to which a person belongs (Sjöberg, 2000). More specifically, risk perception reflects aggregate values in socio-cultural contexts along with individuals’ values and beliefs of risk (Royal Society, 1992). It considers risk is an outcome of social processes, which means that risk can be controlled by managing social factors. Although the cultural theory expanded risk perception discourses, it was not widely welcomed due to an abstract nature of the concept, social context (Sjöberg, 2000).