Shifting the Blame? Investigation of User Compliance with Digital Payment Regulations

Cybercrime in Context

Part of the book series: Crime and Justice in Digital Society (CJDS, volume I)

Abstract

Users play a crucial role in the majority of successful cyberattacks. Compliance with information security guidelines can lead to more secure digital behavior and thereby reduce the chance of successful attacks. Since customer compliance is especially relevant for banks, the Dutch Banking Association (DBA) has developed and implemented a set of five security guidelines for customers. Each guideline is split into several specific actions that customers need to undertake in order to comply. Failure to comply can lead to a negligence claim and financial losses when falling victim to cybercrime. Such security guidelines are only successful if people are aware of their existence and mostly comply. In a user survey (n = 119) we tested whether this was the case. Results indicate that only a quarter of our sample (24.4%) was aware guidelines existed. When asked about compliance with the five general guidelines, less than a quarter (23.5%) of participants reported following all five guidelines. When asked about compliance with all specified actions needed to comply with these guidelines, only 3.4% reported complete compliance. A more in-depth analysis revealed that awareness of the guidelines did not increase compliance. The findings from this paper support recent findings in the security literature that knowledge and awareness alone do not increase secure digital behavior. Taken together, the low awareness and even lower compliance rates with the DBA security guidelines demonstrated in this study suggest that banks may be unfairly shifting the blame towards their customers.

Corresponding author

Correspondence to Sophie Van Der Zee.

Copyright information

© 2021 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this chapter

Cite this chapter

Van Der Zee, S. (2021). Shifting the Blame? Investigation of User Compliance with Digital Payment Regulations. In: Weulen Kranenbarg, M., Leukfeldt, R. (eds) Cybercrime in Context. Crime and Justice in Digital Society, vol I. Springer, Cham. https://doi.org/10.1007/978-3-030-60527-8_5

  • DOI: https://doi.org/10.1007/978-3-030-60527-8_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-60526-1

  • Online ISBN: 978-3-030-60527-8

  • eBook Packages: Law and Criminology (R0)
