Research Spotlight: Gender and Cybersecurity Decisions

How does gender affect cybersecurity decisions? A new study by Winnie Mbaka and Katja Tuma from Vrije Universiteit Amsterdam sheds some light on this question in their paper “Role of Gender in the Evaluation of Security Decisions”, published in IEEE Security & Privacy in 2024.

Background

Cybersecurity is a complex and dynamic field that requires human analysts to make decisions under uncertain conditions, a form of risk assessment. These decisions can have significant consequences for the security and privacy of individuals, organizations, and society. However, human decision-making is not always rational and unbiased. It can be influenced by various factors, such as personality, emotions, culture, and demographics.

Previous research investigated the role of demographics in risk analysis (see the “Risk Perception” row in Table 1 below), but in non-technical scenarios such as smoking, stress, and genetically modified organisms, which differ markedly from cybersecurity risk analysis.

In the field of security (see the “Security awareness and behavior” row below), the effect of gender and background knowledge (expertise) has been studied, with mixed results. One study found that male participants exhibit higher security awareness, while another reported the opposite, finding that female participants demonstrate higher awareness.

Study Design

To resolve these mixed findings and pin down the role of demographics in cybersecurity decisions specifically, the authors used vignettes that elicit different demographic dimensions, randomized for each participant. The scenario is borrowed from an illustrative case study that the ACM uses in its Code of Ethics and Professional Conduct. The study authors chose it because little is known about how these case studies are actually understood or perceived by members of the computing communities. They modified the case study to include the independent variables of gender (Frank [male] and Anna [female]) and seniority (junior and senior analyst). See the vignettes here:

To assess perception of the analyst, the participants were asked to rate their confidence in the analyst persona. In particular, they rated five aspects of the persona: how competent, skillful, knowledgeable, moral, and trustworthy they perceived the analyst persona to be. Ratings were given on a five-point Likert scale (where point 1 is labeled “strongly disagree”, point 3 is labeled “neutral”, and point 5 is labeled “strongly agree”).

The NI members tackled two research questions:

  1. Does the perceived gender or seniority of the presented security analyst affect the participant’s evaluation of a security case study?
    • Due to the mixed findings, the researchers hypothesised that gender and seniority will not have an effect on cybersecurity decisions.
  2. Does the gender or education level of the participant affect their evaluation of a security case study?
    • The authors expect to find some differences. For example, they might observe that female participants perceive security events with greater concern compared to men (or vice versa).

In total, 188 students (44 female and 144 male) attending a computer science university program at the VU voluntarily participated.

Results

The first hypothesis was supported: the analyst’s gender and seniority did not have an impact on the participants’ perception.

The second hypothesis was rejected, as no statistically significant differences were found, meaning that the participants’ gender and level of education had no effect on risk perception.

Additional Results

The study authors additionally tested for the effect of gender on the perception of the case study itself, since MaxxUpload’s business model (see vignettes) is ethically questionable.

  • They found that female participants disagreed with MaxxUpload’s decision to host any type of client (legitimate and malicious ones) to a significantly greater extent than males (p = .03).

Finally, the researchers varied the type of mitigation used to prevent malicious use of MaxxUpload’s infrastructure. The first suggested engineering malware that targets part of MaxxUpload’s infrastructure and stops behavior that resembles malicious activity (the “Worm” from the vignette above). The second suggested blocking incoming traffic to MaxxUpload’s servers (except from the domains listed as verified non-malicious customers). They refer to the first and second mitigations as malware and traffic blocking, respectively.

  • Participants who received the traffic-blocking mitigation had a neutral perception of it, while participants who received the malware mitigation had a negative perception. Those in the traffic-blocking condition perceived it as a significantly more appropriate solution to the security threat in the case study.

Discussion

Regarding the perception of the type of mitigation (traffic blocking or malware), the authors note a dissonance between the ACM’s view that the malware mitigation is appropriate and the participants’ view that traffic blocking is more fitting. Regarding the first research question, a reassuring finding was that the apparent gender of the analyst did not have any effect on the participants’ evaluation of the proposed solutions. However, the participants’ gender was found to affect perception, with female participants finding MaxxUpload’s behaviour in the security case study significantly less ethical.

In terms of limitations, the researchers note that students are neither experts nor lay people in the field, which limits the generalizability of these findings. An interesting direction for future study would be to check whether bias toward the gender or seniority of the analyst persona has an effect on participants outside computer science, e.g., participants with a communication science or law background. Security response teams also include other experts, such as lawyers or public relations specialists, who might react differently.

Lastly, Winnie Mbaka and Katja Tuma suggest that future studies could replicate this study while treating gender as an intersectional concept, by including nonbinary gender. This was not possible in this experiment because the sample size within the nonbinary group was too small.

The paper is an interesting and important contribution to the field of cybersecurity decision-making. It provides empirical evidence for the role of gender in the evaluation of security decisions. The paper is also accessible to non-scientists who are interested in learning more about how human factors affect cybersecurity. You can read the full paper here.