Users play a crucial role in the majority of successful cyberattacks. Compliance with information security guidelines can lead to more secure digital behavior and thereby reduce the chance of successful attacks. Since customer compliance is especially relevant for banks, the Dutch Banking Association (DBA) has developed and implemented a set of five security guidelines for customers. Each guideline is split into several specific actions that customers need to undertake in order to comply. Failure to comply can lead to a negligence claim and financial losses when falling victim to cybercrime. Such security guidelines are only successful if people are aware of their existence and mostly comply. In a user survey (n = 119) we tested whether this was the case. Results indicate that only a quarter of our sample (24.4%) was aware guidelines existed. When asked about compliance with the five general guidelines, less than a quarter (23.5%) of participants reported following all five guidelines. When asked about compliance with all specified actions needed to comply with these guidelines, only 3.4% reported complete compliance. A more in-depth analysis revealed that awareness of the guidelines did not increase compliance. The findings from this paper support recent findings in the security literature that knowledge and awareness alone do not increase secure digital behavior. Taken together, the low awareness and even lower compliance rates with the DBA security guidelines demonstrated in this study suggest that banks may be unfairly shifting the blame towards their customers.
|Title of host publication|Cybercrime in Context. Crime and Justice in Digital Society, vol I.|
|Number of pages|18|
|Publication status|E-pub ahead of print - 4 May 2021|