Exploring the relationship between impulsivity and decision-making on mobile devices
- 1.8k Downloads
Mobile devices offer a common platform for both leisure and work-related tasks, but this has resulted in a blurred boundary between home and work. In this paper, we explore the security implications of this blurred boundary, both for the worker and the employer. Mobile workers may not always make optimal security-related choices when “on the go” and more impulsive individuals may be particularly affected as they are considered more vulnerable to distraction. In this study, we used a task scenario, in which 104 users were asked to choose a wireless network when responding to work demands while out of the office. Eye-tracking data was obtained from a subsample of 40 of these participants in order to explore the effects of impulsivity on attention. Our results suggest that impulsive people are more frequent users of public devices and networks in their day-to-day interactions and are more likely to access their social networks on a regular basis. However, they are also likely to make risky decisions when working on-the-go, processing fewer features before making those decisions. These results suggest that those with high impulsivity may make more use of the mobile Internet options for both work and private purposes, but they also show attentional behavior patterns that suggest they make less considered security-sensitive decisions. The findings are discussed in terms of designs that might support enhanced deliberation, both in the moment and also in relation to longer term behaviors that would contribute to a better work–life balance.
KeywordsImpulsivity Visual processing Cyber-security Social networks Work–life balance Mobile working
Mobile working is now commonplace, thanks in part to the widespread availability of public wireless networks, the growth in companies prepared to offer remote working  and the rise of the smartphone as a common platform for both leisure and work activities . The result is a blurring of the relationship between home and work, most directly affecting the time spent on work or home tasks . The advantage to the worker is that it offers them increased temporal and geographic flexibility and connectedness, but there are also disadvantages in terms of increased pressure, perceived or real, to be available for work around the clock and consequent feelings of stress and exhaustion . The advantage to the employer is a more responsive, agile and available workforce and the opportunity to exert greater organizational control , but there is also a cost. Employers tend to underestimate the time workers spend on their mobiles and, in particular, underestimate time spent on social media . Such flexible “anytime, anyplace” working on a mobile device can quickly become “all the time and everywhere”. This universal work mode can also compromise security, with serious implications for both the worker and for the employer, and it is this issue that is explored in the current study.
1.1 Mobile working and the work–life boundary
Prior literature exploring mobile communication technologies as tools that increase work–life balance and break down the barriers between work and home [25, 65, 66, 69] suggests that both positive and negative outcomes may result. In a large-scale survey of 1388 individuals from 845 Australian households , the mobile phone was predominantly seen to be a social tool, but there was clear evidence of its increasing use as a work tool, particularly by the men in the sample. One of the main functions of the mobile phone was for “micro-coordination of family arrangements and work schedules” —essentially reducing the rigidity of plans and allowing both work and home arrangements to be renegotiated at will. Note, however, that this micro-coordination was seen as a positive aspect to phone use and was associated with a significant proportion of respondents believing that the mobile had helped to balance their family and working lives. The same authors also made use of the “family strains and gains scale”  that measures ways that job-related stresses might transfer to the family and vice versa. They note that, contrary to popular belief, the work–family spillover was not significantly related to mobile phone use, but reflected other job characteristics (such as total hours worked). There was, however, clear evidence of the erosion of boundaries between home and work life, as for example, when both men (51 %) and women (31 %) chose to use their mobile phone to talk with their work colleagues while on holiday . The use of work-related communication technologies outside work has also been shown to increase perceived work–life conflict  and raise concerns about technostress associated with the pervasive and near-continual use of organizational IT systems and the effect this has on health and work–life balance .
Between 2004 and 2008, there was a marked shift in the ways in which individuals would exploit the interoperability of various portable devices; and by the end of that period, it was common to connect to the Internet for both work and personal activities, for example when travelling or when in cafes or bars . Today, it has become commonplace for employees to use the same social media sites to interact with friends, family and colleagues, creating a collision between personal and professional identities. The use of a common platform that can “collapse” identities in this way can result in a worker being careless in their demarcation or segregation of home and work activities which in turn can lead to information from one environment “leaking” into another. Thus, an employee may inadvertently reveal inappropriate personal information to their colleagues or sensitive, protected company information to their friends and family. A second factor is that the device itself may be vulnerable. Smartphones are typically armed with their own security systems. They can seamlessly load security updates or run maintenance checks, run virus screens in the background, and offer information alerts, but despite this, there are known security problems associated with being “always connected” . Not surprisingly then, employers are under pressure to enhance their mobile-based security and authentication policies and procedures . Employers increasingly utilize mobile device management and bring your own device (BYOD) policies to ensure that their mobile workers do not introduce new threats to workplace security. However, past evidence has shown that workers find it difficult to adhere to security policies, even within the workplace (see various reports on compliance issues by ). How much more difficult is it, then, to make optimal security decisions from a home or leisure environment when the same device is used for home and work activities. As a result, the distinction between home and work activities can become blurred, making it more challenging for users to adhere to company security policies under such circumstances.
There are a number of factors at play here. Firstly, the mobile worker must deal with increased task complexity, mastering not only the primary task itself, which can be challenging  but also gaining mastery of a device that has not necessarily been optimized to the task as well as dealing with any mobile services used in performance of that primary task. Secondly, the mobile worker may face a wide range of distractions (games, music, shopping and gambling) that are only a click away. Thirdly, the mobile worker may feel time pressure to submit work or reply to an e-mail even though they are operating in an insecure environment—such as a café with an open wireless network. In such a complex space, certain personality variables may also influence the extent to which any user can fully attend to the information most relevant to security-based decision-making. In particular, the impulsive individual may find it more difficult to prioritize security concerns, given that they may have difficulty to maintain focus and may be more impatient to get on with the primary task at hand. These personality issues are dealt with more detail in Sect. 1.3 below.
1.2 Mobile security
Mobile security has been a known issue for HCI for some time, with many of the published studies focusing on easier smartphone authentication ; or means to reduce unauthorized access . In short, much of the HCI work has been focused upon more usable means of protecting the smartphone user. A new, broader focus on smartphone security has come into play with the rise of BYOD practices in the work environment, and the increasing awareness that organizational as well as personal data are at risk from everyday insecure practices in mobile phone use . Perhaps surprisingly, users are relatively unaware of the security challenges they face while conducting sensitive exchanges on a mobile device , believing that smartphone exchanges are generally less risky than those made on a laptop. This is interesting considering the frequency with which people will use smartphones to download apps, conduct e-mail or connect to an unsecured wireless network while travelling.
In our own studies of BYOD security, we have adopted a “security by design” approach, seeking to develop a “choice architecture” that will seamlessly nudge users toward secure decision-making. Such an approach builds upon the work of Thaler and Sunstein  and also on the work of Kahneman , who describes the importance of two cognitive systems in his 2011 text “Thinking, fast and slow”. There are interesting design opportunities afforded by system 1—the “faster” of the two cognitive systems which operates quickly and with little or no cognitive effort or sense of voluntary control. In particular, it is possible to develop design nudges that support more secure decision-making in a relatively effortless way, by simply changing menu order or color-coding the choices  (e.g., in the case of wireless network selection). Such design nudges have been employed to great effect in the privacy space, where users are often thoughtless in their disclosure of sensitive information , but their use has been relatively limited for mobile security, which, as we have seen is becoming a critical issue. What is also interesting, for the current study, is the role that individual differences may come into play. Are some people less able or willing to engage system 2, i.e., reluctant to take a deliberative, analytical approach to managing their mobile security? Certainly deliberation would seem to be an important consideration when considering cyber-security practice outside of the workplace, given, for example, the finding that users who take a deliberative approach to mobile security (reading software policies and checking for trust kitemarks) are much less susceptible to malware .
1.3 Personality and security-related behavior
Certain personality variables can help predict security-related behavior on mobile devices and social media. They may shape the values users adopt, the types of information they share and the people with whom they share this information. In addition, just as personality can shape behavior, so conversely, behavior can be used to indicate the presence of certain personality traits. We propose that this relationship holds true in the security space, where compliance with security policy, non-responses to security messages and/or security prompts are mediated by stable characteristics of the users themselves. This approach recognizes that personality sits alongside knowledge and experience, cognitive capacities, heuristics and biases—all of which shape the interpretation of security messages and the willingness of the user to commit to secure practices.
A few general examples demonstrate this point. For example, introverts engage in more cautious online behavior, and both extroversion  and shyness  influence Internet behavior and search activities [11, 20, 26] as well as privacy and security risk perceptions . Other personality traits that have been shown to influence security practices include “big-five” factors (such as neuroticism, openness to experience, conscientiousness) as well as self-efficacy. For example, a correlation has been found between neuroticism scores and susceptibility to phishing e-mails . Social media users who rank high in openness to experience also set fewer privacy settings, making them more vulnerable to attacks . Conscientiousness positively influences information security managers’ attitudes toward technical as well as organizational activities associated with information security and security compliance, and greater security self-efficacy is associated with greater security efforts .
Personality can also moderate the effectiveness of security campaigns. For example, users ranking high on agreeableness are more likely to improve their security behavior when security advice incorporates a moral, regret or feedback component . However, these behavioral change incentives were not as effective for those users who also rank high in terms of openness to experience . Such findings therefore support the idea that personality can influence security behaviors, in terms of the attention users pay to security interfaces, and the types of advice they are likely to follow.
This paper focuses on the relationship between impulsivity and security-related decision-making. Impulsivity is the tendency of individuals to act in the moment . More impulsive individuals find it difficult to sustain attention, which means they deliberate less when making decisions [28, 32, 58] and often miss information . Impulsive individuals are also more likely to focus on potential rewards, pay less attention to possible negative outcomes of decisions  and also discount the value of delayed rewards . They may also be more fixed on specific choices and less willing to change their decisions in response to different incentives . Finally, impulsivity may also indicate a poorer ability to separate personal and work time effectively when using mobile devices , which may result in problems in maintaining a reasonable work–life balance.
The implications for decision-making when balancing competing demands, including security-related behaviors, are manifold. Impulsive individuals may not act on advice at a given time because they do not see the immediate benefit of doing so or because they find it difficult to adapt their behavior to changing circumstances (exhibiting choice fixedness as suggested by ). More impulsive users may also prioritize immediate and gratifying outcomes over long-term considerations such as security. This is important since meeting security requirements is rarely the users’ primary focus or task as the user's cognitive resources are limited . This means, the user may have insufficient resources to respond to security requests when he or she is already working on another task. The security risks are compounded if greater impulsivity coincides with a tendency to be more trusting . This would explain why impulsive individuals are also more likely to respond to phishing e-mails and are less attentive to the cues that would alert them to a scam . In addition, past work has shown that the use of mobile technology and successful management of work–life boundaries is influenced by their ability to respond to demands from home and their level of self-control . This provides further support for the potential role of impulsivity in relation to boundary management.
Not surprisingly then, there is also evidence that impulsivity is linked to poorer self-regulation and sensation seeking. This again may articulate itself in form of problematic Internet use . This can extend to the workplace: In one study, employees with lower self-control (a measure that includes impulsivity) also admitted that they would be more likely to violate cyber-security policy . Given the poor self-regulation aspect and processing of information, more impulsive individuals may not necessarily be aware of their poor information processing or the fact that they are compromising their privacy.
1.4 Rationale and goals of current study
A number of personality and contextual factors can influence security behaviors. These are affected by work-life demands but may not accounted for by the organisation . Impulsiveness is one of those factors that have been considered in relation to self-regulation and problematic Internet use  and cyber-security policy compliance . Impulsiveness may increase the susceptibility of an individual to distractions originating from the persuasive pull of mobile communication technologies and the availability of social networks. However, relatively little is known about how impulsivity might affect security decision-making outside of the work environment where users are more likely to be dealing with multiple and diverse demands. Impulsive employees are probably less tolerant of delays in their workflow, less able to resist frequent status checking of their mobiles and more easily distracted—all of which might mean that they are also more likely to blur their work–life boundaries and render them more vulnerable to security attacks.
The first study goal was to examine whether impulsivity was related to the deliberation of available wireless options, as poor deliberation could lead to insecure decision-making. Researchers have previously utilized eye-tracking technology and made use of gaze paths and fixation points to explore the users’ interaction with security indicators within web browsers . In our study, we predict that individuals scoring high on impulsivity process fewer features than those scoring low on impulsivity. More impulsive people may also struggle to focus on the task at hand, resulting in riskier decision-making (linked to poor self-regulation during the visual processing of materials).
Impulsivity is a negative predictor of the number of features processed.
The second goal was to expand on past work on poor self-regulation and impulsivity by considering the relationship between impulsivity and privacy concern. As noted above, impulsive individuals exhibit more problematic behaviors online and are more prone to sensation seeking . This suggests that more impulsive individuals may be less concerned about privacy, in part because they do not attend to the longer term consequences of their actions. This may lead to privacy breaches that could affect their employers’ and their own personal data security.
Impulsivity is negatively correlated with privacy concern.
The third goal was to consider the possibility that more impulsive individuals may be less able to maintain focus and stay engaged with one activity in the presence of other distracting and less demanding activities. They may show a greater tendency to pick up mobile devices to access social media sites, as suggested by past work linking impulsivity and Internet addiction . We are not suggesting that more impulsive individuals are less engaged or interested. Rather, impulsive individuals may be more readily enticed and persuaded to use their mobiles to connect to the Internet via public wireless networks in order to check for updates and review the status of their social networks. As noted earlier, impulsive individuals are more easily distracted [28, 32, 58]. This may translate into a greater tendency to access social media and other mobile distractions which in turn, might leave them vulnerable to security risks including credit card fraud or phishing, as they may engage in less careful screening of information sent to them. We therefore propose that impulsivity is connected to how frequently individuals use mobile devices to access public wireless networks and to check their social network account.
Impulsivity is positively correlated with mobile device use and social media access.
Social science students were recruited by posting a message on a dedicated university online recruitment portal. Students are a relevant sample in this case because they rely on and make assumptions about the security of university infrastructure and their publicly available open access services , but they exhibit limited awareness of the security issues involved with online transactions . Students are also an interesting population as they have concerns about work–life balance; concerns that may even be more pronounced if they combine family and work responsibilities with part-time study and raising a family. According to a report Higher Education Careers Services Unit , 36 % of students in the UK were part-timers in 2007–2008. Part-time students are often older and work while studying. Many students experience conflicting prioritiesas a result of having no experience or strategies to manage work–life conflicts, but also due to institutional culture and ethos in higher education .
All university students could earn research credits for their respective programs. The first forty participants were recruited in Autumn 2013 and completed the task in a laboratory setting that enabled us to also collect eye-tracking data. The remaining participants were given an online version of the task in Spring 2014. All instructions and materials were identical in both data collection phases and no significant effects of online versus off-line task completion were observed. One color-blind participant was excluded from the eye-tracking subsample. The final sample (N = 104) comprised 46 males and 53 female students with an average age of 21 years (MN = 21.61, SD = 4.84, range 18–40; 5 missing values). Half of the participants used the Internet at home (n = 54, 51.9 %) or both at work and home (n = 46, 44.2 %).
Upon completion the appropriate consent forms, all participants were given the following scenario: You have an hour to submit some urgent work and decide to go to a public café to connect to the Internet using one of several available wireless connections. Keeping this scenario in mind, they were then presented with five screens. Each screen offered six network options. Participants had to select one of the network options for each screen. The 41 participants were monitored discretely with an eye tracker while they explored each screen on a monitor. Following the selection of their choices, all participants were asked to complete a follow-up questionnaire about their personality, their use of various devices and their social and wireless networks. The questionnaire concluded with demographics and the debrief statement about the study.
The network options were presented on five screens similar to an Android default Wi-Fi selection screen. Each screen provided six networks from which participants had to choose one. The five screens themselves varied in terms of how the network options were presented to participants (using color coding, ordering of networks and presence of padlocks) and the behavioral effects of these different “nudges” are presented in [10, 61]. To avoid familiarity effects, network names were replaced with randomly generated network names. Screens were presented in a random order to participants. In this paper, we report how impulsivity affects attention to information when making decisions and use of devices and social media.
Behavioral and self-report measures are detailed below.
2.4.1 Attention score
The first set of outcomes referred to data obtained from eye tracking. Tobii Studio 3.0.2 was used to collect data about the frequency with which individuals looked at the various areas of interest (AOIs), fixation counts, time required per screen and various other indicators of visual processing. An X120 eye tracker was located directly beneath the monitor. This setup does not require the participant to wear any special equipment; it is just necessary to stay within the range of the device. Using the software, the researchers drew 12-specific AOIs using the graphics tools (network label to the left, signal and padlock to the right) for each of the five screen variations, resulting in a total of 60 AOIs (thus, using the same size and parameters for all participants when they were looking at one of the AOIs). The time participants took to make their choices was not restricted. In our study, the eye movements of every participant in the subsample were carefully examined to detect and compute the total number of screen features (e.g., number of options and symbols) each participant processed from each screen while making decisions. In order to do this, the recordings were slowed down and visually inspected by a research assistant who counted how many features each person processed. The results were summed across all screens to generate the processing score. On average, participants appeared to have visually attended to most but not all of the 12 AOIs on each screen (MN = 9.28, SD = 1.11).
Another important variable was the percentage provided for sampling effectiveness by Tobii Studio (on a scale of 1–100 %). The program generates this measure (“samples”) as a means of determining the quality of the eye recording. It gives a sense of the number of valid gaze points in the recording, if not necessarily the accuracy of the recording. A researcher was present to ensure that all participants were focused on the screen and not distracted. Slight misalignment can lead to specific gazing patterns not being counted, especially when the area of interest is small. Using the data from Tobii, the visual processing data were examined for the first 10-s period during which participants picked their preferred network option (participants usually started to revisit the same AOIs after this point). Our coding of AOIs scanned within 10 s strongly correlated with the statistics produced by the Tobii Studio for AOIs scanned by participants (r = .812, p < .001). A variety of measures were used to assess personality, social media and wireless network use in the follow-up questionnaire. In some cases, the scales were shortened to reduce the length of the follow-up questionnaires and reduce the likelihood of participant of fatigue and disengagement.
Four items from the ten-item Diminished Impulse Control subscale (part of the Online Cognition scale) were used to assess impulsivity . This scale was selected because it had been specifically designed as a means to assess both cognitive and behavioral control in relation to online activities and decision-making. This measure has also been used in other online research [20, 26, 31, 48]. Only four items were selected from the list of ten for two reasons: One was related to practicality (we aimed to keep the follow-up questionnaire reasonably short) and the other concerned the content of the items as these particular items captured problematic Internet use that is linked to impulsivity [see original scale information in 13]. The four items were: (1) “I use the Internet more than I ought to.” (2) “People complain that I use the Internet too much.” (3) “I never stay on longer than I had planned.” (4) “Even though there are times when I would like to, I can not cut down on my use of the Internet.” The third item was reverse-coded. The response scale ranged from (1) strongly disagree to (5) strongly agree. We decided to use five response options in line with other measures. The reverse-coded item was excluded due to poor reliability. Impulsivity score was computed as the average of the remaining items (α = .643, MN = 3.26, SD = .77). This gave us a range of responses between 1 and 5 with higher scores indicating greater impulsivity.
2.4.3 Privacy concern
Two items were used to measure privacy concern . The original scale had included questions not statements, each with response options on a five-point scale ranging from “not at all” to “very much”. The selected items were slightly rephrased to be in the first person. Following these revisions, the final items were: (1) “I am concerned that information about me could be found on an old computer.” (2) “I am concerned that my e-mails are being read by other people.” The response scale ranged from (1) hardly ever to (5) almost always. Privacy concern was computed as the average of the items (r = .493, p < .001, MN = 2.11, SD = 1.00), with a range from 1 to 5, higher scores indicating greater privacy concern.
2.4.4 Use of mobile device to connect to wireless and social networks
A selection of questions from  were utilized in order to learn more about the behaviors of our participants and their past experience. We first wanted to find out how often (but not why) our participants connected to public wireless: “How frequently do you connect your devices (work iPad, tablet, and laptop) to a public wireless network with your mobile phone?” The response options ranged from (a) “daily,” (b) “weekly,” (c) “monthly,” (d) “less than one a month,” to (e) “never.” Participants’ responses were grouped into two groups (daily vs. other) in subsequent analyses due to small cell sizes <20 (responses available for 96 participants). Participants fell into two different groups: those who used public wireless to connect via mobile devices at least once a month (n = 42) and those who never connected to public wireless (n = 54).
Participants were also asked about their use of social networks using the following statement: “How likely are you to use your mobile devices to access social networking sites (e.g., Facebook, Twitter, MySpace, Instagrams, LinkedIn, YouTube, etc.)?” The response options were identical for both questions: (1) daily, (2) weekly, (3) monthly, (4) less than once a month, and (5) never. Responses were available for 95 participants. These were grouped into three groups. Those who accessed social networking sites daily (n = 27), those who accessed it weekly to at least once monthly (n = 25), and those who never accessed social networks via their mobile devices (n = 43). Finally, the survey asked participants whether or not they had already experienced negative consequences due to their online activity. The question was “Have you ever experienced any negative consequences from your online activities?” and had five possible response options: (1) “No, I have not experienced any negative experiences.” (2) “Yes, my account information has been stolen.” (3) “Yes, my credit card information has been stolen.” (4) “Yes, my personal information has been compromised.” (5) “Yes, other” (to be completed by participant). Participant responses (98 responses available) were put into two groups in subsequent analyses due to small cell sizes. One group represented the group who reported no negative experience (n = 68). The second group included participants with different types of negative experiences (n = 30), including those who had their account detail or credit cards stolen, their personal information compromised or reported some other incident.
2.4.5 Control variables
Control variables included participant age, gender, their use of computers outside of the university, their self-reported IT proficiency and technological device ownership. IT proficiency varied between novice (n = 21), intermediate (n = 71) and professional (n = 8). Participants were also requested to report how many devices they owned (from a list of seven options, including options such as a computer, tablet, and removable media such as iPod or flash drive, mobile phone with 3G, mobile phone without 3G, Bluetooth equipment, and Internet enabled games). On average, our participants owned four such devices (MN = 3.83, SD = 1.05, range 2–7).
3.1 Descriptive results
Impulsivity correlated weakly and marginally significantly with privacy attitudes (r = .187, p = .058) but significantly and negatively with age (r = −.265, p = .008, n = 98). It is well known that impulsivity decreases with age. The observed correlation is therefore in line with previous research but also points to the need to control for age in subsequent analyses. Finally, greater use of technology via multiple devices was positively correlated with increased privacy concerns (r = .212, p = .034).
Impulsivity is a negative predictor of the number of features processed.
The extent to which impulsivity is related to attentional processing was examined using eye-tracking data as indicated by the number of pre-defined areas of interest (AOI, the features of interest) processed on each screen—described here as an attention score. This analysis involved eye-tracking data that were obtained for 40 of the 104 participants. This number was limited due to the effort required to evaluate all recordings individually for each of the 40 participants (resulting in 40*5 individual recordings).
In addition to the impulsivity and attention scores, the analysis included the effective data capture reports (effectiveness percentage provided by the software for each participant, representing the number of valid gaze points) as a control variable into the model. Regression analysis suggests a good model fit (R 2 = .293, R adj 2 = .254, F(2,36) = 7.472, p = .002). The regression coefficient indicates that as impulsivity increases, attention decreases, that is, the number of AOIs (=features) reviewed by participants declined (b = −2.448, β = −.334, t = −2.380, p = .023). The results support hypothesis 1.
In further analysis, we also assessed if feature processing in the eye-tracking may have been influenced by previous use of Wi-Fi networks. However, no significant group differences were observed in terms of how participants used public wireless services. This suggests that previous experience and use of open wireless do not explain our findings (e.g., no support was obtained for the suggestion that more impulsive candidates may have been less experienced and thus reviewed the Android screens more haphazardly).
Impulsivity is negatively correlated with privacy concern.
As privacy attitude is known to be associated with age and device ownership, we controlled for these in our regression analysis [R 2 = .083, R adj 2 = .054, F(3,94) = 2.845, p = .042]. The regression coefficient suggests that impulsivity was positively associated with privacy concern, not negatively as we had predicted (b = .279, β = .218, t = 2.130, p = .036).
This result was surprising and clearly does not support our hypothesis that privacy concern would be lower in more impulsive individuals. Several explanations exist. It is possible that experience with security-related incidents could play a role (i.e. more impulsive individuals may have experienced more adverse events in the past). The survey provided us with some information about our participants’ past experience with security-related incidents. This therefore enabled us to conduct an exploratory ANCOVA to examine a potential link between impulsiveness and security experience, controlling for age once more (gender was not a significant covariate). The results were not significant [F(1,95) = .712, p = .401]. Impulsivity was not significantly different between users who had no negative experiences to report (MN = 3.23, SD = .80, n = 68) and those who had reported negative experiences in the past (MN = 3.30, SD = .80, n = 30). Past experience of security-related incidents between more and less impulsive users did not appear to be the driving force behind greater privacy concerns voiced by the more impulsive users. Another explanation—not verifiable within our current dataset—is that more impulsive individuals are aware that their behavior may leave them vulnerable to risk and are accordingly more anxious about the corresponding privacy threat.
Impulsivity is positively correlated with mobile device use and social media access.
Some work suggests that when individuals use social media to check e-mail and connect with others, they are also more likely to suffer negative spillover effects on both work and home life . More impulsive individuals may be even more likely to engage in such behaviors on the spur of the moment. We therefore tested whether more impulsive individuals would also be more likely to connect to wireless networks via their mobile devices (data were available for 96 out of 104 participants due to eight missing values). The impulsivity score of the group that never used public wireless (n = 54) was examined in relation to the group that used mobile devices at least once a month to connect online (n = 42). This was assessed using ANCOVA controlling for age, as device ownership and use may be dependent on age via income and employment status. A significant group difference emerged [F(1,93) = 9.374, p = .003]. Those who never used public wireless with the help of their mobile devices also had significantly lower impulsivity (MN = 3.05, SD = .84) compared to those participants who used their mobile devices to do so at least once a month in order to check their e-mails (MN = 3.50, SD = .67). This indicates that those who were more driven to connect to public wireless to check e-mails also tended to be more impulsive.
Another question was whether or not impulsivity was associated with more frequent accessing of social networks via their mobile devices (iPad, tablet and laptop). A significant group difference was observed when conducting ANCOVA, again controlling for age [F(2,91) = 6.100, p = .003]. Individuals who never access social networks via their mobile devices were significantly less impulsive (MN = 2.97, SD = .87, n = 43) compared to individuals who accessed social networks daily (p = .012; MN = 3.44, SD = .76, n = 27) and those who accessed such networks at least weekly to monthly on their mobile devices (p = .017; MN = 3.48, SD = .58, n = 25). These results provide some support for hypothesis 3. More impulsive users had used their mobile devices to connect to public wireless more frequently than less impulsive users. This also extended to the frequency with which they would then access social network via public networks.
Impulsivity and mobile device use may have an important impact on work–life balance and security decisions. Previous work had suggested an important role for personality in security-related decision-making, influencing the effectiveness of security messages , vulnerability to phishing , perceptions of risk  and attitudes related to information security . This study aimed to add to our current understanding of the role of impulsivity in security-related behaviors around wireless network selection and mobile phone use.
Our design and hypotheses were based on existing evidence around poorer self-regulation, distractibility and lower deliberation associated with higher impulsiveness [28, 32, 58]. All of these aspects may also affect how and what type of security-related decisions individuals may make when switching back and forth between tasks and when switching between home and work contexts. Behaviors of interest included selecting less secure wireless network options, less attentive visual processing of information, the regular use of wireless public networks and the frequency with which individuals connect to (potentially insecure) social networks using their mobile devices. In addition, the omnipresence of the mobile phone and the culture of connecting “anytime, anywhere” may negatively impact temporal and geographical boundaries that separate work and home [see 49].
We first examined the type of decisions our users tended to make in a selection task. Using eye-tracking data, we found that those with higher impulsivity processed fewer details when making decisions. This suggests that impulsive individuals did not attend to all pieces of information available to them . This is not so much a concern when the best options come first in a menu list. But it can be a problem when better decision-making relies on a longer search of all menu options or a more considered weighing up of alternatives. These findings are therefore in line with the cited evidence above that impulsiveness is associated with problems of attention and deliberation  which we have now shown to lead to poor security decisions.
Based on previous evidence, we expected more impulsive individuals to show reduced privacy concern. However, the association between impulsivity and privacy concerns was positive, i.e., more impulsive individuals reported greater, not less, concern. This suggests that more impulsive individuals may be more casual about security settings, but nonetheless feel concern about the kinds of information they share (as indicated by the self-reported privacy concern). This result was not influenced by whether or not participants had experienced more negative events in the past. It is possible that impulsive individuals do not deliberate on their options at the time, or indeed that they exhibit a certain behavioral rigidity that means they find it difficult to change or alter choices , but they may be aware that these choices leave them vulnerable and this awareness feeds into a greater concern for privacy. Finally, our finding that more impulsive individuals made more regular use of public networks and were more frequent users of social media—activities that expose individuals to potential security and privacy risks—may be related again to the kinds of poorer self-regulation reported for more impulsive individuals .
In conclusion, the results of our study showed that impulsive people are more likely to make use of their mobiles to connect to social media and that they are also less likely to engage in careful deliberation before connecting to wireless networks. This means that impulsive individuals are more likely to place both personal and work data at risk, given the rise of BYOD working and the increased use of the mobile phone to complete and respond to both home and work activities. We already know that boundary management between home and work is difficult , but our findings suggest that personality may also play a role here—impulsive people may find it harder to manage those boundaries and may risk data security breaches as a consequence. However, it is important to note that we used a student sample in this study. While many students struggle to combine their academic and working lives, they nonetheless enjoy a degree of flexibility that is unusual for those in full time employment and that may limit the extent to which of our findings can be generalized to other contexts.
4.1 Practical implications for the use of mobile technologies and work–life balance
The findings have some practical implications for work-related decision-making, particularly for impulsive individuals faced with various challenges when trying to manage their work–life balance. Impulsive decision-making may be functional in many specific settings , especially when the decision is routine and the decision-maker is an expert who is able to assess the situation based on very few cues. However, in these situations more impulsive individuals may not be fully aware or cognizant of all possible (including negative) outcomes of their behaviors , which then results in suboptimal decisions and errors. This has implications not only for the work–life balance of more impulsive workers, but also for the ways in which mobile working might be supported, both by policy  and by design , while also reducing associated data risks, health and home life. Some research has already shown that employees have greater difficulties managing the boundaries between work and life when they are also in the habit of continuously accessing work-related e-mails and cannot tear themselves away from work, even when in the home . The current study’s findings suggest that these tendencies may be even more exacerbated when employees are more impulsive, thus potentially threatening their ability to manage work–life boundaries even more. We outline the practical implications and potential starting points next.
One suggestion, based on our work, would be to consider more carefully just how personality and risk are related and how this may inform design (e.g. we might wish to explore design interventions that might encourage more deliberation). Past research has suggested that campaigns to raise security awareness may be more effective if it were possible to consider the personality profile of the recipients  and identify those who are more likely to engage in more risky decisions in the area of information security . In terms of work–life balance, it is important that organizations and human resource managers recognize and potentially limit the very pervasive and negative impact of work-related communication in employees’ personal lives , particularly in virtual work settings . The negative impact may be even more pronounced when personal and work lives overlap, which is often the case when employees use social networks that include colleagues as well as friends. This has led some organizations to provide guidelines to their employees on how they should use social media as they recognize that their employees will be in touch with both colleagues and friends.
Another suggestion is to find ways to address individual sensitivity to undesirable outcomes and emphasize the potential benefits of certain behaviors. This could be particularly helpful for impulsive individuals who also appear to have low sensitivity to negative consequences in online contexts . These circumstances may not only apply to their decisions online, but may also affect their ability to balance time dedicated to personal or work-related tasks and interactions . This may also lead to problems due to cloud computing and online monitoring . Design interventions could heighten an individual’s sense of anticipated regret about making a potentially disadvantageous decision. Past work has shown that greater anticipated regret can sway individuals to choose safer options, in the presence of both potential gains and losses . So one strategy would be to increase perceived regret about making poor decisions. Another strategy could be to remove unnecessary time constraints as these may reduce the pressure on an individual and could lead to more deliberation when problem solving . A related option is to emphasize the security benefits, especially when this may require some effort . Increasing the personal relevance of consequences and making intangible benefits more explicit for the mobile worker (e.g., in terms of safety gains) may increase sensitivity of potential effects as most people have only abstract notions of information security .
A related suggestion would be to consider the timing and design of computer-mediated instructions and system warnings that could increase adherence and responsiveness of users, especially those who are more likely to make impulsive decisions to get online at all times during the day. This could be achieved by “timing-out” important messages and preventing users from clicking away messages within a specific period (too short for them to have read and process the information). In this paper, we have reported that impulsivity results in fewer features being processed on a screen featuring different choices. Indicators of security risks need to be particularly salient. For instance, color coding and order of wireless options (by security levels) have been shown to positively influence security decisions, even for those with higher levels of impulsivity . More inexperienced (such as students) and impulsive individuals may also benefit from reminders about time spent on tasks in different contexts, for instance, how much time spent on social media during the work day, or work e-mail outside of the work day and learning about how to better manage their time  and work–life demands .
4.2 Future research
Future research may wish to examine a number of areas. We first consider the security-specific concerns, before addressing issues around maintaining or supporting a work–life balance. These focus on domain-specific impulsivity research, the utility of including other measures to assess the relationship between impulsiveness and attention and the potential influence of other individual differences (such as self-efficacy).
Our first suggestion concerns the breadth of impulsiveness as a construct. Different types of impulsiveness are reported in the literature, and these may carry different implications for security behaviors. For example, making decisions quickly is representative of cognitive impulsiveness, while acting without careful thought is often associated with motor impulsivity. The lack of planning or forethought in activities has been described as non-planning impulsiveness (see more information in ). In our study, we were particularly interested in non-planning and attentional impulsivity as pertinent to online activities as these may be assessed more readily using self-report using the Diminished Impulse Scale and eye tracking. However, other measures may also be available to assess these subcomponents of impulsiveness. A variety of other measures for impulsivity exists such as the Impulsivity Inventory ; Impulsiveness Scale  and; the impulse subscale of the Adolescent Decision-Making Questionnaire . These measures also tap different behavioral components of impulsivity (see discussion in ). More research in this area could provide more insight—it would be particularly interesting to see work that explores the role of domain-specific impulsivity and how this relates to more or less effective boundary management as well as (sub)optimal security-related decision-making.
The second suggestion concerns the way interaction design may compensate for impulsivity (using notifications and display options). Our broader work is focused on the role of design in influencing choice and has currently investigated interface and message interventions around network choice, cookie acceptance, error reporting and phish detection. However, this sits along other research within the area of usable security and HCI which has identified design elements to nudge other security behaviors, e.g., improve password strength . This is only the tip of the iceberg with regards to the kinds of security behaviors that people are expected to show at work. More work is needed in this area not only to address ways to improve security decisions and behaviors, but also to reduce the dependency on the users for the overall security of the system.
The current literature says relatively little about the context for security interactions. Despite the recognition that BYOD is both a growing trend and a security threat, very few studies have considered the interplay between the context for work and home interactions and the security implications of eroding the work–life barrier. We do know that smartphone users often experience greater work–home interference because they find it difficult to disengage and actively recover from work-related stresses . This stress may not only affect how well work and life demands are managed, but also compromise security-related decision-making by affecting attention and deliberation of options. Further evidence to date suggests that workaholism tends to predict compulsive Internet use , which demonstrates how problematic the persistent and continuous use of communication technologies may become for balancing the demands of work and home life. Future research might explore the ways in which impulsive individuals self-regulate their behavior, so as to understand more precisely how they come to establish and maintain the barriers between home and work (as well the effect of distractors such as notifications and similar on maintaining boundaries).
And finally, the interaction between work and task demands, personality and interface or work design have not been fully explored. More work is needed to understand how personality relates to mobile working. Future work might explore other personality characteristics such as self-efficacy , conscientiousness or the role and impact of distraction (from the Online Cognition Scale). The distraction subscale in this measure might able to give some insight into how individuals use the Internet to prevaricate and reduce stress  and how this links to their use of BYOD technology, online networks, and their management of conflict and work-life boundaries.
This research is supported by Engineering and Physical Sciences Research Council (EPSRC) Grant EP/K006568 Choice Architecture for Information Security, part of the Government Communications Headquarters (GCHQ)/EPSRC Research Institute in Science of Cyber Security, UK. We gratefully acknowledge the support and the contribution of Kerry Rulton and Minh Tran as well as our colleagues James Turland, Iryna Yevseyevna and Aad van Moorsel from the School of Computing Science at Newcastle University.
- 1.Almuhimedi H, Schaub F, Sadeh N, Adjerid I, Acquisti A, Gluck J, Cranor L, Agarwal Y (2015) Your location has been shared 5398 times!: a field study on mobile app privacy nudging. In: Proceedings of the 33rd annual ACM conference on human factors in computing systems (pp 787–796). ACMGoogle Scholar
- 2.Barratt ES (1985) Impulsiveness subtraits: arousal and information processing. In: Spence JT, Izard CE (eds) Motivation, emotion, and personality. Elsevier, North Holland, pp 137–146Google Scholar
- 3.Beautement A, Sasse MA, Wonham M (2008) The compliance budget: managing security behaviour in organisations. In: New security paradigms: proceedings of the 2008 workshop (NSPW), pp 47–58. doi: 10.1145/1595676.1595684
- 8.Chin E, Porter Felt A, Sekar V, Wagner D (2012) Measuring user confidence in smartphone security and privacy. In: Proceedings of the eighth symposium on usable privacy and security (SOUPS ‘12). ACM, New York, NY, USAGoogle Scholar
- 10.Coventry L, Jeske D, Briggs P (2014) Perceptions and actions: combining privacy and risk perceptions to better understand user behavior. In: Workshop proposal, symposium on usable privacy and security (SOUPS) 2014, July 9–11, 2014, Menlo Park, CAGoogle Scholar
- 15.De Oliveira AS, Sendor J, Garaga A, Jenatton K (2013) Monitoring personal data transfers in the cloud.cloud computing technology and science (CloudCom). IEEE 5th international conference on, vol 1, pp 347–354, 2–5 December 2013. doi: 10.1109/CloudCom.2013.52
- 26.Günay E (2012) The effects of Internet use on individual’s socialization based on personality traits. New Yeni Symp J 50(3):123–133Google Scholar
- 27.Halevi T, Lewis J, Memon N (2013) A pilot study of cyber security and privacy related behavior and personality traits. In: International worldwide web conference, May 13–17; Rio de Janeiro, BrazilGoogle Scholar
- 28.Halpern DF (1989) Thought and knowledge: an introduction to critical thinking, 2nd edn. Erlbaum Publishing, HillsdaleGoogle Scholar
- 30.IFIP (2013) IFIP Technical Committee 11, Working Group 12: human aspects of information security and assurance, global information security awareness survey. http://www.ifip11-12.org/index.php/page/take-survey
- 32.Johnson-Laird PN (1988) A taxonomy of thinking. In: Sternberg RJ, Smith EE (eds) The psychology of human thought. Cambridge University Press, Cambridge, pp 429–457Google Scholar
- 33.Johnston AC, Warkentin M (2010) Fear appeals and information security behaviors: an empirical study. MIS Q 34(3):549–566Google Scholar
- 34.Kahneman D (2011) Thinking, fast and slow. Farrar, Straus and Giroux, New YorkGoogle Scholar
- 36.Katz FH (2005) The effect of a university information security survey on instructing methods in information security. In: Proceedings of the second annual conference on information security curriculum development, pp 43–48. doi: 10.1145/1107622.1107633
- 41.Luna L (2011) Smart-device woes. Urgent Commun 29(8):8Google Scholar
- 43.Marshall NL, Barnett RC (1993) Work-family strains and gains among two-earner couples. J Community Psychol 21:64–78. doi: 10.1002/1520-6629(199301)21:1<64:AID-JCOP2290210108>3.0.CO;2-P CrossRefGoogle Scholar
- 45.Mason, G. (2010). Part-time higher education students in the UK: Statistical Review. Revised report to Higher Education Careers Services Unit (HECSU) for Birkbeck/NIESR Project on Career decision-making and career development of HE students. http://www.hecsu.ac.uk/assets/assets/documents/Part-time_HE_students_in_the_UK_Statistical_Review_April_2010.pdf
- 46.Muslukhov I, Boshmaf Y, Kuo C, Lester J, Beznosov K (2013) Know your enemy: the risk of unauthorized access in smartphones by insiders. In: Proceedings of the 15th international conference on human–computer interaction with mobile devices and services (MobileHCI ‘13). ACM, New York, NY, USA, pp 271–280. doi: 10.1145/2493190.2493223
- 50.Price K, Kirwan G (2013) Personality caught in the social net: facebook phishing. In: Power A, Kirwan G (eds) Cyberpsychology and new media: a thematic reader. Psychology Press, Abingdon, pp 126–135Google Scholar
- 53.Rashid F (2012) Turning mobile devices into university dorm keys. eWeek 29(3):18–19Google Scholar
- 56.Russello G, Conti M, Crispo B, Fernandes E (2012) MOSES: supporting operation modes on smartphones. In: Proceedings of the 17th ACM symposium on access control models and technologies (SACMAT ‘12). ACM, New York, NY, USA, pp 3–12. doi: 10.1145/2295136.2295140
- 57.Shropshire J, Warkentin M, Johnston A, Schmidt M (2006) Personality and IT security: an application of the five-factor model. In: Proceedings of the twelfth Americas conference on information systems, Acapulco, Mexico, August 4–6Google Scholar
- 60.Thaler RH, Sunstein CR (2008) Nudge. Improving decisions about health, wealth and happiness. Penguin, LondonGoogle Scholar
- 61.Turland J, Coventry L, Jeske D, Briggs P, van Moorsel A (2015) Nudging towards security: Developing an application for wireless network selection for android phones. In: Proceedings of the 2015 British HCI Conference, pp 193–201. ACMGoogle Scholar
- 63.Uffen J, Guhr N, Breitner MH (2012) Personality traits and information security management: An empirical study of information security executives. In: Proceedings of thirty third international conference on information systems (ICIS), Orlando, USAGoogle Scholar
- 64.Ur B, Kelley PG, Komanduri S, Lee J, Maass M, Mazurek ML, Cranor LF (2012). How does your password measure up? The effect of strength meters on password creation. In: Proceedings of USENIX security symposium, pp 65–80Google Scholar
- 69.Wright KB, Abendschein B, Wombacher K, O’Connor M, Hoffman M, Dempsey M, Krull C, Dewes A, Shelton A (2014) Work-related communication technology use outside of regular work hours and work life conflict: the influence of communication technologies on perceived work life conflict, burnout, job satisfaction, and turnover intention. Manage Commun Q 28:507–530. doi: 10.1177/0893318914533332 CrossRefGoogle Scholar
Open AccessThis article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.