Improving Cyber Risk Communication: Mental Models of VPN in a professional services firm in the Netherlands

Abstract

More effective and efficient risk communication in the cybersecurity field needs to be designed to improve risk awareness among people and to increase resiliency. The field of cyber risk communication is relatively new, which limits the current knowledge on how to design risk communication. In this study the risk perception of eleven laypeople and eight experts is researched using a mental model approach and semi-structured interviews combined with a three part scenario-based drawing task. The data is analyzed using the grounded theory method and a substantive theory is formed on the similarities and differences between the mental models of experts and laypeople of VPN in a professional services firm in the Netherlands. The accuracy of the perceptions in the theory are evaluated by a comparison with a real-world representation of VPN organization. Further research can use the results of this study to determine the completeness of the mental models described. Additionally, the study design can be repeated in other settings to determine the generalizability of the identified beliefs. Furthermore, the prevalence of the identified beliefs among similar or different populations can be researched. And finally, the mental models can already be used to design risk communication in a more effective and efficient manner by considering the identified beliefs.