Vulnerabilities to online cyber-related crime are typically the result of poor decisions on the part of users. To date, research on risk-taking behavior applied to cyber-security situations has concentrated mainly on the risks that stem from active behavioral choices (e.g., opening an attachment from an unknown sender). However, risk may result from the failure to implement an action (e.g., not strengthening a password). These two types of risk have been differentiated and termed active- and passive-risk behaviors. We conducted two studies (Study 1 and Study 2) that examine how self-reported active- and passive-risk behaviors predict cyber-security behavioral intentions. In Study 3, we examine how active and passive risk relate to actual cyber-security behavior. The results show that cyber-security behavioral intentions and actual cyber behaviors are significantly correlated with self-reported individual differences in passive-risk behavior but not in active-risk behavior. We discuss the theoretical and practical implications of these findings.

网上与网络犯罪相关的漏洞通常是用户做出错误决定的结果。迄今为止，对应用于网络安全情况的冒险行为的研究主要集中在主动行为选择（例如，打开来自未知发件人的附件）引起的风险上。但是，未执行操作（例如，未加强密码）可能会导致风险。这两种风险已被区分为主动风险行为和被动风险行为。我们进行了两项研究（研究1和研究2），研究了自我报告的主动和被动风险行为如何预测网络安全行为意图。在研究3中，我们研究了主动和被动风险与实际网络安全行为之间的关系。结果表明，网络安全行为意图和实际网络行为与自我报告的被动风险行为个体差异显着相关，而与主动风险行为无关。我们讨论了这些发现的理论和实践意义。