14: STOP TELLING PEOPLE TO TAKE THOSE CYBER HYGIENE MULTIVITAMINS

After every cyber breach, security experts can be found castigating users for lacking “cyber hygiene”—the term used to describe all manner of best practices that would have protected them. Whenever pressed on what cyber hygiene really means, experts resort to conceptual analogies, explaining cyber hygiene in terms of personal hygiene. But is this conceptual leap justified? Is cyber hygiene really analogous to personal hygiene? This is an important question, not just for informing better theory, but also because many practice suggestions, even solutions, are inspired by such thinking. The paper examines the roots of the cyber hygiene concept, and the conceptual similarities and differences between cyber and personal hygiene. The paper then presents a definition of cyber hygiene that is empirically focused on users’ awareness, knowledge, technical capacity, and enactment of cyber security practices. The paper culminates with a presentation of the Cyber Hygiene Inventory (CHI), a multi-item and multidimensional index for measuring user cyber hygiene, and presents examples of how the CHI can be implemented for assessing awareness-knowledge gaps among users and for tracking the effectiveness of awareness training efforts within organizations.