Abstract
Users have difficulties in understanding and reacting to security-related threats. Moreover, users only try to protect themselves from risks salient to them. In contrast to the traditional one-message/one-size-fits-all approach when communicating risks, this paper aims to propose an individualized and persuasive approach to information security risk communication that goes beyond alerting the user of his insecure behavior to providing a level of security education. By focusing on the user and that different users react differently to the same stimuli, the authors proposed a targeted user-centric approach that communicates risks in a timely and continuous manner using a proposed gradual response mechanism. This user-centric approach is anticipated to help the user in making security-related decisions by educating him about his risk taking behavior in an individualized way. A scenario is assumed to demonstrate how a response decision is made within the proposed approach. This was useful in demonstrating how risk is not the same for all users and how the proposed approach is effective in adapting to differences between users offering a novel approach to communicating information security risks.