Heuristics and biases in cyber security dilemmas

Abstract: Cyber security often depends on decisions made by human operators, who are commonly considered a major cause of security failures. We conducted 2 behavioral experiments to explore whether and how cyber security decision-making responses depend on gain–loss framing and on the salience of a primed recall of a prior experience. In Experiment I, we employed a 2 × 2 factorial design, manipulating the frame (gain vs. loss) and the presence versus absence of a prior near-miss experience. Results suggest that the experience of a near-miss significantly increased respondents’ endorsement of safer response options under a gain frame. Overall, female respondents were more likely than males to select a risk-averse (safe) response. Experiment II followed the same general paradigm, framing all consequences in a loss frame and manipulating recall to include one of three possible prior experiences: false alarm, near-miss, or a hit involving a loss of data. Results indicate that the manipulated prior hit experience significantly increased the likelihood of respondents’ endorsement of a safer response relative to the manipulated prior near-miss experience. Conversely, the manipulated prior false-alarm experience significantly decreased respondents’ likelihood of endorsing a safer response relative to the manipulated prior near-miss experience. These results also showed a main effect for age and were moderated by respondents’ income level.
