Social Preferences in Decision Making Under Cybersecurity Risks and Uncertainties

The most costly cybersecurity incidents for organizations result from the failures of their third parties. This means that organizations should not only invest in their own protection and cybersecurity measures, but also pay attention to that of their business and operational partners. While economic impact and real extent of third parties cybersecurity risks is hard to quantify, decision makers inevitably compare their decisions with other entities in their network. This paper presents a theoretically derived model to analyze the impact of social preferences and other factors on the willingness to cooperate in third party ecosystems. We hypothesize that willingness to cooperate among the organizations in the context of cybersecurity increases following the experience of cybersecurity attacks and increased perceived cybersecurity risks. The effects are mediated by perceived cybersecurity value and moderated by social preferences. These hypotheses are tested using a variance-based structural equation modeling analysis based on feedback from a sample of Norwegian organizations. Our empirical results confirm the strong positive impact of social preferences and cybersecurity attack experience on the willingness to cooperate, and support the reciprocal behavior of cybersecurity decision makers. We further show that more perception of cybersecurity risk and value deter the decision makers to cooperate with other organizations.

[1]  K. Ferraro,et al.  The Measurement of Fear of Crime , 1987 .

[2]  R. W. Rogers,et al.  A Protection Motivation Theory of Fear Appeals and Attitude Change1. , 1975, The Journal of psychology.

[3]  David Ott,et al.  Economic Incentives for Cybersecurity: Using Economics to Design Technologies Ready for Deployment , 2013, ISSE.

[4]  R. Thaler,et al.  Nudge: Improving Decisions About Health, Wealth, and Happiness , 2008 .

[5]  P. Briggs,et al.  Behavior Change Interventions for Cybersecurity , 2017 .

[6]  S. Schwartz Universals in the Content and Structure of Values: Theoretical Advances and Empirical Tests in 20 Countries , 1992 .

[7]  D. Ariely Predictably Irrational: The Hidden Forces That Shape Our Decisions , 2008 .

[8]  Paul A. Pavlou,et al.  Predicting E-Services Adoption: A Perceived Risk Facets Perspective , 2002, Int. J. Hum. Comput. Stud..

[9]  Jacob Jacoby,et al.  Consumer Research: How valid and useful are all our consumer behavior research findings? , 1978 .

[10]  Johannes M. Bauer,et al.  Cybersecurity: Stakeholder incentives, externalities, and policy options , 2009 .

[11]  J. Jacoby Consumer Research: A State of the Art Review , 1978 .

[12]  S. R. Jammalamadaka,et al.  Against the Gods: The Remarkable Story of Risk , 1999 .

[13]  Rex B. Kline,et al.  Principles and Practice of Structural Equation Modeling , 1998 .

[14]  Mazaher Kianpour,et al.  A Socio-technical Systems Approach to Design and Support Systems Thinking in Cybersecurity and Risk Management Education , 2019, Complex Syst. Informatics Model. Q..

[15]  Ryan O. Murphy,et al.  Measuring Social Value Orientation , 2011, SSRN Electronic Journal.

[16]  Norbert Schwarz,et al.  To compete or to cooperate? Values' impact on perception and action in social dilemma games , 2011 .

[17]  C. Fornell,et al.  Evaluating structural equation models with unobservable variables and measurement error. , 1981 .

[18]  Steven M. Shugan Editorial: Marketing Science, Models, Monopoly Models, and Why We Need Them , 2002 .

[19]  Teodor Sommestad,et al.  Variables influencing information security policy compliance: A systematic review of quantitative studies , 2014, Inf. Manag. Comput. Secur..

[20]  S. Schwartz,et al.  Value priorities and subjective well‐being: direct relations and congruity effects , 2000 .

[21]  Marijn Scholte,et al.  Fear of Crime and Feelings of Unsafety in European Countries: Macro and Micro Explanations in Cross-National Perspective , 2013 .

[22]  A. Falk,et al.  The Preference Survey Module: A Validated Instrument for Measuring Risk, Time, and Social Preferences , 2016, Manag. Sci..

[23]  Rudolf R. Sinkovics,et al.  The Use of Partial Least Squares Path Modeling in International Marketing , 2009 .

[24]  I. Ajzen,et al.  Belief, Attitude, Intention, and Behavior: An Introduction to Theory and Research , 1977 .

[25]  J. Ciardi Fast and Slow , 1975 .

[26]  F. Bookstein,et al.  Two Structural Equation Models: LISREL and PLS Applied to Consumer Exit-Voice Theory: , 1982 .

[27]  Tyler Moore,et al.  The Economics of Information Security , 2006, Science.

[28]  Qing Hu,et al.  User behaviour towards protective information technologies: the role of national cultural differences , 2009, Inf. Syst. J..

[29]  A. Kaplan,et al.  A Beginner's Guide to Partial Least Squares Analysis , 2004 .

[30]  Wynne W. Chin,et al.  Structural equation modeling analysis with small samples using partial least squares , 1999 .

[31]  P. Dolan,et al.  Influencing behaviour: The mindspace way , 2012 .

[32]  Jan-Michael Becker,et al.  Accounting for sampling weights in PLS path modeling: Simulations and empirical examples , 2016 .

[33]  Lawrence A. Gordon,et al.  The economics of information security investment , 2002, TSEC.

[34]  I. Ajzen The theory of planned behavior , 1991 .