Experimental Elicitation of Risk Behaviour amongst Information Security Professionals

Information security professionals have to assess risk in order to make investment decisions on security measures. To investigate whether professionals make such decisions in an unbiased and rational way, we conducted an economic online experiment and survey measuring the risk attitude of security professionals and contrasting their behaviour with that of the general population. Participants were asked to state their willingness-to-pay in order to avoid a series of losses-only lotteries and to make choices between such lotteries. We also devised a mechanism to elicit preferences between security and operability. Our findings suggest that security professionals are risk and ambiguity averse, consider small losses inevitable and take risks when losses are associated with large probabilities. We find that their preferences are measurably different from those of the general population in some of these aspects. We also find that job position influences security and operability preferences and that avoidance of salient (catastrophic) outcomes explains some of the professionals' behaviour. Moreover, professionals are susceptible to framing effects to the same extent as the general population, and reveal distorted probability perception, factors that are usually overlooked in risk assessment methodologies.
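The abstract describes eliciting risk attitude from a stated willingness-to-pay (WTP) to avoid a losses-only lottery. The following is an added illustration of how such responses are read, not code or data from the paper: a participant whose WTP exceeds the expected loss of the lottery pays a positive risk premium (risk-averse), one whose WTP falls short is risk-seeking. The second half shows, as an assumption for illustration, how the Tversky-Kahneman (1992) probability weighting function (their loss-side estimate, gamma = 0.69) turns a decision maker who is neutral under weighted probabilities into one who looks averse to rare large losses and risk-seeking for highly probable ones, the pattern the abstract reports. The lottery values and WTP responses are constructed sample data.

```python
"""Added example: classifying risk attitude from stated WTP to avoid a loss lottery.
All lotteries and responses below are constructed, not taken from the study."""

from dataclasses import dataclass


@dataclass(frozen=True)
class LossLottery:
    loss: float   # size of the loss if it occurs (currency units)
    prob: float   # probability that the loss occurs

    def expected_loss(self) -> float:
        """Actuarially fair price of the lottery (risk-neutral WTP)."""
        return self.loss * self.prob


def risk_premium(lottery: LossLottery, wtp: float) -> float:
    """Amount paid above the expected loss to avoid the lottery.
    Positive -> risk-averse, negative -> risk-seeking, zero -> risk-neutral."""
    return wtp - lottery.expected_loss()


def classify(lottery: LossLottery, wtp: float, tol: float = 1e-9) -> str:
    """Label one WTP response relative to the expected loss."""
    rp = risk_premium(lottery, wtp)
    if rp > tol:
        return "risk-averse"
    if rp < -tol:
        return "risk-seeking"
    return "risk-neutral"


def tk_weight(p: float, gamma: float = 0.69) -> float:
    """Tversky-Kahneman (1992) probability weighting function w(p).
    gamma=0.69 is their estimate for losses; gamma=1 gives undistorted probabilities.
    Small p is overweighted, large p underweighted."""
    return p ** gamma / (p ** gamma + (1 - p) ** gamma) ** (1 / gamma)


def weighted_expected_loss(lottery: LossLottery, gamma: float = 0.69) -> float:
    """WTP of a decision maker who is neutral under distorted probabilities.
    Compared with expected_loss() this reproduces averse-for-rare / seeking-for-likely."""
    return lottery.loss * tk_weight(lottery.prob, gamma)


# Constructed sample responses: (lottery, stated WTP to avoid it)
SAMPLE = [
    (LossLottery(loss=1000, prob=0.05), 80),   # pays 80 > 50 expected: averse to rare large loss
    (LossLottery(loss=100, prob=0.50), 50),    # pays exactly the expected loss: neutral
    (LossLottery(loss=100, prob=0.90), 70),    # pays 70 < 90 expected: risk-seeking for a likely loss
]


def summarise(responses):
    """Return (loss probability, attitude label) for each response."""
    return [(lot.prob, classify(lot, wtp)) for lot, wtp in responses]


if __name__ == "__main__":
    for lot, wtp in SAMPLE:
        print(f"p={lot.prob:.2f} loss={lot.loss:>6} EV={lot.expected_loss():>6.1f} "
              f"WTP={wtp:>4} weighted-EV={weighted_expected_loss(lot):>6.1f} "
              f"-> {classify(lot, wtp)}")
```

The same comparison can be run on choices between two lotteries by replacing WTP with the expected loss of the lottery the participant rejected; the classification logic is unchanged.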
