Risk Perception and Attitude in Information Security Decision-making

Research output: ThesisDoctoral Thesis

809 Downloads (Pure)


In an age in which humanity produces increasingly more data, information security is of critical importance.
Risk, ambiguity and uncertainty are inherent features of information security, as potential threats can be known, imperfectly known or unknown.

Information security professionals have to assess risk and consequently decide on protective and corrective measures for treating this risk.
We investigate whether professionals make such decisions optimally, in an objective way.

In order to do so, we conduct online experiments and surveys measuring perception and attitudes of security professionals towards risk.
Participants are asked to state their willingness to pay (WTP) to avoid a series of losses-only lotteries, make choices between such lotteries and state their preferences over risk treatment actions.
We examine professionals' behaviour in these lotteries as well as in security scenarios and conclude that security professionals do not minimise expected losses and cannot be considered as rational decision-makers.

We also contrast professionals' behaviour to that of a sample of university students and show that their preferences are measurably different in several respects.
Both samples are found to be susceptible to inconsistencies between WTP and choice decisions.
Risk attitude of participants is found to depend on the probability level of potential losses.

We devise a mechanism to elicit professionals' preferences between security and operability and find that the nature of their employment influences these preferences.
Our findings suggest that security professionals are risk and ambiguity averse and are susceptible to framing effects when assessing and treating risk. Distinct preferences over risk treatment actions are also detected.

We interview renowned experts from the industry and academia about the implications of these findings. We conclude that these factors, being usually overlooked in risk assessment and treatment methodologies, need to be taken into consideration for the development of objective and unbiased risk management. Finally, we discuss implications and recommend approaches for de-biasing decision-making.
Original languageEnglish
Awarding Institution
  • Royal Holloway, University of London
  • Martin, Keith M., Supervisor
  • Seltzer, Andrew, Advisor
  • Hartig, Bjoern, Advisor, External person
Publication statusUnpublished - 2017


  • risk
  • risk attitude
  • risk perception
  • risk management
  • risk assessment
  • information security
  • information
  • security
  • economics
  • behaviour
  • behavior
  • behavioural economics
  • behavioral economics
  • decision making
  • experiment
  • experimental economics
  • bias
  • optimal
  • expected value
  • expected utility
  • prospect theory
  • salience theory
  • lottery
  • prospect
  • salience
  • de-bias
  • biases
  • investment
  • decision-making
  • survey
  • interview
  • spss
  • qualtrics
  • willingness to pay
  • willingness-to-pay
  • preferences
  • elicitation
  • probability
  • probabilities
  • outcome
  • impact
  • loss
  • gain
  • losses
  • gains
  • risk treatment
  • sample
  • objective
  • subjective
  • optimisation
  • threat
  • threats
  • ambiguity
  • uncertainty
  • professionals
  • students
  • measure
  • professional
  • student

Cite this