Are Information Security Professionals Expected Value Maximisers?: An Experimental and Survey-based Test. / Mersinas, Konstantinos; Hartig, Bjoern ; Martin, Keith; Seltzer, Andrew.

In: Journal of Cybersecurity, Vol. 2, No. 1, 22.12.2016, p. 57-70.

Research output: Contribution to journalArticle

Published

Abstract

Information security professionals have to assess risk in order to make investment decisions on security measures. To investigate whether professionals make such decisions optimally, we conduct an online experiment and survey measuring risk attitudes of security professionals. Participants were asked to state their willingness-to-pay to avoid a series of losses-only lotteries and to make choices between such lotteries. We examine their behaviour in these lotteries and conclude that security professionals do not minimize expected losses. Our findings suggest that security professionals are risk and ambiguity averse and are susceptible to framing effects. We contrast their behaviour to that of a random sample of students. We find that the preferences of security professionals are measurably different from those students in several respects. Finally, we devise a mechanism to elicit professionals’ preferences between security and operability. We find that the nature of professionals’ employment influences their security versus operability preferences. These factors are usually overlooked in risk assessment methodologies.
Original languageEnglish
Pages (from-to)57-70
Number of pages14
JournalJournal of Cybersecurity
Volume2
Issue number1
DOIs
StatePublished - 22 Dec 2016
This open access research output is licenced under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.

ID: 26877800