Are Information Security Professionals Expected Value Maximisers?: An Experimental and Survey-based Test. / Mersinas, Konstantinos; Hartig, Bjoern ; Martin, Keith; Seltzer, Andrew.

In: Journal of Cybersecurity, Vol. 2, No. 1, 22.12.2016, p. 57-70.

Research output: Contribution to journal › Article

Published

BibTeX

@article{3e5064910a3c49bea8cf4e866d9e563e,
title = "Are Information Security Professionals Expected Value Maximisers?: An Experimental and Survey-based Test",
author = "Konstantinos Mersinas and Bjoern Hartig and Keith Martin and Andrew Seltzer",
year = "2016",
month = "12",
doi = "10.1093/cybsec/tyw009",
volume = "2",
pages = "57--70",
journal = "Journal of Cybersecurity",
number = "1",

}

RIS

TY - JOUR

T1 - Are Information Security Professionals Expected Value Maximisers?: An Experimental and Survey-based Test

AU - Mersinas,Konstantinos

AU - Hartig,Bjoern

AU - Martin,Keith

AU - Seltzer,Andrew

PY - 2016/12/22

Y1 - 2016/12/22

N2 - Information security professionals have to assess risk in order to make investment decisions on security measures. To investigate whether professionals make such decisions optimally, we conduct an online experiment and survey measuring risk attitudes of security professionals. Participants were asked to state their willingness-to-pay to avoid a series of losses-only lotteries and to make choices between such lotteries. We examine their behaviour in these lotteries and conclude that security professionals do not minimize expected losses. Our findings suggest that security professionals are risk and ambiguity averse and are susceptible to framing effects. We contrast their behaviour to that of a random sample of students. We find that the preferences of security professionals are measurably different from those of students in several respects. Finally, we devise a mechanism to elicit professionals’ preferences between security and operability. We find that the nature of professionals’ employment influences their security versus operability preferences. These factors are usually overlooked in risk assessment methodologies.

U2 - 10.1093/cybsec/tyw009

DO - 10.1093/cybsec/tyw009

M3 - Article

VL - 2

SP - 57

EP - 70

JO - Journal of Cybersecurity

T2 - Journal of Cybersecurity

JF - Journal of Cybersecurity

IS - 1

ER -