Risk Perception and Attitude in Information Security Decision-making. / Mersinas, Konstantinos.

2017. 291 p.

Research output: Thesis › Doctoral Thesis

Unpublished

Harvard

Mersinas, K 2017, 'Risk Perception and Attitude in Information Security Decision-making', Ph.D., Royal Holloway, University of London.

BibTeX

@phdthesis{398e4b6bba9f481d92da072260e5b3d2,
title = "Risk Perception and Attitude in Information Security Decision-making",
abstract = "In an age in which humanity produces increasingly more data, information security is of critical importance. Risk, ambiguity and uncertainty are inherent features of information security, as potential threats can be known, imperfectly known or unknown. Information security professionals have to assess risk and consequently decide on protective and corrective measures for treating this risk. We investigate whether professionals make such decisions optimally, in an objective way. In order to do so, we conduct online experiments and surveys measuring perception and attitudes of security professionals towards risk. Participants are asked to state their willingness to pay (WTP) to avoid a series of losses-only lotteries, make choices between such lotteries and state their preferences over risk treatment actions. We examine professionals' behaviour in these lotteries as well as in security scenarios and conclude that security professionals do not minimise expected losses and cannot be considered as rational decision-makers. We also contrast professionals' behaviour to that of a sample of university students and show that their preferences are measurably different in several respects. Both samples are found to be susceptible to inconsistencies between WTP and choice decisions. Risk attitude of participants is found to depend on the probability level of potential losses. We devise a mechanism to elicit professionals' preferences between security and operability and find that the nature of their employment influences these preferences. Our findings suggest that security professionals are risk and ambiguity averse and are susceptible to framing effects when assessing and treating risk. Distinct preferences over risk treatment actions are also detected. We interview renowned experts from the industry and academia about the implications of these findings. We conclude that these factors, being usually overlooked in risk assessment and treatment methodologies, need to be taken into consideration for the development of objective and unbiased risk management. Finally, we discuss implications and recommend approaches for de-biasing decision-making.",
keywords = "risk, risk attitude, risk perception, risk management, risk assessment, information security, information, security, economics, behaviour, behavior, behavioural economics, behavioral economics, decision making, experiment, experimental economics, bias, optimal, expected value, expected utility, prospect theory, salience theory, lottery, prospect, salience, de-bias, biases, investment, decision-making, survey, interview, spss, qualtrics, willingness to pay, willingness-to-pay, preferences, elicitation, probability, probabilities, outcome, impact, loss, gain, losses, gains, risk treatment, sample, objective, subjective, optimisation, threat, threats, ambiguity, uncertainty, professionals, students, measure, professional, student",
author = "Konstantinos Mersinas",
year = "2017",
language = "English",
school = "Royal Holloway, University of London",

}

RIS

TY - THES

T1 - Risk Perception and Attitude in Information Security Decision-making

AU - Mersinas, Konstantinos

PY - 2017

Y1 - 2017

N2 - In an age in which humanity produces increasingly more data, information security is of critical importance. Risk, ambiguity and uncertainty are inherent features of information security, as potential threats can be known, imperfectly known or unknown. Information security professionals have to assess risk and consequently decide on protective and corrective measures for treating this risk. We investigate whether professionals make such decisions optimally, in an objective way. In order to do so, we conduct online experiments and surveys measuring perception and attitudes of security professionals towards risk. Participants are asked to state their willingness to pay (WTP) to avoid a series of losses-only lotteries, make choices between such lotteries and state their preferences over risk treatment actions. We examine professionals' behaviour in these lotteries as well as in security scenarios and conclude that security professionals do not minimise expected losses and cannot be considered as rational decision-makers. We also contrast professionals' behaviour to that of a sample of university students and show that their preferences are measurably different in several respects. Both samples are found to be susceptible to inconsistencies between WTP and choice decisions. Risk attitude of participants is found to depend on the probability level of potential losses. We devise a mechanism to elicit professionals' preferences between security and operability and find that the nature of their employment influences these preferences. Our findings suggest that security professionals are risk and ambiguity averse and are susceptible to framing effects when assessing and treating risk. Distinct preferences over risk treatment actions are also detected. We interview renowned experts from the industry and academia about the implications of these findings. We conclude that these factors, being usually overlooked in risk assessment and treatment methodologies, need to be taken into consideration for the development of objective and unbiased risk management. Finally, we discuss implications and recommend approaches for de-biasing decision-making.

KW - risk

KW - risk attitude

KW - risk perception

KW - risk management

KW - risk assessment

KW - information security

KW - information

KW - security

KW - economics

KW - behaviour

KW - behavior

KW - behavioural economics

KW - behavioral economics

KW - decision making

KW - experiment

KW - experimental economics

KW - bias

KW - optimal

KW - expected value

KW - expected utility

KW - prospect theory

KW - salience theory

KW - lottery

KW - prospect

KW - salience

KW - de-bias

KW - biases

KW - investment

KW - decision-making

KW - survey

KW - interview

KW - spss

KW - qualtrics

KW - willingness to pay

KW - willingness-to-pay

KW - preferences

KW - elicitation

KW - probability

KW - probabilities

KW - outcome

KW - impact

KW - loss

KW - gain

KW - losses

KW - gains

KW - risk treatment

KW - sample

KW - objective

KW - subjective

KW - optimisation

KW - threat

KW - threats

KW - ambiguity

KW - uncertainty

KW - professionals

KW - students

KW - measure

KW - professional

KW - student

M3 - Doctoral Thesis

ER -