Use this URL to cite or link to this record in EThOS: https://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.792630
Title: Risk perception and attitude in information security decision-making
Author: Mersinas, Konstantinos
ISNI:       0000 0004 8499 3811
Awarding Body: Royal Holloway, University of London
Current Institution: Royal Holloway, University of London
Date of Award: 2017
Abstract:
In an age in which humanity produces ever more data, information security is of critical importance. Risk, ambiguity and uncertainty are inherent features of information security, since potential threats can be known, imperfectly known or unknown. Information security professionals have to assess risk and then decide on the protective and corrective measures that treat it. We investigate whether professionals make such decisions optimally, in an objective way. To do so, we conduct online experiments and surveys measuring security professionals' perception of, and attitudes towards, risk. Participants are asked to state their willingness to pay (WTP) to avoid a series of losses-only lotteries, to make choices between such lotteries, and to state their preferences over risk treatment actions. We examine professionals' behaviour in these lotteries as well as in security scenarios and conclude that security professionals do not minimise expected losses and cannot be considered rational decision-makers. We also contrast professionals' behaviour with that of a sample of university students and show that their preferences are measurably different in several respects. Both samples are found to be susceptible to inconsistencies between WTP and choice decisions. Participants' risk attitude is found to depend on the probability level of the potential loss. We devise a mechanism to elicit professionals' preferences between security and operability and find that the nature of their employment influences these preferences. Our findings suggest that security professionals are risk and ambiguity averse and are susceptible to framing effects when assessing and treating risk. Distinct preferences over risk treatment actions are also detected. We interview renowned experts from industry and academia about the implications of these findings.
We conclude that these factors, usually overlooked in risk assessment and treatment methodologies, need to be taken into consideration in the development of objective and unbiased risk management. Finally, we discuss implications and recommend approaches for de-biasing decision-making.
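The abstract uses expected loss as the benchmark for rational decisions: a participant who minimises expected losses would pay at most the expected loss to avoid a lottery, and would never choose to face the lottery they paid the most to avoid. The following added example (not code or data from the thesis) makes that benchmark concrete. The lotteries, the WTP figures and the pairwise choices are constructed for illustration; the three lotteries share the same expected loss at different probability levels, so any spread in WTP reflects risk attitude rather than expected value, and the cross-check flags the kind of WTP-versus-choice inconsistency the abstract reports.

```python
"""Expected-loss benchmark for losses-only lotteries.

Constructed illustration (not data from the thesis): a hypothetical participant
states a willingness to pay (WTP) to avoid each lottery and makes pairwise
choices between lotteries. We compare WTP with the expected loss and check the
two elicitation methods against each other.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Lottery:
    """A losses-only lottery: lose `loss` with probability `p_loss`, else nothing."""
    name: str
    p_loss: float
    loss: float

    def expected_loss(self) -> float:
        return self.p_loss * self.loss


def classify_attitude(lottery: Lottery, wtp: float, tol: float = 1e-9) -> str:
    """Compare stated WTP to the expected loss.

    An expected-loss minimiser pays at most the expected loss to avoid the
    lottery. Paying more is risk-averse behaviour, paying less is risk-seeking.
    """
    el = lottery.expected_loss()
    if wtp > el + tol:
        return "risk-averse"
    if wtp < el - tol:
        return "risk-seeking"
    return "risk-neutral"


def expected_loss_preference(a: Lottery, b: Lottery) -> str:
    """Name of the lottery an expected-loss minimiser would choose to face."""
    return a.name if a.expected_loss() <= b.expected_loss() else b.name


def wtp_choice_inconsistencies(wtp, choices):
    """Cross-check WTP rankings against pairwise choices.

    wtp:     {lottery name: amount the participant would pay to avoid it}
    choices: {(name_a, name_b): name of the lottery the participant chose to face}

    Paying more to avoid A than B reveals A as the worse lottery; choosing to
    face A over B then contradicts that ranking.
    """
    inconsistent = []
    for (a, b), chosen in choices.items():
        if wtp[a] == wtp[b]:
            continue  # indifferent by WTP, so either choice is consistent
        worse = a if wtp[a] > wtp[b] else b
        if chosen == worse:
            inconsistent.append((a, b, chosen))
    return inconsistent


# Constructed sample: three lotteries with the same expected loss (100) at
# different probability levels, so any difference in WTP reflects attitude.
LOTTERIES = {
    "rare": Lottery("rare", p_loss=0.01, loss=10_000),
    "moderate": Lottery("moderate", p_loss=0.10, loss=1_000),
    "frequent": Lottery("frequent", p_loss=0.50, loss=200),
}

# Constructed responses from one hypothetical participant.
SAMPLE_WTP = {"rare": 250.0, "moderate": 100.0, "frequent": 90.0}
SAMPLE_CHOICES = {
    ("rare", "moderate"): "rare",        # faces the lottery they paid most to avoid
    ("moderate", "frequent"): "frequent",  # consistent with the WTP ranking
}


def attitude_report(wtp=SAMPLE_WTP, lotteries=LOTTERIES):
    """Risk attitude per lottery, derived from WTP versus expected loss."""
    return {name: classify_attitude(lotteries[name], amount) for name, amount in wtp.items()}


if __name__ == "__main__":
    for name, attitude in attitude_report().items():
        lot = LOTTERIES[name]
        print(f"{name:9s} p={lot.p_loss:<5} loss={lot.loss:>6} "
              f"EL={lot.expected_loss():6.1f} WTP={SAMPLE_WTP[name]:6.1f} -> {attitude}")
    print("WTP/choice inconsistencies:",
          wtp_choice_inconsistencies(SAMPLE_WTP, SAMPLE_CHOICES))
```

With the constructed responses the participant is risk-averse for the rare, high-impact loss, neutral for the moderate one and risk-seeking for the frequent, small loss, which is the probability-dependent attitude the abstract describes; the pairwise choice between "rare" and "moderate" contradicts the WTP ranking and is flagged. The check is deliberately simple (pure WTP ordering against revealed choice) and is not the thesis's elicitation design.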
Supervisor: Not available
Sponsor: Not available
Qualification Name: Thesis (Ph.D.)
Qualification Level: Doctoral
EThOS ID: uk.bl.ethos.792630  DOI: Not available
Keywords: risk ; risk attitude ; risk perception ; risk management ; risk assessment ; information security ; information ; security ; economics ; behaviour ; behavioural economics ; behavioral economics ; decision making ; experiment ; experimental economics ; bias ; optimal ; expected value ; expected utility ; prospect theory ; salience theory ; lottery ; prospect ; salience ; de-bias ; biases ; investment ; decision-making ; survey ; interview ; spss ; qualtrics ; willingness-to-pay ; preferences ; elicitation ; probability ; probabilities ; outcome ; impact ; loss ; gain ; losses ; gains ; risk treatment ; sample ; objective ; subjective ; optimisation ; threats ; ambiguity ; uncertainty ; professionals ; students ; measure ; professional