Abstract
Existing instruments for measuring risk perception have focused on an abstract version of the concept, without diving into the details of what forms the perception of likelihood and impact. However, as information security risks become increasingly complex and difficult for users to understand, this approach may be less feasible. The average user may be able to imagine the worst-case scenario should an asset be compromised by an attacker, but has few means to determine the likelihood of this happening. In this paper we therefore propose a different approach to measuring risk perception. Based on well-established concepts from formal risk analysis, we define an instrument to measure users’ risk perception that combines the strengths of both traditional risk perception and formal risk analysis. By being more explicit and specific concerning possible attackers, existing security measures and vulnerabilities, users will be better able to give meaningful answers to scale items, thereby providing a better and more explanatory measure of risk perception. As part of the instrument development we also elaborate on construct definitions, construct types and the relationship between these and the corresponding risk perception instrument. Although it remains to be verified empirically, the validity of the measure is discussed by linking it to well-established theory and practice.
© 2013 IFIP International Federation for Information Processing
Nyre, Å.A., Jaatun, M.G. (2013). Seeking Risks: Towards a Quantitative Risk Perception Measure. In: Cuzzocrea, A., Kittl, C., Simos, D.E., Weippl, E., Xu, L. (eds) Availability, Reliability, and Security in Information Systems and HCI. CD-ARES 2013. Lecture Notes in Computer Science, vol 8127. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40511-2_18
DOI: https://doi.org/10.1007/978-3-642-40511-2_18
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-40510-5
Online ISBN: 978-3-642-40511-2
eBook Packages: Computer Science (R0)