Cyber security often depends on decisions made by human operators, who are commonly considered a major cause of security failures. We conducted 2 behavioral experiments to explore whether and how cyber security decision-making responses depend on gain–loss framing and the salience of a primed recall of prior experience. In Experiment I, we employed a 2 × 2 factorial design, manipulating the frame (gain vs. loss) and the presence versus absence of a prior near-miss experience. Results suggest that the experience of a near-miss significantly increased respondents’ endorsement of safer response options under a gain frame. Overall, female respondents were more likely than males to select a risk-averse (safe) response. Experiment II followed the same general paradigm, framing all consequences in a loss frame and manipulating recall to include one of three possible prior experiences: false alarm, near-miss, or a hit involving a loss of data. Results indicate that the manipulated prior hit experience significantly increased the likelihood of respondents’ endorsement of a safer response relative to the manipulated prior near-miss experience. Conversely, the manipulated prior false-alarm experience significantly decreased respondents’ likelihood of endorsing a safer response relative to the manipulated prior near-miss experience. These results also showed a main effect for age and were moderated by respondents’ income level.
Since the four scenarios are in a constant order, a second analysis was run that ignored the manipulated factors and included scenario/order as a repeated factor. A one-way repeated-measures ANOVA found a significant scenario/order effect: F(3, 265) = 30.42, p < .001, η² = .10. Over time, respondents were more likely to endorse the risky option. Because the nature of the dilemma scenario and order are confounded, it is impossible to determine whether the significant main effect indicates an order effect, a scenario effect, or a combination of both. The counterbalanced design distributed all 4 combinations of framing and prior experience recall evenly across the four scenario dilemmas. Order and/or scenario effects are independent of the manipulated factors, and thus are included in the error term in the ANOVA.
As in Experiment I, a one-way repeated-measures ANOVA shows there is a significant scenario/order effect: F(2, 265) = 4.47, p = .035, η² = .02. Over time and/or scenario, respondents were more likely to endorse the risky option. However, as in Experiment I, it is difficult to determine whether the main effect is for the scenarios or the order effect. The study design we used overcame this limitation by using a counterbalanced design.
This research was supported by the U.S. Department of Homeland Security (DHS) through the National Center for Risk and Economic Analysis of Terrorism Events. However, any opinions, findings, conclusions, and recommendations in this article are those of the authors and do not necessarily reflect the views of DHS. We would like to thank the Society for Risk Analysis (SRA) conference attendees for their feedback on this work at a session at the 2012 SRA Annual Meeting in San Francisco. We would also like to thank the blind reviewers for their time and comments, as they were extremely valuable in developing this paper.
About this article
Cite this article
Rosoff, H., Cui, J. & John, R.S. Heuristics and biases in cyber security dilemmas. Environ Syst Decis 33, 517–529 (2013). https://doi.org/10.1007/s10669-013-9473-2
- Cyber security
- Framing effect
- Decision making