
Heuristics and biases in cyber security dilemmas

Abstract

Cyber security often depends on decisions made by human operators, who are commonly considered a major cause of security failures. We conducted two behavioral experiments to explore whether and how cyber security decision-making responses depend on gain–loss framing and on the salience of a primed recall of a prior experience. In Experiment I, we employed a 2 × 2 factorial design, manipulating the frame (gain vs. loss) and the presence versus absence of a prior near-miss experience. Results suggest that the experience of a near-miss significantly increased respondents’ endorsement of safer response options under a gain frame. Overall, female respondents were more likely to select a risk-averse (safe) response than males. Experiment II followed the same general paradigm, framing all consequences in a loss frame and manipulating recall to include one of three possible prior experiences: a false alarm, a near-miss, or a hit involving a loss of data. Results indicate that the manipulated prior hit experience significantly increased the likelihood of respondents endorsing a safer response relative to the manipulated prior near-miss experience. Conversely, the manipulated prior false-alarm experience significantly decreased respondents’ likelihood of endorsing a safer response relative to the manipulated prior near-miss experience. These results also showed a main effect for age and were moderated by respondents’ income level.


Notes

  1.

    Since the four scenarios are presented in a constant order, a second analysis was run that ignored the manipulated factors and included scenario/order as a repeated factor. A one-way repeated-measures ANOVA found a significant scenario/order effect: F(3, 265) = 30.42, p < .001, η² = .10. Over time, respondents were more likely to endorse the risky option. Because the nature of the dilemma scenario and its order are confounded, it is impossible to determine whether the significant main effect reflects an order effect, a scenario effect, or a combination of both. The counterbalanced design distributed all four combinations of framing and prior experience recall evenly across the four scenario dilemmas. Order and/or scenario effects are therefore independent of the manipulated factors and are absorbed into the error term of the ANOVA.

  2.

    As in Experiment I, a one-way repeated-measures ANOVA shows a significant scenario/order effect: F(2, 265) = 4.47, p = .035, η² = .02. Over time and/or across scenarios, respondents were more likely to endorse the risky option. However, as in Experiment I, it is difficult to determine whether the main effect is due to the scenarios or to their order. The counterbalanced study design we used overcame this limitation with respect to the manipulated factors.


Acknowledgments

This research was supported by the U.S. Department of Homeland Security (DHS) through the National Center for Risk and Economic Analysis of Terrorism Events. However, any opinions, findings, conclusions, and recommendations in this article are those of the authors and do not necessarily reflect the views of DHS. We would like to thank Society for Risk Analysis (SRA) conference attendees for their feedback on this work at a session at the 2012 SRA Annual Meeting in San Francisco. We would also thank the blind reviewers for their time and comments, as they were extremely valuable in developing this paper.

Author information


Corresponding author

Correspondence to Heather Rosoff.


Cite this article

Rosoff, H., Cui, J. & John, R.S. Heuristics and biases in cyber security dilemmas. Environ Syst Decis 33, 517–529 (2013). https://doi.org/10.1007/s10669-013-9473-2


Keywords

  • Cyber security
  • Framing effect
  • Near-miss
  • Decision making