Social Preferences in Decision Making Under Cybersecurity Risks and Uncertainties
- 1.1k Downloads
Abstract
The most costly cybersecurity incidents for organizations result from the failures of their third parties. This means that organizations should not only invest in their own protection and cybersecurity measures, but also pay attention to that of their business and operational partners. While economic impact and real extent of third parties cybersecurity risks is hard to quantify, decision makers inevitably compare their decisions with other entities in their network. This paper presents a theoretically derived model to analyze the impact of social preferences and other factors on the willingness to cooperate in third party ecosystems. We hypothesize that willingness to cooperate among the organizations in the context of cybersecurity increases following the experience of cybersecurity attacks and increased perceived cybersecurity risks. The effects are mediated by perceived cybersecurity value and moderated by social preferences. These hypotheses are tested using a variance-based structural equation modeling analysis based on feedback from a sample of Norwegian organizations. Our empirical results confirm the strong positive impact of social preferences and cybersecurity attack experience on the willingness to cooperate, and support the reciprocal behavior of cybersecurity decision makers. We further show that more perception of cybersecurity risk and value deter the decision makers to cooperate with other organizations.
Keywords
Social preferences Behavioral economics Cybersecurity decision making Structural Equation Modeling Theory development Perceived Cybersecurity RiskNotes
Acknowledgement
We would like to express our special thanks of gratitude to The Norwegian Business and Industry Security Council (NSR) as well as Mr. Adam Szekeres and Mr. EivindKristoffersen Ph.D. Candidates in Information Security, that helped us to design and distribute the survey of this study.
References
- 1.Bernstein, P.L., Bernstein, P.L.: Against the Gods: The Remarkable Story of Risk. Wiley, New York (1996)Google Scholar
- 2.Managing Insider Risk Through Training and Culture Report (2016)Google Scholar
- 3.Kowalski, S.: IT insecurity: a multi-disciplinary inquiry (1996)Google Scholar
- 4.Øverby, H., Audestad, J.A.: Digital Economics (2018)Google Scholar
- 5.IT Security: cost-center or strategic investment? (2017)Google Scholar
- 6.HIPAA Journal: 31,876 Managed Health Services of Indiana Health Plan Members Notified of Impermissible Disclosure of PHINo Title (2019). https://www.hipaajournal.com/31876-managed-health-services-indiana-members-data-breaches/
- 7.Arghire, I.: New Magecart Group Targets French Ad Agency (2019). https://www.securityweek.com/new-magecart-group-targets-french-ad-agency. Accessed 25 Jan 2019
- 8.Anderson, R., Moore, T.: The economics of information security. Science (80) (2006)Google Scholar
- 9.Vishik, C., Sheldon, F., Ott, D.: Economic incentives for cybersecurity: using economics to design technologies ready for deployment. In: Reimer, H., Pohlmann, N., Schneider, W. (eds.) ISSE 2013 Securing Electronic Business Processes, pp. 133–147. Springer, Wiesbaden (2013). https://doi.org/10.1007/978-3-658-03371-2_12CrossRefGoogle Scholar
- 10.Gordon, L.A., Loeb, M.P.: The economics of information security investment. ACM Trans. Inf. Syst. Secur. (TISSEC) 5(4), 438–457 (2002)CrossRefGoogle Scholar
- 11.Cartwright, E.: Behavioral Economics. Routledge (2014)Google Scholar
- 12.Arney, C.: Predictably irrational: the hidden forces that shape our decisions. Math. Comput. Educ. 44(1), 68 (2010)Google Scholar
- 13.Thaler, R.H.: Nudge: Improving Decisions About Health, Wealth, and Happiness. Yale University Press, New Haven, London (2008)Google Scholar
- 14.Kahneman, D., Egan, P.: Thinking, Fast and Slow, vol. 1. Farrar, Straus and Giroux, New York (2011)Google Scholar
- 15.Rogers, R.W.: A protection motivation theory of fear appeals and attitude change1. J. Psychol. 91(1), 93–114 (1975)CrossRefGoogle Scholar
- 16.Dolan, P., Hallsworth, M., Halpern, D., King, D., Metcalfe, R., Vlaev, I.: Influencing behaviour: the mindspace way. J. Econ. Psychol. 33(1), 264–277 (2012)CrossRefGoogle Scholar
- 17.Briggs, P., Jeske, D., Coventry, L.: Behavior change interventions for cybersecurity. Behav. Change Res. Theor., 115–136 (2017)Google Scholar
- 18.Fishbein, M., Ajzen, I.: Belief, Attitude, Intention, and Behavior: An Introduction to Theory and Research (1977)Google Scholar
- 19.Ajzen, I.: The theory of planned behavior. Organ. Behav. Hum. Decis. Process. 50(2), 179–211 (1991)CrossRefGoogle Scholar
- 20.Michie, S., West, R., Campbell, R., Brown, J., Gainforth, H.: ABC of Behaviour Change Theories (ABC of Behavior Change): An Essential Resource for Researchers, Policy Makers and Practitioners. Silverback Publishing (Silverback IS), Croydon (2014)Google Scholar
- 21.Sommestad, T., Hallberg, J., Lundholm, K., Bengtsson, J.: Variables influencing information security policy compliance: a systematic review of quantitative studies. Inf. Manag. Comput. Secur. 22(1), 42–75 (2014)CrossRefGoogle Scholar
- 22.Cisco: What Are the Most Common Cyberattacks? (2018). https://www.cisco.com/c/en/us/products/security/common-cyberattacks.html. Accessed 25 Nov 2018
- 23.Ponemon Institute: Data risk in the third-party ecosystem, Ponemon Institute 2016 Research report (2016). http://www.buckleysandler.com
- 24.Ferraro, K.F., Grange, R.L.: The measurement of fear of crime. Sociol. Inq. 57(1), 70–97 (1987)CrossRefGoogle Scholar
- 25.Visser, M., Scholte, M., Scheepers, P.: Fear of crime and feelings of unsafety in European countries: macro and micro explanations in cross-national perspective. Sociol. Q. 54(2), 278–301 (2013)CrossRefGoogle Scholar
- 26.Cybersecurity as a Growth Advantage (2016)Google Scholar
- 27.Wilde, O., Schmalenbach, W., Leonhardi, A.: Lady Windermere’s Fan. Library Editions LLP 4001 (1947)Google Scholar
- 28.Schwartz, S.H.: Universals in the content and structure of values: theoretical advances and empirical tests in 20 countries. In: Advances in Experimental Social Psychology, vol. 25, pp. 1–65. Elsevier (1992)Google Scholar
- 29.Sagiv, L., Schwartz, S.H.: Value priorities and subjective well-being: direct relations and congruity effects. Eur. J. Soc. Psychol. 30(2), 177–198 (2000)CrossRefGoogle Scholar
- 30.Sagiv, L., Sverdlik, N., Schwarz, N.: To compete or to cooperate? Values’ impact on perception and action in social dilemma games. Eur. J. Soc. Psychol. 41(1), 64–77 (2011)CrossRefGoogle Scholar
- 31.Kline, R.B.: Principles and Practice of Structural Equation Modeling. Guilford Publications (2015)Google Scholar
- 32.Jacoby, J.: Consumer research: a state of the art review. J. Mark., 87–96 (1978)Google Scholar
- 33.Shugan, S.M.: Marketing science, models, monopoly models, and why we need them. Mark. Sci. 21(3), 223–228 (2002)CrossRefGoogle Scholar
- 34.Haenlein, M., Kaplan, A.M.: A beginner’s guide to partial least squares analysis. Underst. Stat. 3(4), 283–297 (2004)CrossRefGoogle Scholar
- 35.Henseler, J., Ringle, C.M., Sinkovics, R.R.: The use of partial least squares path modeling in international marketing. In: New Challenges to International Marketing, pp. 277–319. Emerald Group Publishing Limited (2009)Google Scholar
- 36.Chin, W.W., Newsted, P.R.: Structural equation modeling analysis with small samples using partial least squares. Stat. Strat. Small Sample Res. 1(1), 307–341 (1999)Google Scholar
- 37.Fornell, C., Bookstein, F.L.: Two structural equation models: LISREL and PLS applied to consumer exit-voice theory. J. Mark. Res., 440–452 (1982)CrossRefGoogle Scholar
- 38.Becker, J.-M., Ismail, I.R.: Accounting for sampling weights in PLS path modeling: simulations and empirical examples. Eur. Manag. J. 34(6), 606–617 (2016)CrossRefGoogle Scholar
- 39.Falk, A., Becker, A., Dohmen, T., Huffman, D., Sunde, U.: The preference survey module: a validated instrument for measuring risk, time, and social preferences (2016)Google Scholar
- 40.Fornell, C., Larcker, D.F.: Evaluating structural equation models with unobservable variables and measurement error. J. Mark. Res. 18, 39–50 (1981)CrossRefGoogle Scholar
- 41.Murphy, R.O., Ackermann, K.A., Handgraaf, M.: Measuring Social Value Orientation (2011)Google Scholar
- 42.Featherman, M.S., Pavlou, P.A.: Predicting e-services adoption: a perceived risk facets perspective. Int. J. Hum Comput Stud. 59(4), 451–474 (2003)CrossRefGoogle Scholar
- 43.Dinev, T., Goo, J., Hu, Q., Nam, K.: User behaviour towards protective information technologies: the role of national cultural differences. Inf. Syst. J. 19(4), 391–412 (2009)CrossRefGoogle Scholar
- 44.Bauer, J.M., Van Eeten, M.J.G.: Cybersecurity: stakeholder incentives, externalities, and policy options. Telecomm. Policy 33(10–11), 706–719 (2009)CrossRefGoogle Scholar
- 45.Zoto, E., Kianpour, M., Kowalski, S.J., Lopez-Rojas, E.A.: A socio-technical systems approach to design and support systems thinking in cybersecurity and risk management education. Complex Syst. Inf. Model. Q. 18, 65–75 (2019)Google Scholar