Social Preferences in Decision Making Under Cybersecurity Risks and Uncertainties

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11594)


The most costly cybersecurity incidents for organizations result from the failures of their third parties. This means that organizations should not only invest in their own protection and cybersecurity measures, but also pay attention to that of their business and operational partners. While economic impact and real extent of third parties cybersecurity risks is hard to quantify, decision makers inevitably compare their decisions with other entities in their network. This paper presents a theoretically derived model to analyze the impact of social preferences and other factors on the willingness to cooperate in third party ecosystems. We hypothesize that willingness to cooperate among the organizations in the context of cybersecurity increases following the experience of cybersecurity attacks and increased perceived cybersecurity risks. The effects are mediated by perceived cybersecurity value and moderated by social preferences. These hypotheses are tested using a variance-based structural equation modeling analysis based on feedback from a sample of Norwegian organizations. Our empirical results confirm the strong positive impact of social preferences and cybersecurity attack experience on the willingness to cooperate, and support the reciprocal behavior of cybersecurity decision makers. We further show that more perception of cybersecurity risk and value deter the decision makers to cooperate with other organizations.


Social preferences Behavioral economics Cybersecurity decision making Structural Equation Modeling Theory development Perceived Cybersecurity Risk 



We would like to express our special thanks of gratitude to The Norwegian Business and Industry Security Council (NSR) as well as Mr. Adam Szekeres and Mr. EivindKristoffersen Ph.D. Candidates in Information Security, that helped us to design and distribute the survey of this study.


  1. 1.
    Bernstein, P.L., Bernstein, P.L.: Against the Gods: The Remarkable Story of Risk. Wiley, New York (1996)Google Scholar
  2. 2.
    Managing Insider Risk Through Training and Culture Report (2016)Google Scholar
  3. 3.
    Kowalski, S.: IT insecurity: a multi-disciplinary inquiry (1996)Google Scholar
  4. 4.
    Øverby, H., Audestad, J.A.: Digital Economics (2018)Google Scholar
  5. 5.
    IT Security: cost-center or strategic investment? (2017)Google Scholar
  6. 6.
    HIPAA Journal: 31,876 Managed Health Services of Indiana Health Plan Members Notified of Impermissible Disclosure of PHINo Title (2019).
  7. 7.
    Arghire, I.: New Magecart Group Targets French Ad Agency (2019). Accessed 25 Jan 2019
  8. 8.
    Anderson, R., Moore, T.: The economics of information security. Science (80) (2006)Google Scholar
  9. 9.
    Vishik, C., Sheldon, F., Ott, D.: Economic incentives for cybersecurity: using economics to design technologies ready for deployment. In: Reimer, H., Pohlmann, N., Schneider, W. (eds.) ISSE 2013 Securing Electronic Business Processes, pp. 133–147. Springer, Wiesbaden (2013). Scholar
  10. 10.
    Gordon, L.A., Loeb, M.P.: The economics of information security investment. ACM Trans. Inf. Syst. Secur. (TISSEC) 5(4), 438–457 (2002)CrossRefGoogle Scholar
  11. 11.
    Cartwright, E.: Behavioral Economics. Routledge (2014)Google Scholar
  12. 12.
    Arney, C.: Predictably irrational: the hidden forces that shape our decisions. Math. Comput. Educ. 44(1), 68 (2010)Google Scholar
  13. 13.
    Thaler, R.H.: Nudge: Improving Decisions About Health, Wealth, and Happiness. Yale University Press, New Haven, London (2008)Google Scholar
  14. 14.
    Kahneman, D., Egan, P.: Thinking, Fast and Slow, vol. 1. Farrar, Straus and Giroux, New York (2011)Google Scholar
  15. 15.
    Rogers, R.W.: A protection motivation theory of fear appeals and attitude change1. J. Psychol. 91(1), 93–114 (1975)CrossRefGoogle Scholar
  16. 16.
    Dolan, P., Hallsworth, M., Halpern, D., King, D., Metcalfe, R., Vlaev, I.: Influencing behaviour: the mindspace way. J. Econ. Psychol. 33(1), 264–277 (2012)CrossRefGoogle Scholar
  17. 17.
    Briggs, P., Jeske, D., Coventry, L.: Behavior change interventions for cybersecurity. Behav. Change Res. Theor., 115–136 (2017)Google Scholar
  18. 18.
    Fishbein, M., Ajzen, I.: Belief, Attitude, Intention, and Behavior: An Introduction to Theory and Research (1977)Google Scholar
  19. 19.
    Ajzen, I.: The theory of planned behavior. Organ. Behav. Hum. Decis. Process. 50(2), 179–211 (1991)CrossRefGoogle Scholar
  20. 20.
    Michie, S., West, R., Campbell, R., Brown, J., Gainforth, H.: ABC of Behaviour Change Theories (ABC of Behavior Change): An Essential Resource for Researchers, Policy Makers and Practitioners. Silverback Publishing (Silverback IS), Croydon (2014)Google Scholar
  21. 21.
    Sommestad, T., Hallberg, J., Lundholm, K., Bengtsson, J.: Variables influencing information security policy compliance: a systematic review of quantitative studies. Inf. Manag. Comput. Secur. 22(1), 42–75 (2014)CrossRefGoogle Scholar
  22. 22.
    Cisco: What Are the Most Common Cyberattacks? (2018). Accessed 25 Nov 2018
  23. 23.
    Ponemon Institute: Data risk in the third-party ecosystem, Ponemon Institute 2016 Research report (2016).
  24. 24.
    Ferraro, K.F., Grange, R.L.: The measurement of fear of crime. Sociol. Inq. 57(1), 70–97 (1987)CrossRefGoogle Scholar
  25. 25.
    Visser, M., Scholte, M., Scheepers, P.: Fear of crime and feelings of unsafety in European countries: macro and micro explanations in cross-national perspective. Sociol. Q. 54(2), 278–301 (2013)CrossRefGoogle Scholar
  26. 26.
    Cybersecurity as a Growth Advantage (2016)Google Scholar
  27. 27.
    Wilde, O., Schmalenbach, W., Leonhardi, A.: Lady Windermere’s Fan. Library Editions LLP 4001 (1947)Google Scholar
  28. 28.
    Schwartz, S.H.: Universals in the content and structure of values: theoretical advances and empirical tests in 20 countries. In: Advances in Experimental Social Psychology, vol. 25, pp. 1–65. Elsevier (1992)Google Scholar
  29. 29.
    Sagiv, L., Schwartz, S.H.: Value priorities and subjective well-being: direct relations and congruity effects. Eur. J. Soc. Psychol. 30(2), 177–198 (2000)CrossRefGoogle Scholar
  30. 30.
    Sagiv, L., Sverdlik, N., Schwarz, N.: To compete or to cooperate? Values’ impact on perception and action in social dilemma games. Eur. J. Soc. Psychol. 41(1), 64–77 (2011)CrossRefGoogle Scholar
  31. 31.
    Kline, R.B.: Principles and Practice of Structural Equation Modeling. Guilford Publications (2015)Google Scholar
  32. 32.
    Jacoby, J.: Consumer research: a state of the art review. J. Mark., 87–96 (1978)Google Scholar
  33. 33.
    Shugan, S.M.: Marketing science, models, monopoly models, and why we need them. Mark. Sci. 21(3), 223–228 (2002)CrossRefGoogle Scholar
  34. 34.
    Haenlein, M., Kaplan, A.M.: A beginner’s guide to partial least squares analysis. Underst. Stat. 3(4), 283–297 (2004)CrossRefGoogle Scholar
  35. 35.
    Henseler, J., Ringle, C.M., Sinkovics, R.R.: The use of partial least squares path modeling in international marketing. In: New Challenges to International Marketing, pp. 277–319. Emerald Group Publishing Limited (2009)Google Scholar
  36. 36.
    Chin, W.W., Newsted, P.R.: Structural equation modeling analysis with small samples using partial least squares. Stat. Strat. Small Sample Res. 1(1), 307–341 (1999)Google Scholar
  37. 37.
    Fornell, C., Bookstein, F.L.: Two structural equation models: LISREL and PLS applied to consumer exit-voice theory. J. Mark. Res., 440–452 (1982)CrossRefGoogle Scholar
  38. 38.
    Becker, J.-M., Ismail, I.R.: Accounting for sampling weights in PLS path modeling: simulations and empirical examples. Eur. Manag. J. 34(6), 606–617 (2016)CrossRefGoogle Scholar
  39. 39.
    Falk, A., Becker, A., Dohmen, T., Huffman, D., Sunde, U.: The preference survey module: a validated instrument for measuring risk, time, and social preferences (2016)Google Scholar
  40. 40.
    Fornell, C., Larcker, D.F.: Evaluating structural equation models with unobservable variables and measurement error. J. Mark. Res. 18, 39–50 (1981)CrossRefGoogle Scholar
  41. 41.
    Murphy, R.O., Ackermann, K.A., Handgraaf, M.: Measuring Social Value Orientation (2011)Google Scholar
  42. 42.
    Featherman, M.S., Pavlou, P.A.: Predicting e-services adoption: a perceived risk facets perspective. Int. J. Hum Comput Stud. 59(4), 451–474 (2003)CrossRefGoogle Scholar
  43. 43.
    Dinev, T., Goo, J., Hu, Q., Nam, K.: User behaviour towards protective information technologies: the role of national cultural differences. Inf. Syst. J. 19(4), 391–412 (2009)CrossRefGoogle Scholar
  44. 44.
    Bauer, J.M., Van Eeten, M.J.G.: Cybersecurity: stakeholder incentives, externalities, and policy options. Telecomm. Policy 33(10–11), 706–719 (2009)CrossRefGoogle Scholar
  45. 45.
    Zoto, E., Kianpour, M., Kowalski, S.J., Lopez-Rojas, E.A.: A socio-technical systems approach to design and support systems thinking in cybersecurity and risk management education. Complex Syst. Inf. Model. Q. 18, 65–75 (2019)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.Norwegian University of Science and TechnologyGjøvikNorway

Personalised recommendations