Security Behaviour, Risk Perceptions and Types of Rationality

Decisions in information security are influenced by the decision-maker’s subjective perceptions of risk. This holds for security professionals, e.g. CISOs, who, in the absence of an established economic model, have to invest in security controls. It also holds for any other security-related decision, e.g. users’ behaviour online or why some groups fall more easily for scams and frauds than others (including social engineering and phishing). In addition to subjectivity, biases and heuristics also influence choices and behaviour. The immediate result is that, although humans are often considered fully rational agents when making decisions (the so-called ‘homo economicus’), such behaviour is not empirically observed. Instead, we – as humans – tend to utilize different types of ‘rationality’ for our choices. Thus subjectivity (expressed, for example, as preferences, biases, and distorted risk perceptions) and the type of ‘rationality’ utilized, along with heuristics, constitute key factors for explaining decisions.

  • Konstantinos Mersinas (ISG, HIVE) 
  • Keith Martin (ISG) 
  • Bjoern Hartig (Economics) 
  • Andy Seltzer (Economics) 
  • Dawn Watling (Psychology, HIVE) 
  • Jane Marriott (Law, HIVE) 

Mersinas, K., Sobb, T., Sample, C., Bakdash, J. Z., & Ormrod, D. (2019, October). Training Data and Rationality. In ECIAIR 2019 European Conference on the Impact of Artificial Intelligence and Robotics (p. 225).

Mersinas, K., Hartig, B., Martin, K. M., & Seltzer, A. (2016). Are information security professionals expected value maximizers?: An experiment and survey-based test. Journal of Cybersecurity, 2(1), 57-70.

Mersinas, K., Hartig, B., Martin, K. M., & Seltzer, A. (2016, June). Measuring Attitude towards Risk Treatment Actions amongst Information Security Professionals: an Experimental Approach. In Workshop on the Economics of Information Security, Berkeley, CA.  

Mersinas, K., Hartig, B., Martin, K. M., & Seltzer, A. (2015, June). Experimental Elicitation of Risk Behaviour amongst Information Security Professionals. Workshop on the Economics of Information Security, Delft, The Netherlands. 

 

Impact: our behavioural experiments have been cited in the 2018 direction-setting report ‘Cyber Risk Economics Capability Gaps Research Strategy’ by the U.S. Department of Homeland Security. 

Funding (HIVE) 

  • Strategic Knowledge Exchange Collaborations: Internal competition, (£22,000), 2020. 
  • Research consultancy with KPMG Netherlands, (£25,000), 2019. 
  • Two projects initially funded by the Higher Education Innovation Fund (HEIF), 2018: 
    i) Protecting adolescents from cyberbullying / cyberstalking, 
    ii) Protecting the elderly from financial abuse. 

 

HIVE - Hub for research into Interdisciplinary Vulnerability to Exploitation 

http://pc.rhul.ac.uk/sites/hive/ 
