3 research outputs found

    Using Measures of Risk Perception to Predict Information Security Behavior: Insights from Electroencephalography (EEG)

    Users’ perceptions of risks have important implications for information security because individual users’ actions can compromise entire systems. Therefore, there is a critical need to understand how users perceive and respond to information security risks. Previous research on perceptions of information security risk has chiefly relied on self-reported measures. Although these studies are valuable, risk perceptions are often associated with feelings—such as fear or doubt—that are difficult to measure accurately using survey instruments. Additionally, it is unclear how these self-reported measures map to actual security behavior. This paper contributes to this topic by demonstrating that risk-taking behavior is effectively predicted using electroencephalography (EEG) via event-related potentials (ERPs). Using the Iowa Gambling Task, a widely used technique shown to be correlated with real-world risky behaviors, we show that the differences in neural responses to positive and negative feedback strongly predict users’ information security behavior in a separate laboratory-based computing task. In addition, we compare the predictive validity of EEG measures to that of self-reported measures of information security risk perceptions. Our experiments show that self-reported measures are ineffective in predicting security behaviors under a condition in which information security is not salient. However, we show that, when security concerns become salient, self-reported measures do predict security behavior. Interestingly, EEG measures significantly predict behavior in both salient and non-salient conditions, which indicates that EEG measures are a robust predictor of security behavior.

    An exploratory study on managerial security concerns in technology start-ups

    PACIS 2006 - 10th Pacific Asia Conference on Information Systems: ICT and Innovation Economy 189-19

    IT Security in the Age of Digitalization – Toward an Understanding of Risk Perceptions and Protective Behaviors of Private Individuals and Managers in Organizations

    Nowadays, information technology (IT) has become an integral part of our everyday life. In both the private and business context, we extensively use different IT systems for data production, data organization, data analysis, and communication with others. Due to the extensive usage of IT, the amount of digitalized personal and organizational information is rapidly and incessantly rising — making both private individuals and organizations attractive targets for attackers. The necessity to effectively protect sensitive data from IT security incidents is highly discussed in practice and research, it attracts high media attention, and our society should be actually aware of the importance of IT security in today’s digital world. However, recent reports demonstrate that organizations as well as private individuals — even though they are afraid of the rapid evolution of IT security risks — still often refrain from adopting the necessary IT security safeguards. To better prepare our society for the ongoing risks arising from extensive IT usage, a better understanding of how IT security is perceived by private individuals and managers is required. Motivated by the findings and theoretical underpinnings from previous research, this thesis addresses several research questions with respect to IT security perceptions and behaviors of private individuals and managers in organizations. By conducting four studies — one among private individuals and three among managers in organizations — the thesis not only contributes to the current research but also provides useful recommendations for practice. Suppliers of IT and IT security products as well as managers in customer organizations can especially learn from the findings of the studies. First, research paper A is focused on the private context and analyzes the gender differences in mobile users’ IT security perceptions and protective behaviors. Drawing on Gender Schema Theory and Protection Motivation Theory, a mixed-method study (survey, experiment, and interviews) under laboratory conditions is conducted. The results show that IT security perceptions of females and males are based on different downstream beliefs and indicate that females are more likely to translate their intention to take precautionary actions into actual behavior than males. The studies presented in research papers B, C, and D are conducted within the business context and focus on the IT security perceptions and behaviors of managers in organizations. Research paper B analyzes top managers’ IT security awareness. Since previous research predominantly investigated IT security awareness at the employee level, a comprehensive conceptualization of IT security awareness at the management level is currently missing. To address this research gap, a structured literature review and expert interviews are performed in order to develop and test a comprehensive conceptualization — including both individual and organizational factors — of top managers’ IT security awareness. Within research paper C, managers’ willingness to pay for IT security is in the focus of the investigation. Previous research largely neglected that various IT security safeguards might be differently evaluated by organizations, for example, due to different IT security requirements. By drawing on Kano’s Theory, the study takes into account that — depending on the organization’s individual IT security requirements — the implementation of IT security safeguards can also be associated with disadvantages. Based on interviews and an empirical study among managers, the study reveals that IT security safeguards are differently evaluated and that these different evaluations are associated with different levels of managers’ willingness to pay. Finally, research paper D analyzes managers’ Status Quo-Thinking in risk perception. Based on Prospect Theory, Status Quo Bias research, and an empirical study among managers, the findings indicate that managers’ risk evaluations and decisions to adopt new technologies are highly dependent on their assessments of the systems currently used in the organization. Moreover, the results implicate that the impact of Status Quo-Thinking on managers’ risk assessments and intentions to adopt new technologies is stronger the less experienced a manager is with a new technology, probably resulting in an incorrect risk assessment and inappropriate adoption behavior. Implications for research and practice are discussed in more detail within each research paper and summarized in the final chapter of the thesis.