Are information security professionals expected value maximizers?: An experiment and survey-based test

Abstract

Information security professionals have to assess risk in order to make investment decisions on security measures. To investigate whether professionals make such decisions optimally, we conduct an online experiment and survey measuring risk attitudes of security professionals. Participants were asked to state their willingness-to-pay to avoid a series of losses-only lotteries and to make choices between such lotteries. We examine their behaviour in these lotteries and conclude that security professionals do not minimize expected losses. Our findings suggest that security professionals are risk and ambiguity averse and are susceptible to framing effects. We contrast their behaviour to that of a random sample of students. We find that the preferences of security professionals are measurably different from those of students in several respects. Finally, we devise a mechanism to elicit professionals' preferences between security and operability. We find that the nature of professionals' employment influences their security versus operability preferences. These factors are usually overlooked in risk assessment methodologies.

Mersinas, K., Hartig, B., Martin, K. M., & Seltzer, A. (2016). Are information security professionals expected value maximizers?: An experiment and survey-based test. Journal of Cybersecurity, 2(1), 57–70. https://doi.org/10.1093/cybsec/tyw009
