Effectively assessing and configuring security controls to minimize network risks requires human judgment. Little is known about what factors network professionals perceive to make judgments of network risk. The purpose of this research was to examine first, what factors are important to network risk judgments (Study 1) and second, how risky/safe each factor is judged (Study 2) by a sample of network professionals. In Study 1, a complete list of factors was generated using a focus group method and validated on a broader sample using a survey method with network professionals. Factors detailing the adversary and organizational network readiness were rated highly important. Study 2 investigated the level of riskiness for each factor that is described in a vignette-based factor scenario. The vignette provided context that was missing in Study 1. The highest riskiness ratings were of factors detailing the adversary and the lowest riskiness ratings detailed the organizational network readiness. A significant relationship existed in Study 2 between the level of agreement on each factor’s rating across our sample of network professionals and the riskiness level at which each factor was judged. Factors detailing the adversary were highly agreed upon while factors detailing the organizational capability were less agreed upon. Computational risk models and network risk metrics ask professionals to perceive factors and judge overall network risk levels, but no published research exists on what factors are important for network risk judgments. These empirical findings address this gap, and factors used in models and metrics could be compared to factors generated herein. Future research and implications are discussed at the close of this paper.
CITATION STYLE
Cowley, J., Greitzer, F. L., & Woods, B. (2015). Factors influencing network risk judgments: a conceptual inquiry and exploratory analysis. Security Informatics, 4(1). https://doi.org/10.1186/s13388-015-0016-x