INDIVIDUAL PREFERENCES IN SECURITY RISK DECISION MAKING: AN EXPLORATORY STUDY UNDER SECURITY PROFESSIONALS
Price
Free (open access)
Transaction
Volume
206
Pages
13
Page Range
187 - 199
Published
2022
Paper DOI
10.2495/SAFE210161
Copyright
Author(s)
JOHAN J. DE WIT, WOLTER PIETERS, PIETER H. A. J. M. VAN GELDER
Abstract
Risk assessments in the (cyber) security domain are often, if not always, based on subjective expert judgement. For the first time, to the best of our knowledge, the individual preferences of professionals from the security domain are studied. In on online survey they are asked to mention, rate and rank their preferences when assessing a security risk. The survey setup allows to differentiate between easily accessible or “on top of mind” attributes and guided or stimulated attributes. The security professionals are also challenged to both non-compensatory and compensatory decision making on the relevance of the attributes. The results of this explorative study indicate a clear difference and shift in the individual perceived relevance of attributes in these different settings. Another remarkable finding of this study is the predominant focus on impact attributes by the respondents and the less significant position of likelihood or probability. The majority of professionals seem to ignore likelihood in their security risk assessment. This might be due to so called probability neglect as introduced by other scholars. the security in organisations and society is depending on the assessment and judgement of these professionals, understanding their preferences and the influence of cognitive biases is paramount. This study contributes to this body of knowledge and might raise attention to this important topic in both the academic and professional security domain.
Keywords
security risk assessment, decision making, risk management, decision biases, preferences, probability neglect