

Mis-spending on information security measures: Theory and experimental evidence
Institution: 1. Bloch School of Management, University of Missouri—Kansas City, 5110 Cherry St, Kansas City, MO 64110, USA; 2. Area of Information Systems and Quantitative Sciences, Texas Tech University, 703 Flint Avenue, Lubbock, TX 79409, USA; 3. Department of Economics, The University of Kansas, 415 Snow Hall, 1460 Jayhawk Blvd, Lawrence, KS 66045, USA
Abstract:Information resources are becoming increasingly important to individuals and organizations, and ensuring their security is a major concern. While research in information security has adopted primarily a quantitative method to determine how and how much to invest in security, most decision makers rely on non-quantitative methods for this purpose, thereby introducing a considerable amount of as yet unexplained subjective judgment to the problem. We use a behavioral decision making approach to investigate factors causing possible inefficiencies of security spending decisions. Decision makers in our experiment performed a series of economic games featuring the key characteristics of a typical security problem. We found several biases in investment decisions. For budgeting their investment between major classes of security measures, decision makers demonstrated a strong bias toward investing in preventive measures rather than in detection and response measures, even though the task was designed to yield the same return on investment for both classes of measures. We term this phenomenon the “Prevention Bias.” Decision makers also reacted to security threats when the risk was so small that no investment was economically justified. For higher levels of risk that warranted some security investment, decision makers showed a strong tendency to overinvest. Theoretical and practical implications of the findings are discussed.
Keywords: Information security investment; Prevention; Detection and response; Decision biases; Prevention bias; Experiment
This article is indexed in ScienceDirect and other databases.