Experimental Elicitation of Risk Behaviour amongst Information Security Professionals

Information security professionals have to assess risk in order to make investment decisions on security measures. To investigate whether professionals make such decisions unbiased and rationally, we conducted an economic online experiment and survey measuring risk attitude of security professionals and contrasting their behaviour with the general population. Participants were asked to state their willingness-to-pay in order to avoid a series of losses-only lotteries and to make choices between such lotteries. We also devised a mechanism to elicit preferences between security and operability. Our findings suggest that security professionals are risk and ambiguity averse, consider small losses inevitable and take risks when losses are associated with large probabilities. We find that their preferences are measurably different from those of the general population in some of these aspects. We also find that job position influences security and operability preferences and that avoidance of salient (catastrophic) outcomes explains some of the professionals’ behaviour. Moreover, professionals are susceptible to framing effects to the same extent as the general population, and reveal distorted probability perception, factors that are usually overlooked in risk assessment methodologies.