Abstract
Employees continue to be the weakest link in an organizational security ecosystem, exposing organizational assets through carelessness, malicious threats, or apathy towards security policies. Security-related decision making is a complex process that is driven by an individual’s risk perception, self-efficacy, and their propensity to accept risks. Existing behavioral security re-search on user security behavior is rooted in models based on rational choice theory such as protection motivation theory and deterrence theory, both of which focus on using fear appeals and punishments to prompt desired security behavior. Recent research on human rationality suggests that security-related decision making is far more complex and nuanced, not a simple carrot-and-stick related process, and not necessarily grounded in rational reasoning. In reality, a combination of dispositional and situational factors is likely to interact to influence security decisions. In this paper we explore the role of one particular dispositional factor, individual risk acceptance vs. risk aversion. While not refuting the influence of other factors, we argue that this factor plays a key role in influencing security behaviors. We propose a model that depicts the impact of individual dispositional risk propensity and situational risk perception on employees' security-related decisions. We believe this model will lay a foundation for de-signing effective security compliance interventions.
Original language | English |
---|---|
Number of pages | 8 |
Publication status | Published - 7 Oct 2016 |
Event | 2016 Dewald Roode Workshop - New Mexico, United States Duration: 7 Oct 2016 → 8 Oct 2016 https://www.ifiptc11.org/8-news/32-the-2016-dewald-roode-workshop-on-information-systems-security-research |
Conference
Conference | 2016 Dewald Roode Workshop |
---|---|
Country/Territory | United States |
City | New Mexico |
Period | 7/10/16 → 8/10/16 |
Internet address |
Keywords
- information security
- risk disposition
- risk tolerance
- risk aversion