Motivation Approach Design Findings Conclusions Future Work Thank you

Are Information Security professionals rational decision-makers?

Konstantinos Mersinas
Distance Learning Weekend Conference 2015, Royal Holloway, University of London, 12-13 September 2015
Contact: Konstantinos.Mersinas.2011@live.rhul.ac.uk

Based on: Mersinas, K., Hartig, B., Martin, K. M., & Seltzer, A., Experimental Elicitation of Risk Behaviour amongst Information Security Professionals. Workshop on the Economics of Information Security (WEIS) 2015.

Are Information Security professionals rational decision-makers? – K. Mersinas 1/29
Outline
1 Motivation
2 Approach
3 Design
4 Findings
5 Conclusions
6 Future Work
7 Thank you
Motivation
Information security professionals have to assess risk in order to make investment decisions on security measures. Do they do so unbiasedly? Rationally?
All quantitative risk assessment methodologies are subject to three significant limitations:
- they are based on many approximations;
- these approximations are often biased by the perception of risk;
- the calculations involved can be easily manipulated.
Simplified Research Question
Are Information Security professionals rational decision-makers?
Research Questions
Four hypotheses:
1) Risk and ambiguity aversion
2) Worst-case thinking
3) Other-evaluation ambiguity aversion
4) Security vs operability
We show that:
- Security professionals exhibit distinct decision-making traits under risk and ambiguity
- Risk attitudes differ between professionals and the general population
- Professionals are not rational decision-makers
- Information security has distinctive aspects
Section 2: Approach
Approach
Information security context characteristics:
- Loss domain
- Evaluation by other parties
- Security and operability
Background:
- Behavioural economics
- Risk attitude elicitation
- Survey
Section 3: Design
Experiment & Survey
- Online
- Performance-based payment
- Participants: 55 professionals and 58 'students'
- Pool: distance learning MSc in Information Security (thank you!) and the Economics Lab of RHUL
Please, join our next experiment!
WTP Lotteries
What is the maximum amount that you are willing to pay in order to avoid playing a lottery in which there is:
- a p % probability of losing $50 and losing nothing otherwise?
- a probability between p1 % and p2 % of losing $50?
- a p % probability of losing an amount between $20 and $80 and losing nothing otherwise?
- a probability between p1 % and p2 % of losing an amount between $20 and $80 and losing nothing otherwise?
WTP & Comparison Lotteries
How much are you willing to pay in order to avoid playing a lottery in which there is:
- a probability of 85% of losing $50
- a probability of 8% of losing $170
- a probability of 3.5% of losing $300
- a probability of 2.5% of losing $400
- a probability of 1% of losing $1000
Other-evaluation Ambiguity Aversion
"Important note: Your choices and their corresponding possible outcomes in the following experiment will be further viewed and will go through an additional evaluation process, after the completion of the experiment."
Finding: There is no evidence that subjects change their risk behaviour when they are informed that they will be evaluated by other parties.
Security vs Operability
Scenario 1
- Mechanism A: enhances security of the system by 10%
- Mechanism B: enhances operability of the system by 10%
Scenario 2
- Choice A: remains at the current system state
- Mechanism B: reduces security by x %, enhances operability by 10%
- Choice C: indifferent between A and B
Section 4: Findings
Risk Aversion
Finding: Both professionals and students are risk averse for small-probability losses, but become risk seeking for very likely losses.
[Figure: Mean risk-averse (positive) and risk-taking (negative) WTP of students and professionals per lottery. Bars represent (µ(WTP) − ExpectedValue).]
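The measure behind the bars, (µ(WTP) − ExpectedValue), applied to the five comparison lotteries listed on the WTP & Comparison Lotteries slide, as an added example (not the study's code or data; the WTP responses are constructed). It also goes one step beyond the slide: the last three lotteries have almost the same expected loss, so checking whether mean WTP rises with the size of the worst loss is one way to look for the worst-case thinking discussed later.

```python
"""Risk premium (mean WTP minus expected loss) per lottery. Added example."""
from statistics import mean

# Comparison lotteries from the slide: (probability of loss, loss in $)
LOTTERIES = {
    "L1": (0.85, 50),
    "L2": (0.08, 170),
    "L3": (0.035, 300),
    "L4": (0.025, 400),
    "L5": (0.01, 1000),
}

# Constructed sample WTP responses in $ (not study data)
SAMPLE_WTP = {
    "L1": [30, 35, 40, 38],   # very likely loss, EV 42.5
    "L2": [15, 20, 18, 14],   # EV 13.6
    "L3": [14, 12, 11, 15],   # EV 10.5
    "L4": [15, 18, 12, 13],   # EV 10
    "L5": [25, 30, 20, 22],   # EV 10, but the worst loss is $1000
}

def expected_loss(p, loss):
    """Expected value of the lottery's loss, as a positive dollar amount."""
    return p * loss

def risk_premium(wtp_responses, p, loss):
    """mu(WTP) - EV: positive means risk averse, negative means risk seeking."""
    return mean(wtp_responses) - expected_loss(p, loss)

def classify(premium, tol=1e-9):
    """Label the sign of the premium, treating |premium| < tol as neutral."""
    if premium > tol:
        return "risk averse"
    if premium < -tol:
        return "risk seeking"
    return "risk neutral"

def analyse(wtp_by_lottery):
    """Return {lottery: (premium rounded to cents, label)} for every lottery."""
    out = {}
    for name, (p, loss) in LOTTERIES.items():
        prem = risk_premium(wtp_by_lottery[name], p, loss)
        out[name] = (round(prem, 2), classify(prem))
    return out

def worst_case_ranking(wtp_by_lottery, names=("L3", "L4", "L5")):
    """For lotteries of near-equal EV, does mean WTP rise with the worst loss?"""
    means = [mean(wtp_by_lottery[n]) for n in names]
    return all(a < b for a, b in zip(means, means[1:]))
```

With the constructed responses, the 85%/$50 lottery comes out risk seeking and the others risk averse, matching the pattern the finding describes.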
Ambiguity Aversion
Finding: Professionals reveal ambiguity aversion in all of their choices; such aversion is not consistently observed for the general population.
[Figure: Students vs professionals for the lotteries with EV = -2.5, EV = -7.5 and EV = -25.]
Expected Values
Finding: Professionals are better at estimating expected losses than the general population (WTP and survey question).
[Figure: Interaction of Pro or Student and variable H19 with General Risk as moderator.]
Worst-case thinking
Salience theory: disproportional focus on the most salient outcomes and quantification of decision weights.
Finding: The majority of professionals have a distorted perception of probabilities; the general population reveals overall more consistent preferences than security professionals.
[Figure: Distortion of probability perception for lotteries L9, L10: values of the salience sum for L9 ≻ L10, δ ∈ (0, 1] (Students: 47%, Professionals: 58%).]
Security-Operability across Job Roles
Finding: Operability and security preferences are significantly dependent on job role.

Job Title / Role           Compliance, Risk   Senior executive   IT & Security   Managerial   Other
Enhance Security (42%)            5                  3                7              8          0
Enhance Operability (58%)         1                 13                7              3          2

χ²(4, N = 55) = 12.092, p = .017: a different perspective based on job position.
Security and Operability Switching Points
Finding: Both groups weighted their favourite attribute twice as much as the attribute they did not choose.
[Figure: Two frequency histograms of switching points (0 to 10). SWITCHPOINT_SEC: Mean = 5.26, Std. Dev. = 3.018, N = 23. SWITCHPOINT_OPS: Mean = 5.35, Std. Dev. = 2.799, N = 26.]
Security: (Sec(x %), Ops(10 %)); Operability: (Sec(10 %), Ops(x %)).