The human factor
Tyler Moore, Tandy School of Computer Science, University of Tulsa
Outline
1. Behavioral economics and cybersecurity
   Prospect theory
   Misperception of risk
   Decision-making shortcuts
   Behavioral economics of privacy
2. Psychology of scam victims
Behavioral economics and cybersecurity

Limits of rationality
Economic models traditionally assume that individuals and firms behave rationally. In many circumstances this is an acceptable assumption. Yet there are clearly times when people do not make decisions in a rational way, and this happens frequently in cybersecurity applications. Behavioral economics studies the heuristics that people use to make decisions, along with the biases that affect our decision-making.
Prospect theory

Let's make a deal
Option 1: Get $1000
Option 2: Get $2000 with a 50% chance, $0 otherwise
Which would you choose?
Expected value of option 2: 0.5 × $2000 + 0.5 × $0 = $1000, the same as option 1.
Most people prefer option 1.
Let's make a deal
Option 1: Lose $1000
Option 2: Lose $2000 with a 50% chance, $0 otherwise
Which would you choose?
Expected value of option 2: 0.5 × (−$2000) + 0.5 × $0 = −$1000, the same as option 1.
Most people prefer option 2.
Prospect theory (Kahneman and Tversky 1979)
1. A sure gain is preferred over a chance at a greater gain: "A bird in the hand is worth two in the bush."
2. An uncertain loss is preferred over a sure smaller loss: "Run away to fight another day."
Implications for cybersecurity (Schneier 2008)
Most security investment decisions involve taking a small but certain loss rather than risking a bigger loss if attacked. For example: buy a data-loss-prevention solution to reduce your exposure to a data breach that might cost your company millions. Prospect theory suggests that most people would rather risk the larger loss than pay up for protection now. To sell security, one should frame the choice in terms of a certain gain rather than an uncertain loss avoided.
Framing effect (KT81)
Imagine that the US is preparing for the outbreak of an unusual Asian disease, which is expected to kill 600 people. Two alternative programs to combat the disease have been proposed. Assume that the exact scientific estimates of the consequences of the programs are as follows.
Program A: If adopted, 200 people will be saved.
Program B: If adopted, 1/3 probability 600 will be saved, and 2/3 probability no one is saved.
Which program do you prefer? 72% of respondents said Program A.

The same scenario, with the outcomes described as deaths rather than lives saved:
Program C: If adopted, 400 people will die.
Program D: If adopted, 1/3 probability nobody will die, and 2/3 probability that 600 people will die.
Which program do you prefer? 78% of respondents said Program D.
Programs C and D have exactly the same outcomes as A and B; only the framing (lives saved versus deaths) has changed, and the majority preference flips.
Framing effect and cybersecurity
To increase the chances a security decision will be taken, frame the decision in terms of the certain benefits. If it must be framed in terms of negative outcomes, emphasize the uncertain outcomes.
Prospect theory: Role of probabilities (the fourfold pattern)

Gains, high probability (certainty effect, risk-averse):
  100% chance to gain $900 preferred over 95% chance to gain $1k
Losses, high probability (certainty effect, risk-seeking):
  95% chance to lose $1k preferred over 100% chance to lose $900
Gains, low probability (possibility effect, risk-seeking):
  5% chance to gain $1k preferred over 100% chance to gain $60
Losses, low probability (possibility effect, risk-averse):
  100% chance to lose $60 preferred over 5% chance to lose $1k

Discussion: Can you identify cybersecurity scenarios to fit each quadrant?
Discussion: How does the perceived probability of different cyber threats influence when to invest in countermeasures?
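The fourfold pattern above, the earlier sure-gain and sure-loss deals, and the framing-effect programs all fall out of one model once a value function that is concave for gains and convex (and steeper) for losses is combined with a probability weighting function that overweights small probabilities and underweights large ones. The following Python is an added example, not part of the lecture slides. It assumes the cumulative prospect theory functional forms and the median parameter estimates (alpha = beta = 0.88, lambda = 2.25, gamma = 0.61, delta = 0.69) reported by Tversky and Kahneman in "Advances in Prospect Theory" (1992); the slides state only the qualitative pattern. The dollar amounts, probabilities and survey scenarios are the ones on the slides; the `breakeven_probability` helper and its premium/loss inputs are an assumption added to explore the second discussion question.

```python
"""Cumulative prospect theory reproduction of the choices on the slides.

Added illustration, not from the lecture. Functional forms and parameters are
the Tversky and Kahneman (1992) estimates; the slides only give the pattern.
"""

ALPHA = 0.88   # curvature of the value function for gains
BETA = 0.88    # curvature of the value function for losses
LAMBDA = 2.25  # loss aversion: losses loom ~2.25x larger than equal gains
GAMMA = 0.61   # probability-weighting parameter for gains
DELTA = 0.69   # probability-weighting parameter for losses


def value(x: float) -> float:
    """v(x): concave above zero, convex and LAMBDA times steeper below zero."""
    if x >= 0:
        return x ** ALPHA
    return -LAMBDA * (-x) ** BETA


def weight(p: float, gains: bool) -> float:
    """w(p) = p^g / (p^g + (1-p)^g)^(1/g): inverse-S shaped, w(0)=0, w(1)=1."""
    g = GAMMA if gains else DELTA
    return p ** g / (p ** g + (1 - p) ** g) ** (1 / g)


def prospect(x: float, p: float = 1.0) -> float:
    """Subjective value of 'receive x with probability p, otherwise nothing'.

    Every choice on the slides pits a sure amount (p = 1) against a single
    risky amount, so one non-zero outcome is all that is needed.
    """
    if x == 0 or p == 0:
        return 0.0
    return weight(p, gains=x > 0) * value(x)


def attitude(sure: float, risky: float, p: float) -> str:
    """Which side of 'sure vs. risky with probability p' the model picks."""
    return "risk-averse" if prospect(sure) > prospect(risky, p) else "risk-seeking"


# Slide deals and framing-effect programs: (sure outcome, risky outcome, p).
# Lives saved are treated as gains and deaths as losses, as in the framing.
SLIDE_CHOICES = {
    "gain $1000 vs 50% gain $2000": (1000, 2000, 0.5),
    "lose $1000 vs 50% lose $2000": (-1000, -2000, 0.5),
    "A: 200 saved vs B: 1/3 600 saved": (200, 600, 1 / 3),
    "C: 400 die vs D: 2/3 600 die": (-400, -600, 2 / 3),
}

# The fourfold-pattern table, one entry per quadrant.
FOURFOLD = {
    "gains, high probability": (900, 1000, 0.95),
    "losses, high probability": (-900, -1000, 0.95),
    "gains, low probability": (60, 1000, 0.05),
    "losses, low probability": (-60, -1000, 0.05),
}


def slide_preferences() -> dict:
    """'sure' or 'gamble' for each deal on the slides."""
    return {name: ("sure" if attitude(*c) == "risk-averse" else "gamble")
            for name, c in SLIDE_CHOICES.items()}


def fourfold_pattern() -> dict:
    """Risk attitude the model predicts in each quadrant of the table."""
    return {name: attitude(*c) for name, c in FOURFOLD.items()}


def breakeven_probability(premium: float, loss: float, tol: float = 1e-7) -> float:
    """Attack probability at which paying `premium` for certain becomes
    preferable to facing `loss` with that probability (hypothetical inputs).

    Bisection: prospect(-loss, p) decreases in p because w(p) is monotone
    for these parameters, so there is exactly one crossing. Compare with the
    expected-value breakeven premium / loss.
    """
    target = prospect(-premium)
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if prospect(-loss, mid) < target:   # gamble already worse than paying
            hi = mid
        else:
            lo = mid
    return (lo + hi) / 2


if __name__ == "__main__":
    for name, pref in {**slide_preferences(), **fourfold_pattern()}.items():
        print(f"{name:36s} -> {pref}")
    for premium in (60, 400):
        b = breakeven_probability(premium, 1000)
        print(f"premium ${premium} vs $1000 loss: model pays above p={b:.3f}, "
              f"expected value says above p={premium / 1000:.3f}")
```

Running it reproduces every majority choice on the slides and all four quadrants of the table. The breakeven sweep shows why the probability axis matters for the countermeasure question: against a $1,000 loss, a $60 premium is paid by the modelled decision-maker even when the attack probability is around 3%, below the 6% expected-value breakeven (small probabilities are overweighted, which is the insurance-buying quadrant), whereas a $400 premium is refused until the probability approaches 50%, above the 40% expected-value breakeven. The reluctance to pay for protection described on the Schneier slide is what the model predicts for losses perceived as likely; for losses perceived as rare, the model predicts over-insurance instead.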
Misperception of risk

Misperception of risk
Prospect theory has shown that we are bad at dealing with low-probability events. We tend to overestimate the likelihood of low-probability, costly events (e.g., cyber terrorism). We are more afraid of risks when we lack control. We are more afraid of risks that we have been sensitized to (e.g., by media exposure). In everyday life people are more afraid of flying than driving, even though driving is far more dangerous. In cyber, people are more afraid of attacks on critical infrastructure than of getting infected by a drive-by download, even though the latter is much more likely to affect them.
Indirect costs of cyber insecurity
Even if the direct costs of a cybersecurity threat are small, we must consider the indirect costs of changed behavior in response to fear of the threat. If people stop using online banking due to fear of losing their money, banks stand to lose much more than cybercriminals can actually steal. If people refuse to adopt electronic health records over privacy concerns, hospitals will miss out on huge efficiency gains. The perception of security matters as much as the reality.
Decision-making shortcuts

Status quo bias
Preference for the current situation, such that any deviation is seen as negative.
Experimental evidence: Consider two equivalent outcomes A and B. People who start in outcome A and switch to B view the switch as negative. But people who start in outcome B and switch to A view that switch as negative too!
Endowment effect
People value things more merely because they have them.
Experimental evidence: People demand more to give up something they own than they would be willing to pay to acquire an equivalent good. This effect holds even for goods acquired only minutes ago!
Availability heuristic
Easily remembered information and examples are relied upon to make decisions. Anecdotes drive decisions, even when the bigger risk may be due to an issue that is not easily recalled.