An Investigation of Decision-Making and the Tradeoffs involving Computer Security Risk
A Research paper by Li-Chiou Chen & Daniel Farkas
Would you trade off your computer security for US$10? No! How about US$10,000? There is a price for everything. The price depends on the perceived value of the info inside your PC. It’s hard for an individual to fathom the monetary value of the data inside one’s PC. However, if you read the recent news about cyber fraud, you would understand that even if you did not store critical data on your PC, an email phishing attack might cost an individual millions of dollars.
A study published by the Americas Conference on Information Systems (AMCIS), conducted by researchers Li-Chiou Chen and Daniel Farkas at Pace University, New York, sought to understand how people make computer security decisions. They wanted to know if users would be willing to buy from a shady website if the price was lower than at a more secure online store, and how much lower the price would have to be for the user to purchase on the shady website.
Monetary Rewards, Culture, and Security Skills
The study involved 131 undergraduate and graduate students taking courses both in person and online at a university in the U.S. and online graduate students from India, 121 of whom completed the whole survey.
In one scenario, the participants were presented with a situation where they could buy a digital camera at a low price but from a shady website, which has a high security risk. 41% chose to buy the camera while 59% declined regardless of how much cheaper the camera was offered.
Other findings of the study include:
- Culture was an important factor in whether a participant was willing to trade off security for a reward. The Indian students accepted the reward at a higher rate than non-Indian students.
- Students who had more security skills, like using software that detects spyware, or encryption in emails, were more likely to reject monetary rewards than those with no security skills. Learned PC users were unwilling to accept a monetary reward because of the possibility that doing so could compromise their computer security. Training users in computer security is the key to reducing cybersecurity risks.
The results of this study provide insights that companies can use in computer security risk management. While most participants (about 53%) avoided security risk regardless of the tradeoff, the 47% that accepted the security risk is a significant percentage in computer security. Given that risk perception seems to be a significant factor in whether users are willing to compromise their security for a reward, companies could benefit from computer security risk training.