Top

Information Systems Frontiers

Published in:

30-05-2022

Detecting Cybersecurity Threats: The Role of the Recency and Risk Compensating Effects

Authors: Roozmehr Safi, Glenn J. Browne

Published in: Information Systems Frontiers | Issue 3/2023

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Detecting and responding to information security threats quickly and effectively is becoming increasingly crucial as modern attackers continue to engineer their attacks to operate covertly to maintain long-term access to victims’ systems after the initial penetration. We conducted an experiment to investigate various aspects of decision makers’ behavior in monitoring for threats in systems that potentially have been compromised by intrusions. In checking for threats, decision makers showed a recency effect: they deviated from optimal monitoring behavior by altering their checking pattern in response to recent random incidents. Decision makers’ monitoring behavior was also adversely affected when there was an increase in security, exhibiting a risk compensating behavior through which heightened security leads to debilitated security behaviors. Although the magnitude of the risk compensating behavior was significant, it was not enough to fully offset the benefits from added security. We discuss implications for theory and practice of information security.

previous article An AI-based Decision Support System for Predicting Mental Health Disorders

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

As we discuss later, from a probability perspective, the occurrence of security incidents is not completely without pattern. Rather, in most everyday situations the number of incidents in a unit of time (e.g., in a day) can be modelled using the Poisson distribution and the time between successive incidents can be modelled using the exponential distribution.

In fact, NIST, one of the most-widely used security frameworks (Cieslak, 2016) is voluntary to adopt and is deliberately designed not to be restrictive in its guidelines (National Institute of Standards and Technology, 2018).

Denoting the average time between incidents by α, the inspection cost by C_1, and the cost of every undetected unit of time by C₂, the optimum inspection time x is approximately equal to: \(x = \sqrt {\frac{{2\alpha {C_1}}}{{{C_2}}}} \)

In fact, this is a special case in which the optimum inspection time equals the average time between incidents. We intentionally chose C₁ and C₂ such that subjects’ intuitive answer to the problem coincided with the right inspection time (i.e., “the incident happens once every 30 seconds, so I might as well inspect once every 30 seconds”). It must be noted that this study is not particularly concerned with how accurately subjects assess the objectively-correct inspection interval. Rather, our goal is to understand differences in checking patterns in response to factors such as the outcome of previous checks, etc.

Prior research on risk compensating behavior shows that those who voluntarily adopt safety measures tend to behave more cautiously despite being safer (Scott et al., 2007). Although we do not test this hypothesis here, the voluntary nature of security in this task can therefore be expected to make the observed results more conservative than if all participants purchased security.

Since mean check intervals varied across conditions and rounds, directly comparing standard deviations was not justified; thus, we used the coefficients of variation.

The Payment Card Industry Data Security Standard (2018), Requirement 10: Security Tracking and Monitoring (https://www.pcisecuritystandards.org/documents/PCI_DSS-QRG-v3_2_1.pdf).

Readers are referred to (Warkentin at al., 2012) for a discussion on the benefits and drawbacks of using various research methodologies in studying risk compensating behaviors in information security.

Adams, J. G. (1988). Risk homeostasis and the purpose of safety regulation. Ergonomics, 31(4), 407–428CrossRef

Balozian, P., & Leidner, D. (2017). Review of IS security policy compliance: Toward the building blocks of an IS security theory. ACM SIGMIS Database: The DATABASE for Advances in Information Systems, 48(3), 11–43CrossRef

Barlow, R., Hunter, L., & Proschan, F. (1963). Optimum Checking Procedures. Journal of the Society for Industrial and Applied Mathematics, 11(4), 1078–1095. https://doi.org/10.1137/0111080CrossRef

Baskerville, R. (1993). Information systems security design methods: Implications for information systems development. ACM Comput. Surv, 25(4), 375–414. https://doi.org/10.1145/162124.162127CrossRef

Bazerman, M. H., & Moore, D. A. (2013). Judgment in Managerial Decision Making (8th ed.). Wiley

Bijttebier, P., Vertommen, H., & Steene, G. V. (2001). Assessment of cognitive coping styles. Clinical Psychology Review, 21(1), 85–104. https://doi.org/10.1016/S0272-7358(99)00041-0CrossRef

Blakley, B., McDermott, E., & Geer, D. (2001). Information security is information risk management. Proceedings of the 2001 Workshop on New Security Paradigms - NSPW ’01, 97. https://doi.org/10.1145/508171.508187

Bodin, L. D., Gordon, L. A., & Loeb, M. P. (2008). Information security and risk management. Communications of the ACM, 51(4), 64–68. https://doi.org/10.1145/1330311.1330325CrossRef

Boss, S., Kirsch, L. J., Angermeier, I., Shingler, R. A., & Boss, W. (2009). If someone is watching, I’ll do what I’m asked: Mandatoriness, control, and information security. European Journal of Information Systems, 18(2), 151–164CrossRef

Brandimarte, L., Acquisti, A., & Loewenstein, G. (2013). Misplaced confidences: Privacy and the control paradox. Social Psychological and Personality Science, 4(3), 340–347CrossRef

Butow, T., Kehoe, M., Holler, J., Lester, R., Keene, R., & Pritchard, J. (2018). Reducing MTTD for High-Severity Incidents: A How-To Guide for SREs (V. Wilson, Ed.; 1st ed.). O’Reilly Media. https://www.gremlin.com/oreilly-reducing-mttd-for-high-severity-incidents/?utm_source=google&utm_medium=cpc&gclid=CjwKCAjwk93rBRBLEiwAcMapUVYMjsmS_C1ECUi980QZICiDti0KZwXbVEsTvu1DUAV_nca7Cz8WJxoC0fIQAvD_BwE

Cassell, M. M., Halperin, D. T., Shelton, J. D., & Stanton, D. (2006). Risk compensation: The Achilles’ heel of innovations in HIV prevention? Bmj, 332(7541), 605–607CrossRef

Cerullo, V., & Cerullo, M. J. (2004). Business Continuity Planning: A Comprehensive Approach. Information Systems Management, 21(3), 70–78. https://doi.org/10.1201/1078/44432.21.3.20040601/82480.11CrossRef

Chen, M., Qian, C., & Nakagawa, T. (2011). Periodic and Random Inspection Policies for Computer Systems. In T. Kim, H. Adeli, H. Kim, H. Kang, K. J. Kim, A. Kiumi, & B. H. Kang (Eds.), Software Engineering, Business Continuity, and Education (pp. 346–353). Berlin Heidelberg: SpringerCrossRef

Chen, P., Desmet, L., & Huygens, C. (2014). A study on advanced persistent threats. Communications and Multimedia Security, 63–72. https://doi.org/10.1007/978-3-662-44885-4_5

Chong, A., & Restrepo, P. (2017). Regulatory protective measures and risky behavior: Evidence from ice hockey. Journal of Public Economics, 151, 1–11CrossRef

Christin, N., Egelman, S., Vidas, T., & Grossklags, J. (2012). It’s All about the Benjamins: An Empirical Study on Incentivizing Users to Ignore Security Advice. In G. Danezis (Ed.), Financial Cryptography and Data Security (pp. 16–30). Berlin Heidelberg: SpringerCrossRef

Cieslak, N. (2016, March 29). NIST cybersecurity framework adoption on the rise. Https://Www.Tenable.Com/Blog/Nist-Cybersecurity-Framework-Adoption-on-the-Rise. https://www.tenable.com/blog/nist-cybersecurity-framework-adoption-on-the-rise

Cohen, J. (1988). Statistical power analysis for the behavioral sciences (2nd ed.). L. Erlbaum Associates

Croson, R., & Sundali, J. (2005). The Gambler’s Fallacy and the Hot Hand: Empirical Data from Casinos. Journal of Risk and Uncertainty; New York, 30(3), 195–209. https://doi.org/10.1007/s11166-005-1153-2. http://dx.doi.org.proxy.library.umkc.edu/CrossRef

Crossler, R. E., Johnston, A. C., Lowry, P. B., Hu, Q., Warkentin, M., & Baskerville, R. (2013). Future directions for behavioral information security research. Computers & Security, 32, 90–101. https://doi.org/10.1016/j.cose.2012.09.010CrossRef

Evans, L. (1986). Risk Homeostasis Theory and Traffic Accident Data. Risk Analysis, 6(1), 81–94CrossRef

Ezhei, M., & Tork Ladani, B. (2020). Interdependency Analysis in Security Investment against Strategic Attacks. Information Systems Frontiers, 22(1), 187–201. https://doi.org/10.1007/s10796-018-9845-8CrossRef

FireEye (2019). M-Trends Cyber Security Trends.FireEye Mandiant Services. https://www.fireeye.com/current-threats/annual-threat-report/mtrends.html

Fox, C. R., & Ülkümen, G. (2011). Distinguishing two dimensions of uncertainty. In W. Brun, G. Keren, G. Kirkebøen, & H. Montgomery (Eds.), Perspectives on thinking, judging, and decision making. Universitetsforlaget

Fritz, C. O., Morris, P. E., & Richler, J. J. (2012). Effect size estimates: Current use, calculations, and interpretation. Journal of Experimental Psychology: General, 141(1), 2–18. https://doi.org/10.1037/a0024338CrossRef

Galletta, D. F., & Zhang, P. (2009). Introducing AIS Transactions on Human-Computer Interaction. AIS Transactions on Human-Computer Interaction, 1(1), 7–12CrossRef

Glendon, A. I., Hoyes, T., Haigney, D., & Taylor, R. (1996). A review of risk homeostasis theory in simulated environments. Safety Science, 22(1–3), 15–25CrossRef

Gutzwiller, R. S., Fugate, S., Sawyer, B. D., & Hancock, P. (2015). The human factors of cyber network defense. Proceedings of the Human Factors and Ergonomics Society Annual Meeting, 59, 322–326

Hedlund, J. (2000). Risky business: Safety regulations, risk compensation, and individual behavior. Injury Prevention, 6(2), 82–90. https://doi.org/10.1136/ip.6.2.82CrossRef

Herath, H., & Herath, T. C. (2008). Investments in Information Security: A Real Options Perspective with Bayesian Postaudit. Journal of Management Information Systems, 25(3), 337–375. https://doi.org/10.2753/MIS0742-1222250310CrossRef

Herath, T., & Rao, H. R. (2009). Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness. Decision Support Systems, 47(2), 154–165CrossRef

Ho, S. M., & Warkentin, M. (2017). Leader’s dilemma game: An experimental design for cyber insider threat research. Information Systems Frontiers, 19(2), 377–396. https://doi.org/10.1007/s10796-015-9599-5CrossRef

Jarvik, M. (1951). Probability learning and a negative recency effect in the serial anticipation of alternative symbols. Journal of Experimental Psychology, 41(4), 291–297CrossRef

Johnson, C. K., Gutzwiller, R. S., Ferguson-Walter, K., & Fugate, S. (2020). A Cyber-Relevant Table of Decision Making Biases and their Definitions (Version 1). Arizona State University. https://doi.org/10.13140/RG.2.2.14891.87846/1

Johnston, A. C., Warkentin, M., McBride, M., & Carter, L. (2016). Dispositional and situational factors: Influences on information security policy violations. European Journal of Information Systems, 25(3), 231–251CrossRef

Kabacoff, R. I. (2015). R in Action; R in Action, Data Analysis and Graphics with R (2nd ed.). Manning

Kahneman, D. (2011). Thinking, Fast and Slow. Farrar, Straus and Giroux

Kam, H. J., Mattson, T., & Goel, S. (2020). A Cross Industry Study of Institutional Pressures on Organizational Effort to Raise Information Security Awareness. Information Systems Frontiers, 22(5), 1241–1264. https://doi.org/10.1007/s10796-019-09927-9CrossRef

Kuo, H. C., & Varki, S. (2014). Are Firms Perceived As Safer After an Information Breach? ACR North American Advances, NA-42. http://acrwebsite.org/volumes/1017691/volumes/v42/NA-42

Kweon, E., Lee, H., Chai, S., & Yoo, K. (2021). The Utility of Information Security Training and Education on Cybersecurity Incidents: An empirical evidence. Information Systems Frontiers, 23(2), 361–373. https://doi.org/10.1007/s10796-019-09977-zCrossRef

Laury, S. K., McInnes, M. M., & Swarthout, J. T. (2009). Insurance decisions for low-probability losses. Journal of Risk and Uncertainty, 39(1), 17–44. https://doi.org/10.1007/s11166-009-9072-2CrossRef

Lee, R., & Lee, R. (2016). The Who, What, Where, When, Why and How of Effective Threat Hunting (SANS Institute: Reading Room - Analyst Papers). SANS. https://www.sans.org/reading-room/whitepapers/analyst/membership/36785

Maloney, S. (2018, September 1). What is an Advanced Persistent Threat (APT)? https://www.cybereason.com/blog/advanced-persistent-threat-apt

McNeil, B. J., Pauker, S. G., Sox, H. C., & Tversky, A. (1982). On the elicitation of preferences for alternative therapies. The New England Journal of Medicine, 306(21), 1259–1262. https://doi.org/10.1056/NEJM198205273062103CrossRef

Meyer-Delius, J., & Liebl, L. (1976). Evaluation of Vigilance Related to Visual Perception. In T. B. Sheridan & G. Johannsen (Eds.), Monitoring Behavior and Supervisory Control (pp. 97–106). Springer US. https://doi.org/10.1007/978-1-4684-2523-9_9

National Institute of Standards and Technology (2018). Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 (NIST Cybersecurity White Paper). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.CSWP.04162018

Northcraft, G. B., & Neale, M. A. (1987). Experts, amateurs, and real estate: An anchoring-and-adjustment perspective on property pricing decisions. Organizational Behavior and Human Decision Processes, 39(1), 84–97. https://doi.org/10.1016/0749-5978(87)90046-XCrossRef

Peltzman, S. (1975). The Effects of Automobile Safety Regulation. Journal of Political Economy, 83(4), 677–725. https://doi.org/10.1086/260352CrossRef

Posey, C., Roberts, T., Lowry, P. B., Bennett, B., & Courtney, J. (2013). Insiders’ protection of organizational information assets: Development of a systematics-based taxonomy and theory of diversity for protection-motivated behaviors (SSRN Scholarly Paper ID 2173642). Social Science Research Network. https://papers.ssrn.com/abstract=2173642

Rabin, M. (2002). Inference by Believers in the Law of Small Numbers. The Quarterly Journal of Economics, 117(3), 775–816CrossRef

Rajivan, P., Aharonov-Majar, E., & Gonzalez, C. (2020). Update now or later? Effects of experience, cost, and risk preference on update decisions. Journal of Cybersecurity, 6(1), tyaa002. https://doi.org/10.1093/cybsec/tyaa002CrossRef

Renaud, K., & Warkentin, M. (2017). Risk Homeostasis in Information Security: Challenges in Confirming Existence and Verifying Impact. Proceedings of the 2017 New Security Paradigms Workshop, 57–69. https://doi.org/10.1145/3171533.3171534

Reyna, V. F., Chick, C. F., Corbin, J. C., & Hsia, A. N. (2014). Developmental reversals in risky decision making: Intelligence agents show larger decision biases than college students. Psychological Science, 25(1), 76–84. https://doi.org/10.1177/0956797613497022CrossRef

Sagberg, F., Fosser, S., & Saetermo, I. A. (1997). An investigation of behavioural adaptation to airbags and antilock brakes among taxi drivers. Accident; Analysis and Prevention, 29(3), 293–302. https://doi.org/10.1016/S0001-4575(96)00083-8CrossRef

Saltzer, J. H., & Schroeder, M. D. (1975). The protection of information in computer systems. Proceedings of the IEEE, 63(9), 1278–1308

Scott, M. D., Buller, D. B., Andersen, P. A., Walkosz, B. J., Voeks, J. H., Dignan, M. B., & Cutter, G. R. (2007). Testing the risk compensation hypothesis for safety helmets in alpine skiing and snowboarding. Injury Prevention, 13(3), 173–177. https://doi.org/10.1136/ip.2006.014142CrossRef

Sheridan, T. B., & Johannsen, G. (Eds.). (1976). Monitoring Behavior and Supervisory Control (1st ed. 1976). Imprint: Springer

Shimao, H., Khern-am-nuai, W., & Kannan, K. N. (2019). So You Think You Are Safe: Implications of Quality Uncertainty in Security Software (SSRN Scholarly Paper ID 2621846). Social Science Research Network. https://papers.ssrn.com/abstract=2621846

Siponen, M., & Willison, R. (2009). Information security management standards: Problems and solutions. Information & Management, 46(5), 267–270. https://doi.org/10.1016/j.im.2008.12.007CrossRef

Slovic, P. (2010). The Feeling of Risk: New Perspectives on Risk Perception. Earthscan

Smith, V. L. (1994). Economics in the laboratory. Journal of Economic Perspectives, 8(1), 113–131. https://doi.org/10.1257/jep.8.1.113CrossRef

Stafford, T., Deitz, G., & Li, Y. (2018). The role of internal audit and user training in information security policy compliance. Managerial Auditing Journal, 33(4), 410–424CrossRef

Straub, D. W., & Welke, R. J. (1998). Coping with systems risk: Security planning models for management decision making.MIS Quarterly,441–469

Streff, F. M., & Geller, E. S. (1988). An experimental test of risk compensation: Between-subject versus within-subject analyses. Accident; Analysis and Prevention, 20(4), 277–287. https://doi.org/10.1016/0001-4575(88)90055-3CrossRef

Tola, B., Jiang, Y., & Helvik, B. E. (2017). Failure process characteristics of cloud-enabled services. 2017 9th International Workshop on Resilient Networks Design and Modeling (RNDM), 1–7. https://doi.org/10.1109/RNDM.2017.8093033

Trimpop, R. M. (1994). The Psychology of Risk Taking Behavior. Elsevier

Tversky, A., & Kahneman, D. (1971). Belief in the law of small numbers. Psychological Bulletin, 76(2), 105–110. https://doi.org/10.1037/h0031322CrossRef

Verizon (2018). 2018 data breach investigations report, 11th edition (Research Report No. 11th). Verizon. verizonenterprise.com/DBIR2018

Wang, J., Gupta, M., & Rao, H. R. (2015). Insider threats in a financial institution: Analysis of attack-proneness of information systems applications. MIS Q, 39(1), 91–112. https://doi.org/10.25300/MISQ/2015/39.1.05CrossRef

Warkentin, M., Crossler, R. E., & Malimage, N. (2012). Are You Sure You’re Safe? Perceived Security Protection as an Enabler of Risky IT Behavior. Proceedings of the 2012 International Federation of Information Processing (IFIP) International Workshop on Information Systems Security Research, Dewald Roode Information Security Workshop

Warkentin, M., Goel, S., Williams, K. J., & Renaud, K. (2018). Are we Predisposed to Behave Securely? Influence of Risk Disposition on Individual Security Behaviours. ECIS, 25

Weeger, A., Wang, X., Gewald, H., Raisinghani, M., Sanchez, O., Grant, G., & Pittayachawan, S. (2020). Determinants of Intention to Participate in Corporate BYOD-Programs: The Case of Digital Natives. Information Systems Frontiers, 22(1), 203–219. https://doi.org/10.1007/s10796-018-9857-4CrossRef

Wickens, C. D., Gordon, S. E., & Liu, Y. (1998). & others. An introduction to human factors engineering

Wilde, G. (1994). Target risk: Dealing with the danger of death, disease and damage in everyday decisions. Castor & Columba

Wilde, G. (1998). Risk homeostasis theory: An overview. Injury Prevention, 4(2), 89–91CrossRef

Zhang, P., Li, N., Scialdone, M., & Carey, J. (2009). The intellectual advancement of human-computer interaction research: A critical assessment of the MIS literature (1990–2008). AIS Transactions on Human-Computer Interaction, 1(3), 55–107CrossRef

Title: Detecting Cybersecurity Threats: The Role of the Recency and Risk Compensating Effects
Authors: Roozmehr Safi
Glenn J. Browne
Publication date: 30-05-2022
Publisher: Springer US
Published in: Information Systems Frontiers / Issue 3/2023
Print ISSN: 1387-3326
Electronic ISSN: 1572-9419
DOI: https://doi.org/10.1007/s10796-022-10274-5

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Other articles of this Issue 3/2023

Cognitive Dissonance in Technology Adoption: A Study of Smart Home Users

Disruption and Legitimacy: Big Data in Society

An Assessment of the Barriers Impacting Responsible Artificial Intelligence

Authenticity in Objects and Activities: Determinants of Satisfaction with Virtual Reality Experiences of Heritage and Non-Heritage Tourism Sites

How Do Users Feel When They Use Artificial Intelligence for Decision Making? A Framework for Assessing Users’ Perception

Pathways to Digital Service Innovation: The Role of Digital Transformation Strategies in Established Organizations

Premium Partner