ABSTRACT
The central premise behind risk homeostasis theory is that humans adapt their behaviors, based on external factors, to align with a personal risk tolerance level. In essence, this means that the safer or more secure they feel, the more likely it is that they will behave in a risky manner. If this effect exists, it serves to restrict the ability of risk mitigation techniques to effect improvements.
The concept is hotly debated in the safety area. Some authors agree that the effect exists, but also point out that it is poorly understood and unreliably predicted. Other researchers consider the entire concept fallacious. It is important to gain clarity about whether the effect exists, and to gauge its impact if such evidence can indeed be found.
In this paper we consider risk homeostasis in the context of information security. Similar to the safety area, information security could well be impaired if a risk homeostasis effect neutralizes the potential benefits of risk mitigation measures. If the risk homeostasis effect does indeed exist and does impact risk-related behaviors, people will simply elevate risky behaviors in response to feeling less vulnerable due to following security procedures and using protective technologies.
Here we discuss, in particular, the challenges we face in confirming the existence and impact of the risk homeostasis effect in information security, especially in an era of ethical research practice.
Risk Homeostasis in Information Security: Challenges in Confirming Existence and Verifying Impact