Using Prospect Theory to Investigate Decision-Making Bias Within an Information Security Context

摘要

Information security is an issue that has increased in importance over the past decade. In this time both practitioner and academic circles have researched and developed practices and process to more effectively handle information security. Even with growth in these areas there has been little research conducted into how decision makers actually behave. This is problematic because decision makers in the Department of Defense have been observed exhibiting risk seeking behavior when making information security decisions that seemingly violate accepted norms. There are presently no models in the literature that provide sufficient insight into this phenomenon. This study used Prospect Theory as a framework to develop a survey in an effort to obtain insight into how decision makers actually behave while making information security decisions. The survey was distributed to Majors in the Air Force who represented likely future information security decision makers. The results of the study were mixed, showing that prospect theory had only limited explanatory power in this context. The most significant finding showed that negatively connotated decision frames result in significantly more risk seeking behavior. These results provide insight into decision maker behavior and highlight the fact that there are biases in information security decision making.