Abstract

Most articles that discuss the economics of security focus on the use of rational choice decision models for evaluating investment alternatives. However, security investment decisions involve risk, and several researchers have noted that risk-related decisions often violate the fundamental principles of rational choice decision models. Accordingly, we assert that problems exist with using these models to explain security investment decisions. Further, we believe that the development of prescriptive models to guide investment decisions requires a deeper understanding of the cognitive processes involved. To test these ideas, we introduce a study that uses prospect theory to analyze security practitioners’ investment decisions. The article includes a discussion of our methodology to electronically assess security practitioners’ preference patterns. Additionally, we discuss data collection efforts, which are currently in progress, and future plans to analyze the collected data. Interim analytical results of data received prior to AMCIS 2012 will be presented to conference attendees.

Prospect Theory and Information Security Investment Decisions
