Communications of the Association for Information Systems


Researchers studying the economics of information security have traditionally focused on the use of rational choice decision models for evaluating investment alternatives. Security investment decisions involve risk, and several researchers have noted that risk-related decisions often violate the fundamental principles of rational choice decision models. This study tests the prevailing presumption in published research that information security investment decisions are made in an entirely rational manner. We empirically validated our hypothesis that information security investment decision makers in fact exhibit preference reversals when faced with competing budget alternatives involving risk. Specifically, we observed the framing effect under prospect theory, which suggests that individuals exhibit unique risk attitudes when evaluating gain-related and loss-related risk decisions. Accordingly, we argue that existing, widely accepted rational choice and economic models for information security investments need to be supplemented with risk perception measurement and need to account for individual-level decision biases.