Location

Online

Event Website

https://hicss.hawaii.edu/

Start Date

3-1-2022 12:00 AM

End Date

7-1-2022 12:00 AM

Description

Inadvertent human errors (e.g., clicking on phishing emails or falling for a spoofed website) have been the primary cause of security breaches in recent years. To understand the root cause of these errors and examine practical solutions for users to overcome them, we applied the theory of bounded rationality and explored the role of heuristics (i.e., short mental processes) in security decision making. Interviews with 27 participants revealed that users rely on various heuristics to simplify their decision making in the information security context. Specifically, users rely on experts’ comments (i.e., expertise heuristic), information at hand, such as recent events (i.e., availability heuristic), and security-representative visual cues (i.e., representativeness heuristic). Findings also showed the use of other heuristics, including affect, brand, and anchoring, to a lesser degree. The results have practical and theoretical significance. In particular, they extend the literature by integrating bounded rationality concepts and elaborating “how” users simplify their security decision making by relying on cognitive heuristics.

Share

COinS
 
Jan 3rd, 12:00 AM Jan 7th, 12:00 AM

The Role of Heuristics in Information Security Decision Making

Online

Inadvertent human errors (e.g., clicking on phishing emails or falling for a spoofed website) have been the primary cause of security breaches in recent years. To understand the root cause of these errors and examine practical solutions for users to overcome them, we applied the theory of bounded rationality and explored the role of heuristics (i.e., short mental processes) in security decision making. Interviews with 27 participants revealed that users rely on various heuristics to simplify their decision making in the information security context. Specifically, users rely on experts’ comments (i.e., expertise heuristic), information at hand, such as recent events (i.e., availability heuristic), and security-representative visual cues (i.e., representativeness heuristic). Findings also showed the use of other heuristics, including affect, brand, and anchoring, to a lesser degree. The results have practical and theoretical significance. In particular, they extend the literature by integrating bounded rationality concepts and elaborating “how” users simplify their security decision making by relying on cognitive heuristics.

https://aisel.aisnet.org/hicss-55/in/behavioral_is_security/5