In a pilot study, we employed a series of novel economic games to investigate the underexplored behavioral aspects of security investment decisions and security investment structure decisions (i.e., budgeting the security expenditure among different types of security measures). In our study, decision makers exhibited a bias toward investing in prevention even though investing in detection and response yielded the same return on security investment. We also demonstrated that it is difficult for human decision makers to determine the optimal security investment amount even when return on investment is readily calculable. Nearly all participants invested in security when the risk was so small that the economically justifiable security investment amount was zero.
Safi, Roozmehr and Browne, Glenn, "Investment in Information Security Measures: A Behavioral Investigation" (2015). WISP 2015 Proceedings. 8.