Abstract

Organizations are interested in improving information security and make use of a range of technical, organizational, or behavioral measures. The different approaches to improving information security must not be viewed in isolation; instead, different measures might influence each other. Security efforts fail when technical measures influence human behavior in such a way that users' security perceptions and behaviors are altered to the disadvantage of the security outcome. These unintended consequences of information security practices can be classified as risk compensation behaviors, which describe how users become more careless when they perceive some level of protection. This research in progress aims to understand risk compensation behaviors for cascaded security choices by different actors (e.g., security decisions made by organizations vs. decisions made by individuals) and presents a lab experiment to test this issue.
