Mis-spending on information security measures: Theory and experimental evidence

Authors:

Highlights:

• We study security investment from a descriptive (versus a normative) perspective.

• We find patterns of systematic deviation from optimality (biases) in investment.

• We document a “Prevention Bias” in information security investment.

• The non-linear link between risk and the needed investment leads to misspending.

• Decision makers react even to small threats that normatively warrant no reaction.


Keywords: Information security investment, Prevention, Detection and response, Decision biases, Prevention bias, Experiment

Review history: Received 16 January 2020, Revised 1 December 2020, Accepted 3 December 2020, Available online 29 December 2020, Version of Record 29 December 2020.

Official paper URL: https://doi.org/10.1016/j.ijinfomgt.2020.102291