Risk homeostasis as a factor in information security

Abstract

Information security has become a complex human-driven science. There is widespread recognition of the fact that technology on its own no longer offers complete solutions to the information security problem and that the human aspect of information security is the most important determinant of information security success. Despite this acknowledgement and the large number of research projects that deals with the human aspects of information security, there are still no absolute solutions for what may seem to be very basic information security behaviour problems. The so-called privacy paradox or knowing-doing gap is a good example of a problem that remains something of a mystery. This type of problem refers to users with a high level of security awareness but who are easily persuaded to reveal confidential information (e.g. passwords) when asked for it. It therefore appears that the information security behaviour problem requires the use and implementation of new models, approaches and techniques to manage and understand information security risks and behaviour. In this study that was conducted at a large, multi-billion dollar utility company with more than 3500 IT users and over 2 million customers, a number of human information security aspects were investigated. These studies have culminated into a recommendation that risk homeostasis as a theory should be considered as a factor in information security, both as an explanatory and a prediction framework for information security behaviour. An initial study had been performed to develop a framework to identify key dimensions in good corporate governance in order to ensure that appropriate objectives are identified and focused on. Practical social engineering (phishing) exercises were then conducted to indicate that information security behaviour often suffers from the privacy paradox. In an effort to understand this paradoxical information security behaviour, a trust survey was conducted and results were explained in terms of the practical phishing experiments. In addition, perceptual differences among users, information technology staff and management were analysed as another explanatory variable. Finally, these different research studies have led to a theoretical consideration of risk homeostasis as a theory that should be considered to explain and predict information security behaviour. This final study also deals with possible problems that may be associated with the risk homeostasis model (e.g. security fatigue) and suggests new approaches (e.g. the slower is faster effect and the automaticity of social behaviour assumption) as ways to deal with them. The results of the various research activities have led to a number of contributions. The study opens up the prospect of theorising on risk homeostasis as a framework in information security behaviour that can be used to explain and predict information security behaviour, especially the contradictory behaviour of the privacy paradox. A value-focused approach has been developed to determine distinctive and unique security dimensions and objectives. It has been shown how practical security incidents can create opportunities for organisational learning and, at the same time, empirical evidence has been provided to show the serious challenges that are presented by the privacy paradox. A trust survey confirms the important role that trust plays in information security problems such as the privacy paradox. An investigation into perceptual differences between different groups of people indicated that information security congruence is a prerequisite for a successful information security environment; this has led to a proposed new model for a safe and secure information environment. Finally, the results have contributed to the development of a better and more successful information security framework in the company under study.