Risk homeostasis in information security: challenges in confirming existence and verifying impact

Karen Renaud, Merrill Warkentin

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

2 Citations (Scopus)
33 Downloads (Pure)

Abstract

The central premise behind risk homeostasis theory is that humans adapt their behaviors, based on external factors, to align with a personal risk tolerance level. In essence, this means that the safer or more secure they feel, the more likely it is that they will behave in a risky manner. If this effect exists, it serves to restrict the ability of risk mitigation techniques to effect improvements.

The concept is hotly debated in the safety area. Some authors agree that the effect exists, but also point out that it is poorly understood and unreliably predicted. Other researchers consider the entire concept fallacious. It is important to gain clarity about whether the effect exists, and to gauge its impact if such evidence can indeed be found.

In this paper we consider risk homeostasis in the context of information security. Similar to the safety area, information security could well be impaired if a risk homeostasis effect neutralizes the potential benefits of risk mitigation measures. If the risk homeostasis effect does indeed exist and does impact risk-related behaviors, people will simply elevate risky behaviors in response to feeling less vulnerable due to following security procedures and using protective technologies.

Here we discuss, in particular, the challenges we face in confirming the existence and impact of the risk homeostasis effect in information security, especially in an era of ethical research practice.

Original language: English
Title of host publication: Proceedings of New Security Paradigms Workshop (NSPW’17)
Place of Publication: New York
Publisher: Association for Computing Machinery (ACM)
Pages: 57-69
Number of pages: 13
ISBN (Print): 9781450363846
DOIs: https://doi.org/10.1145/3171533.3171534
Publication status: Published - 2017
Event: New Security Paradigms Workshop - Santa Cruz, United States
Duration: 1 Oct 2017 → 4 Oct 2017
http://www.nspw.org/

Workshop

Workshop: New Security Paradigms Workshop
Abbreviated title: NSWP 2017
Country: United States
City: Santa Cruz
Period: 1/10/17 → 4/10/17
Internet address: http://www.nspw.org/

Fingerprint

Information security
Homeostasis
Risk mitigation
Safety
Risky behavior
Risk tolerance
External factors

Cite this

Renaud, K., & Warkentin, M. (2017). Risk homeostasis in information security: challenges in confirming existence and verifying impact. In Proceedings of New Security Paradigms Workshop (NSPW’17) (pp. 57-69). New York: Association for Computing Machinery (ACM). https://doi.org/10.1145/3171533.3171534