Analyzing the role of cognitive and cultural biases in the internalization of information security policies: Recommendations for information security awareness programs

Computers and Security

Volumn 52, Issue , 2015, Pages 128-141

  Tsohou, Aggeliki ^a   Karyda, Maria ^b   Kokolakis, Spyros ^b  

^a Ionian University   (Greece)

^b UNIVERSITY OF THE AEGEAN   (Greece)

Author keywords

Cognitive bias; Cultural bias; Information security awareness; Risk decision making; Security behavior; Security policy compliance

Indexed keywords

DECISION MAKING; ECONOMICS; MOBILE SECURITY; RISK PERCEPTION; SECURITY SYSTEMS;

COGNITIVE BIAS; CULTURAL BIAS; INFORMATION SECURITY AWARENESS; RISK DECISION MAKING; SECURITY BEHAVIOR; SECURITY POLICY;

SECURITY OF DATA;

EID: 84930200251     PISSN: 01674048     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.cose.2015.04.006     Document Type: Article

References (66)

1. A. Acquisti Privacy in electronic commerce and the economics of immediate gratification Proceedings of the 5th ACM Conference on Electronic Commerce, May 17-20, 2004, New York, USA 2004
2. D.A. Armor, and S.E. Taylor When predictions fail: the dilemma of unrealistic optimism T. Gilovich, D.W. Griffin, D. Kahneman, Heuristics and biases 2002 Cambridge University Press 334 347
3. BBC News Greater Manchester police fined over stolen data stick 2012 http://www.bbc.com/news/uk-england-manchester-19960966 [accessed 12.12.14]
4. L. Biener, M. Ji, E.A. Gilpin, and A.B. Albers The impact of emotional tone, message, and broadcast parameters in youth anti-smoking advertisements J Health Commun 9 3 2004 259 274
5. J. Brenot, S. Bonnefous, and C. Marris Testing the cultural theory of risk in France Risk Anal 18 6 1998 729 739
6. B. Bulgurcu, H. Cavusoglu, and I. Benbasat Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness MIS Quarterly 34 3 2010 523 548
7. A. Caputo A literature review of cognitive biases in negotiation process Int J Confl Manag 24 4 2013 374 398
8. G.B. Chapman, and E.J. Johnsons Incorporating the irrelevant: anchors in judgments of belief and value T. Gilovich, D.W. Griffin, D. Kahneman, Heuristics and biases 2002 Cambridge University Press 120 138
9. J. D'Arcy, A. Hovav, and D. Galletta User awareness of security countermeasures and its impact on information systems misuse Information Syst Res 20 1 2009 79 98
10. N. Davinson, and E. Sillence It won't happen to me: promoting secure behaviour among internet users Comput Hum Behav 26 6 2010 1739 1747
11. M.R.P. Dougherty, C.F. Gettys, and E.E. Ogden MINERVA-DM: a memory process model for judgments of likelihood Psychol Rev 106 1 1999 180 209
12. M. Douglas, and A. Wildavsky Risk and culture: an assay on the selection of technological and environmental dangers 1982 California University Press Berkeley
13. ENISA Secure USB flash drives 2008 Retrieved from http://www.enisa.europa.eu/publications/archive/secure-usb-flash-drives-en [accessed 12.12.14]
14. ENISA The new users' guide: how to raise information security awareness 2010 Retrieved from http://www.enisa.europa.eu/publications/archive/copy-of-new-users-guide [accessed 22.11.14]
15. Ernst & Young Global Information Security Survey Fighting to close the gap 2012 Available online at: http://www.ey.com/Publication/vwLUAssets/GISS2012/$FILE/EY-GISS-2012.pdf [accessed 22.11.14]
16. S. Frederick, G. Loewenstein, and T. O'Donoghue Time discounting and time preference: a critical review J Econ Literature 40 2 2002 351 401
17. A. Furnham, and C.H. Boo A literature review of the anchoring effect J Socio-Economics 40 1 2011 35 42
18. J.I. Gabriel, and E. Nyshadham A cognitive map of people's online risk perceptions and attitudes: an empirical study Proceedings of the 41st Hawaii International Conference on System Sciences (HICSS), Big Island, HI 2008 274 283
19. T. Gilovich, D.W. Griffin, and D. Kahneman Heuristics and biases: the psychology of intuitive judgment 2002 Cambridge University Press
20. S. Haag, and A. Eckhardt Sensitizing employees' corporate is security risk perception Proceedings of the 35th International Conference on Information Systems (ICIS), Auckland, New Zealand 2014
21. F. Haeussinger, and J. Kranz Information security Awareness: Its antecedents and mediating effects on security compliant behavior Proceedings of the International Conference on Information Systems ICIS 2013, Milan, Italy 2013
22. S. Hansche Designing a security awareness program: Part I Inf Syst Secur 9 6 2001 14 23
23. T. Herath, and H.R. Rao Encouraging information security behaviors in organizations: role of penalties, pressures and perceived effectiveness Decis Support 47 2 2009 154 165
24. T. Herath, and H.R. Rao Protection motivation and deterrence: a framework for security policy compliance in organisations Eur J Inform Syst 18 2 2009 106 125
25. C.K. Hsee, and H.C. Kunreuther The affect effect in insurance decisions J Risk Uncertain 20 2 2000 141 159
26. D. Huang, P.P. Rau, and G. Salvendy Perception of information security Behav Information Technol 29 3 2010 221 232
27. D. Huang, P.P. Rau, G. Salvendy, F. Gao, and J. Zhou Factors affecting perception of information security and their impacts on IT adoption and security practices Int J Human-Comput Stud 69 12 2011 870 883
28. P. Ifinedo Understanding information systems security policy compliance: an integration of the theory of planned behavior and the protection motivation theory Comput Secur 31 1 2012 83 95
29. D. Kahneman, and A. Tversky Choices, values, and frames Am Psychol 39 4 1984 341 350
30. D. Kahneman, and S. Frederick Representativeness revisited: attribute substitution in intuitive judgment T. Gilovich, D.W. Griffin, D. Kahneman, Heuristics and biases 2002 Cambridge University Press 49 81
31. D. Kahneman, D. Lovallo, and O. Sibony Before you make that big decision Harv Bus Rev 89 6 2011 50 60
32. M. Karjalainen, and M. Siponen Toward a new meta-theory for designing information systems (IS) security training approaches J Assoc Inform Syst 12 8 2011 518 555
33. S. Katsikas Health care management and information systems security: Awareness, training or education? International Journal of Medical Informatics 60 2 2000 129 135
34. I. Langford, S. Georgiou, I. Bateman, R. Day, and R. Turner Public perceptions of health risks from polluted coastal bathing waters: a mixed methodological analysis using cultural theory Risk Anal: An Int J 20 5 2000 691 705
35. C.G. Lord, L. Ross, and M.R. Lepper Biased assimilation and attitude polarization: the effects of prior theories on subsequently considered evidence J Pers Soc Psychol 37 1979 2098 2109
36. C. Marris, I.H. Langford, and T. O'Riordan A quantitative test of the cultural theory of risk perceptions: comparison with the psychometric paradigm Risk Anal 18 5 1998 635 647
37. R.S. Nickerson Confirmation bias: a ubiquitous phenomenon in many guises Rev General Psychol 2 2 1998 175 220
38. NIST Information technology security training requirements: a role- and performance-based model (NIST SP 800-16) 1998 Retrieved from http://csrc.nist.gov/publications/PubsSPs.html [accessed 22.11.14]
39. NIST Building an information technology security awareness and training program (NIST SP 800-50) 2003 Retrieved from http://csrc.nist.gov/publications/PubsSPs.html [accessed 22.11.14]
40. NIST Security and privacy controls for federal information systems and organizations (NIST SP 800-53, Rev. 4) 2013 Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf [accessed 18.05.15]
41. L.P. Ong, and C.F. Chong Information security awareness: an application of psychological factors - a study in Malaysia Proceedings of International Conference on Computer, Communications and Information Technology, Beijing, China 2014
42. T.R. Peltier Implementing an information security awareness program Inf Syst Secur 14 2 1995 37 48
43. S.L. Pfleeger Risky business: what we have yet to learn about risk management J Syst Softw 53 3 2000 265 273
44. H.S. Rhee, Y.U. Ryu, and C.T. Kim Unrealistic optimism on information security management Comput Secur 31 2 2012 221 232
45. K. Riddle Always on my mind: exploring how frequent, recent, and vivid television portrayals are used in the formation of social reality judgments Media Psychol 13 2 2010 155 179
46. S. Rippl Cultural theory and risk perception: a proposal for a better measurement J Risk Res 5 2 2002 147 165
47. B. Schneier The psychology of security Progress in cryptology -AFRICACRYPT, LNCS vol. 5023 2008 Springer Berlin Heidelberg 50 79
48. T. Sharot, A.M. Riccardi, C.M. Raio, and E.A. Phelps Neural mechanisms mediating optimism bias Nature 450 7166 2007 102 105
49. J. Sherman, R.B. Cialdini, D.F. Schwartzman, and K.D. Reynolds Imagining can heighten or lower the perceived likelihood of contracting a disease: the mediating effect of ease of imagery Personality Soc Psychol Bull 11 1 1985 118 127
50. S. Singh, A. Cabraal, C. Demosthenous, G. Astbrink, and M. Furlong Security design based on social and cultural practice: sharing of passwords N. Aykin, Usability and internationalization 2007 Springer Berlin Heidelberg Berlin 476 485
51. M. Siponen, S. Pahnila, and M.A. Mahmood Compliance with information security policies: an empirical investigation IEEE Comput 43 2 2010 64 72
52. S.A. Sloman Two systems of reasoning T. Gilovich, D.W. Griffin, D. Kahneman, Heuristics and biases 2002 Cambridge University Press 379 396
53. P. Slovic Perception of risk Science 236 4799 1987 280 285
54. P. Slovic, M. Finucane, E. Peters, and D.G. MacGregor The affect heuristic T. Gilovich, D.W. Griffin, D. Kahneman, Heuristics and biases 2002 Cambridge University Press 397 420
55. P. Slovic, M.L. Finucane, E. Peters, and D.G. MacGregor Risk as analysis and risk as feelings: some thoughts about affect, reason, risk, and rationality Risk Anal 24 2 2004 311 322
56. P. Slovic, B. Fischhoff, and S. Lichtenstein Behavioral decision theory perspectives on risk and safety Acta Psychol 56 1-3 1984 183 203
57. P. Slovic, J. Monahan, and D.M. MacGregor Violence risk assessment and risk communication: the effects of using actual cases, providing instructions, and employing probability vs. frequency formats Law Hum Behav 24 3 2000 271 296
58. T. Sommestad, J. Hallberg, K. Lundholm, and J. Bengtsson Variables influencing information security policy compliance: a systematic review of quantitative studies Inform Manag Comput Secur 22 1 2014 42 75
59. G. Stewart A safety approach to information security communications, Inf Secur Tech Rep 14 4 2009 197 201
60. G. Stewart, and D. Lacey Death by a thousand facts: criticising the technocratic approach to information security awareness Inform Manag Comput Secur 20 1 2012 29 38
61. F. Strack, and T. Mussweiler Explaining the enigmatic anchoring effect: mechanisms of selective accessibility J Pers Soc Psychol 73 3 1997 437 446
62. A. Tsohou, M. Karyda, S. Kokolakis, and E. Kiountouzis Formulating information systems risk management strategies through cultural theory Inform Manag Comput Secur 14 3 2006 198 217
63. A. Tversky, and D. Kahneman Judgment under uncertainty: heuristics and biases Science 185 1974 1124 1131
64. A. Vance, M. Siponen, and S. Pahnila Motivating is security compliance: insights from habit and protection motivation theory Inform Manage 49 3-4 2012 190 198
65. N.D. Weinstein, and W.M. Klein Resistance to personal risk perceptions to debiasing interventions Health Psychol 14 2 1995 132 140
66. P. Winkielman, R.B. Zajonc, and N. Schwarz Subliminal affective priming resists attributional interventions Cognition Emot 11 4 1997 433 465