Author(s)

JOHAN J. DE WIT, WOLTER PIETERS, PIETER H. A. J. M. VAN GELDER

Abstract

Risk assessments in the (cyber) security domain are often, if not always, based on subjective expert judgement. For the first time, to the best of our knowledge, the individual preferences of professionals from the security domain are studied. In on online survey they are asked to mention, rate and rank their preferences when assessing a security risk. The survey setup allows to differentiate between easily accessible or “on top of mind” attributes and guided or stimulated attributes. The security professionals are also challenged to both non-compensatory and compensatory decision making on the relevance of the attributes. The results of this explorative study indicate a clear difference and shift in the individual perceived relevance of attributes in these different settings. Another remarkable finding of this study is the predominant focus on impact attributes by the respondents and the less significant position of likelihood or probability. The majority of professionals seem to ignore likelihood in their security risk assessment. This might be due to so called probability neglect as introduced by other scholars. the security in organisations and society is depending on the assessment and judgement of these professionals, understanding their preferences and the influence of cognitive biases is paramount. This study contributes to this body of knowledge and might raise attention to this important topic in both the academic and professional security domain.

Keywords

security risk assessment, decision making, risk management, decision biases, preferences, probability neglect