Looking at Information Security through a Prospect Theory Lens

摘要

Traditional accounts of decision-making under uncertainty have taken the Von Neumann and Morgenstern approach of Expected Utility Theory that considers how decisions under uncertainty should be made. This prescriptive model states that, when faced with a choice, a rational decision maker will pick the prospect that offers the highest expected utility. But as has been demonstrated by Kahnemann and Tversky in Prospect Theory, decision-making under uncertainty often deviates from what Expected Utility Theory predicts, largely depending on whether the decision is framed as a gain or a loss. According to their model, choices framed as gains often lead to risk-averse behavior, and choices framed as losses often induce risk-seeking behavior. This paper reviews various theories of decision-making under uncertainty and evaluates the relevance of Prospect Theory in the information security context. An instrument is developed to evaluate relevance, preliminary results are presented, and implications for future research are discussed.