In 2014, we launched our open-access repository which offers full text access to conference proceedings from many of our events including the INC and HAISA series. These papers are free to access and distribute (subject to citing the source).
Ninth International Symposium on Human Aspects of Information Security & Assurance (HAISA 2015)
Title: Perceived Information Security Risk as a Function of Probability and Severity
Author(s): Teodor Sommestad, Henrik Karlzén, Peter Nilsson, Jonas Hallberg
Keywords: Information security risk assessment, Risk perception, Perceived severity, Perceived probability
Abstract: Information security risks are frequently assessed in terms of the probability that a threat will be realized and the severity of the consequences of a realized threat. In methods and manuals, the product of this probability and severity is often thought of as the risk to consider and manage. However, studies of human behavior and intentions in the field of information security suggest that in general, this is not the way security is perceived. In fact, few studies have found an interaction (i.e., a multiplicative relationship) between probability and severity. This paper describes a study where the ratings of risk and the two variables probability and severity were collected on 105 security threats from ten individuals together with information about the respondents’ expertise and cognitive style. These ten individuals do not assess risk as the product of probability and severity, regardless of expertise and cognitive style. Depending on how risk is measured, an additive model explains 54.0% or 38.4% of the variance in risk. If a multiplicative term is added, the mean increased variance is only 1.5% or 2.4%, and for most of the individuals the contribution of the multiplicative term is statistically insignificant.
Download count: 2797
How to get this paper:
PDF copy of this paper is free to download. You may distribute this copy providing you cite this page as the source.