Keywords

risk perception, information security behavior, NeuroIS, self-reported measures, EEG, Iowa Gambling Task (IGT), laboratory experiment, security warning disregard

Abstract

Users' perceptions of risks have important implications for information security, as the actions of individual users can compromise entire systems. Therefore, there is a critical need to understand how users perceive and respond to information security risks. Previous research on perceptions of information security risk has chiefly relied on self-reported measures. Although these studies are valuable, risk perceptions are often associated with feelings—such as fear or doubt—that are difficult to measure accurately using survey instruments. Additionally, it is unclear how these self-reported measures map to actual security behavior. This paper contributes by demonstrating that risk-taking behavior is effectively predicted using electroencephalography (EEG) via event-related potentials (ERPs). Using the Iowa Gambling Task, a widely used technique shown to be correlated with real-world risky behaviors, we show that the differences in neural responses to positive and negative feedback strongly predict users' information security behavior in a separate laboratory-based computing task. In addition, we compare the predictive validity of EEG measures to that of self-reported measures of information security risk perceptions. Our experiments show that self-reported measures are ineffective in predicting security behaviors under a condition in which information security is not salient. However, we show that, when security concerns become salient, self-reported measures do predict security behavior. Interestingly, EEG measures significantly predict behavior in both salient and non-salient conditions, indicating that EEG measures are a robust predictor of security behavior.

Original Publication Citation

Vance, A., Anderson, B., Kirwan, B., Eargle, D. 2014. “Using Measures of Risk Perception to Predict Information Security Behavior: Insights from Electroencephalography (EEG),” Journal of the Association for Information Systems, 15 (10), pp. 679-722, 2014.

Document Type

Peer-Reviewed Article

Publication Date

2014

Permanent URL

http://hdl.lib.byu.edu/1877/3911

Publisher

Association for Information Systems

Language

English

College

Marriott School of Management

Department

Information Systems
