risk perception, information security behavior, NeuroIS, self-reported measures, EEG, Iowa Gambling Task (IGT), laboratory experiment, security warning disregard
Users' perceptions of risks have important implications for information security, as the actions of individual users can compromise entire systems. Therefore, there is a critical need to understand how users perceive and respond to information security risks. Previous research on perceptions of information security risk has chiefly relied on self-reported measures. Although these studies are valuable, risk perceptions are often associated with feelings—such as fear or doubt—that are difficult to measure accurately using survey instruments. Additionally, it is unclear how these self-reported measures map to actual security behavior. This paper contributes by demonstrating that risk-taking behavior is effectively predicted using electroencephalography (EEG) via event-related potentials (ERPs). Using the Iowa Gambling Task, a widely used technique shown to be correlated with real-world risky behaviors, we show that the differences in neural responses to positive and negative feedback strongly predict users' information security behavior in a separate laboratory-based computing task. In addition, we compare the predictive validity of EEG measures to that of self-reported measures of information security risk perceptions. Our experiments show that self-reported measures are ineffective in predicting security behaviors under a condition in which information security is not salient. However, we show that, when security concerns become salient, self-reported measures do predict security behavior. Interestingly, EEG measures significantly predict behavior in both salient and non-salient conditions, indicating that EEG measures are a robust predictor of security behavior.
Original Publication Citation
Vance, A., Anderson, B., Kirwan, B., Eargle, D. 2014. “Using Measures of Risk Perception to Predict Information Security Behavior: Insights from Electroencephalography (EEG),” Journal of the Association for Information Systems, 15 (10), pp. 679-722, 2014.
BYU ScholarsArchive Citation
Vance, Anthony; Anderson, Bonnie; Kirwan, C. Brock; and Eargle, David, "Using Measures of Risk Perception to Predict Information Security Behavior: Insights from Electroencephalography (EEG)" (2014). All Faculty Publications. 1956.
Association for Information Systems
Marriott School of Management
© 2014 Association for Information Systems. This is the author's submitted version of this article. The definitive version can be found at https://search.proquest.com/docview/1619352586?accountid=4488
Copyright Use Information