risk perception, information security behavior, NeuroIS, self-reported measures, EEG, Iowa Gambling Task (IGT), laboratory experiment, security warning disregard


Users' perceptions of risks have important implications for information security, as the actions of individual users can compromise entire systems. Therefore, there is a critical need to understand how users perceive and respond to information security risks. Previous research on perceptions of information security risk has chiefly relied on self-reported measures. Although these studies are valuable, risk perceptions are often associated with feelings—such as fear or doubt—that are difficult to measure accurately using survey instruments. Additionally, it is unclear how these self-reported measures map to actual security behavior. This paper contributes by demonstrating that risk-taking behavior is effectively predicted using electroencephalography (EEG) via event-related potentials (ERPs). Using the Iowa Gambling Task, a widely used technique shown to be correlated with real-world risky behaviors, we show that the differences in neural responses to positive and negative feedback strongly predict users' information security behavior in a separate laboratory-based computing task. In addition, we compare the predictive validity of EEG measures to that of self-reported measures of information security risk perceptions. Our experiments show that self-reported measures are ineffective in predicting security behaviors under a condition in which information security is not salient. However, we show that, when security concerns become salient, self-reported measures do predict security behavior. Interestingly, EEG measures significantly predict behavior in both salient and non-salient conditions, indicating that EEG measures are a robust predictor of security behavior.

Original Publication Citation

Vance, A., Anderson, B., Kirwan, B., Eargle, D. 2014. “Using Measures of Risk Perception to Predict Information Security Behavior: Insights from Electroencephalography (EEG),” Journal of the Association for Information Systems, 15 (10), pp. 679-722, 2014.

Document Type

Peer-Reviewed Article

Publication Date


Permanent URL


Association for Information Systems




Marriott School of Management


Information Systems