Risk Homeostasis in Information Security: Challenges in Confirming Existence and Verifying Impact
Total Page:16
File Type:pdf, Size:1020Kb
Risk homeostasis in information security: challenges in confirming existence and verifying impact Karen Renaud Merrill Warkentin © the authors 2017. This is the author's version of the work. It is posted here for your personal use. Not for redistribution. The definitive Version of Record was published in Proceedings of the 2017 New Security Paradigms Workshop (NSPW’17), http://dx.doi.org/10.1145/3171533.3171534 Risk Homeostasis in Information Security: Challenges in Confirming Existence and Verifying Impact Karen Renaud Merrill Warkentin School of Arts, Media and Computer Games College of Business Abertay University, Scotland Mississippi State University University of South Africa MS, USA [email protected] [email protected] ABSTRACT CCS CONCEPTS The central premise behind risk homeostasis theory is that • General and reference → Empirical studies; • Secu- humans adapt their behaviors, based on external factors, to rity and privacy → Social aspects of security and pri- align with a personal risk tolerance level. In essence, this vacy; means that the safer or more secure they feel, the more likely it is that they will behave in a risky manner. If this KEYWORDS eect exists, it serves to restrict the ability of risk mitigation Risk Homeostasis, Challenges techniques to eect improvements. The concept is hotly debated in the safety area. Some ACM Reference Format: authors agree that the eect exists, but also point out that Karen Renaud and Merrill Warkentin. 2017. Risk Homeostasis in it is poorly understood and unreliably predicted. Other re- Information Security: Challenges in Conrming Existence and Ver- searchers consider the entire concept fallacious. It is impor- ifying Impact. In Proceedings of New Security Paradigms Workshop tant to gain clarity about whether the eect exists, and to (NSPW’17). ACM, New York, NY, USA, 13 pages. https://doi.org/10. gauge its impact if such evidence can indeed be found. 1145/3171533.3171534 In this paper we consider risk homeostasis in the context of information security. Similar to the safety area, informa- tion security could well be impaired if a risk homeostasis 1 INTRODUCTION eect neutralizes the potential benets of risk mitigation To commence our discussion we start with the basics, den- measures. If the risk homeostasis eect does indeed exist ing homeostasis. The French psychologist Bernard rst intro- and does impact risk-related behaviors, people will simply duced the notion of homeostasis in 1878 [9] (cited by [20]). elevate risky behaviors in response to feeling less vulnerable He argued that people naturally maintained particular in- due to following security procedures and using protective ternal variables within narrow boundaries. Any change in technologies. the external system might necessitate a change to their in- Here we discuss, in particular, the challenges we face in ternal system in order to maintain the variable within the conrming the existence and impact of the risk homeostasis boundaries. Redolfo [70] provides some examples of this ef- eect in information security, especially in an era of ethical fect. The human body maintains a steady temperature by research practice. either sweating or shivering. The interaction of supply and demand keeps prices stable. Pelzman [67] was one of the rst to raise the idea that peo- ple would moderate their behaviors if safety measures made Permission to make digital or hard copies of part or all of this work for them feel that it was safe to take more risks. He had noted personal or classroom use is granted without fee provided that copies are that the imposition of seat belt legislation had not resulted not made or distributed for prot or commercial advantage and that copies in the anticipated reduction in road fatalities. He surmised bear this notice and the full citation on the rst page. Copyrights for third- that some behavioral adaptation was taking place. Wilde party components of this work must be honored. For all other uses, contact the owner/author(s). [99], along the same lines, argues for this same behavioral NSPW’17, October 2017, Santa Cruz, CA, USA adaptation, actively defending attacks on the existence and © 2017 Copyright held by the owner/author(s). impact of what he calls risk homeostasis theory (RHT). The ACM ISBN 978-1-4503-6384-6. core concept is that people will take more risks when they https://doi.org/10.1145/3171533.3171534 feel safer in doing so, and that this behavioral adaptation NSPW’17, October 2017, Santa Cruz, CA, USA Renaud & Warkentin makes safety measures less powerful than they could be in risk level to something below his or her target level, he or terms of reducing harm. she might drive faster, thereby increasing the likelihood of NIST [42] denes risk as: “A measure of the extent to which an accident occurring. By so doing, he or she re-establishes an entity is threatened by a potential circumstance or event, the risk level to what it would have been without the seat and typically a function of: (i) the adverse impacts that would belt. arise if the circumstance or event occurs; and (ii) the likelihood There is a large body of literature related to risk home- of occurrence.” There are thus three components to risk: (a) an ostasis. It comes across as a polarizing issue, characterized external threat agent, (b) the likelihood that an adverse event by heated rebuttals and counter rebuttals. This is in no small will occur, and (c) the anticipated negative impact thereof. part due to the diculties related to conrming the existence Personal risk assessment, thus, implicitly gauges all three of of the eect, and the challenges of designing experiments these. The risk homeostasis assertion is that the person then that will be considered sound by everyone in the eld. moderates his or her behavior in order to align the actual We hope to contribute to the eld by considering how we risk to his or her risk target level. could go about conrming the existence and impact of this Such moderated behavior might be calculated to eliminate eect in the eld of Information Security. The idea that or reduce vulnerabilities, likelihood or impact. Behaviors such an eect might play a role has been posited by [41], are informed by perceptions, and, as Slovic [80] points out: [93] and [65]. It is important to explore the existence and “Risk does not exist ‘out there’, independent of our minds and impact of this eect in information security. If we do indeed cultures, waiting to be ‘measured’. Human beings have invented conrm a risk homeostasis eect, we can propose ways of the concept risk to help them understand and cope with the ameliorating it to ensure that our eorts to bolster cyber dangers and uncertainties of life” security are not neutralized by even more risky behaviors. Behavior thus depends on individual and societal percep- tion of risk [40]. Risk perception is inuenced by a number of dierent aspects of the risk, including voluntariness [39], controllability [77], immediacy of eect [78], whether it is 2 RISK HOMEOSTASIS manmade or natural [14], familiarity [82], habituation [49], That people change their behavior in response to changes potential benets of risky behaviour [82] and the ease with in external circumstances, when it comes to risky behaviors, which the risk impact is brought to mind [16]. Slovic [79] has been argued by Hedlund [34], who says “We all change collapses the factors that impact risk perception into three our behavior in response to changes in our environment. categories: (1) dread [control, potential for catastrophe, ben- Never assume that behavior will not change” (p88). ets, consequences], (2) whether it is known or unknown Yet exactly how people change their behaviors is not al- [observability, knowledge of risks, immediacy and novelty], ways predictable. Historically, scholars assumed that deci- and (3) whether individuals, society or future generations are sions, including personal decisions about engaging in risky aected. These three factors will interact in unpredictable behaviors, were grounded in a rational assessment of fun- ways that make it dicult to predict how an individual will damental decision criteria, including the relative costs and perceive a particular risk at any particular point in time. benets of risky behaviors. Simon [76] suggested that human Wilde [99] considers risk-taking to be an inherent part decision making was characterized by bounded rationality, of the human psyche. He argues that people have a deep which reects imperfect information, imperfect decision- seated need to take risks and that this need is individually making abilities, and rapid choices made without full con- determined. He argues that we all have a “target level of sideration of all costs and benets [28]. This foundation has risk.” He suggests the concept of a personal “risk thermo- informed our understanding of decisions in the context of stat,” indicating how much risk each person is prepared to computer security hygiene, wherein researchers have as- tolerate. This implies that people assess risk and then act in sumed that individual computer users will adopt an essen- a way that aligns with their risk tolerance. If anything in tially rational approach to determining the degree to which the environment changes, it is argued that they will compen- they will engage in inconvenient or onerous security be- sate by moderating the riskiness of their actions to bring the haviors (e.g. changing passwords, encrypting data, patching risk back to within the boundaries of their own risk comfort software) and avoid such behaviors when the costs are too zone. In other words, in the presence of new risk-reduction high. This core boundary condition is also consistent with methods or technologies, RHT suggests that individuals will Fishbein and Ajzen’s Theory of Reasoned Action (TRA) [29].