Risk homeostasis in information security: challenges in confirming existence and verifying impact Karen Renaud Merrill Warkentin © the authors 2017. This is the author's version of the work. It is posted here for your personal use. Not for redistribution. The definitive Version of Record was published in Proceedings of the 2017 New Security Paradigms Workshop (NSPW’17), http://dx.doi.org/10.1145/3171533.3171534 Risk Homeostasis in Information Security: Challenges in Confirming Existence and Verifying Impact Karen Renaud Merrill Warkentin School of Arts, Media and Computer Games College of Business Abertay University, Scotland Mississippi State University University of South Africa MS, USA
[email protected] [email protected] ABSTRACT CCS CONCEPTS The central premise behind risk homeostasis theory is that • General and reference → Empirical studies; • Secu- humans adapt their behaviors, based on external factors, to rity and privacy → Social aspects of security and pri- align with a personal risk tolerance level. In essence, this vacy; means that the safer or more secure they feel, the more likely it is that they will behave in a risky manner. If this KEYWORDS eect exists, it serves to restrict the ability of risk mitigation Risk Homeostasis, Challenges techniques to eect improvements. The concept is hotly debated in the safety area. Some ACM Reference Format: authors agree that the eect exists, but also point out that Karen Renaud and Merrill Warkentin. 2017. Risk Homeostasis in it is poorly understood and unreliably predicted. Other re- Information Security: Challenges in Conrming Existence and Ver- searchers consider the entire concept fallacious. It is impor- ifying Impact.