Exploring the potential of behavioural economics in cyber-security – development of a conceptual framework
DOI:
https://doi.org/10.26881/ibage.2023.42.04
Keywords:
cyber-risk, cyber-security, cybercrime, decision-making, cognitive biases
Abstract
In recent years, the field of cyber-security has encountered unprecedented challenges due to the rapidly evolving nature of cyber-threats. Traditional cyber-security approaches often prioritize technical solutions and infrastructure, neglecting the critical role of human decision-making in cyber defence strategies. This paper delves into the intricate realm of cognitive biases within the cyber-security domain, investigating their profound influence on decision-making processes and organizational resilience from a behavioural economics perspective. Scholars have identified a multitude of biases, many of which directly impede actions and decisions in cyber-security. The paper addresses this gap in the literature by proposing a systematic and mixed research approach, which includes qualitative research followed by an empirical study. Through an examination of various biases and their implications, this research aims to illuminate the cognitive vulnerabilities inherent in cyber-security and suggests strategies to mitigate their impact and reduce economic damage. Additionally, the study endeavours to narrow down the long list of biases and heuristics to the most prevalent ones through interviews, facilitating a more focused approach during the empirical study.