Professionals working in both the physical and cybersecurity domains need to assess and evaluate security risks. As information on risks in general and security risks in particular is often imperfect and intractable, these professionals face a challenge in judging both likelihood and consequences, but how much do their existing psychological biases play a role in these judgments? In this paper, we present new empirical evidence on the perception of the information position and confidence levels of security professionals, the influence of detailed information and the conjunction fallacy, and the level of noise in security assessments. This paper adds to the literature by examining, for the first time, risk assessments by professionals in realistic, real-life security cases. The results show clear indications of overconfidence, comparative ignorance, influence of the conjunction fallacy, and influence of individual experience on security decision making in the professional security domain. The observed phenomena might have far-reaching effects on security risk management in organizations and society.
Bibliographical note: Green Open Access added to TU Delft Institutional Repository ‘You share, we take care!’ – Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.
- Conjunction fallacy
- Decision biases
- Information position
- Security assessment