Biases in security risk management: Do security professionals follow prospect theory in their decisions?

Security professionals play a decisive role in security risk decision making, with important implications for security in organisations and society. Because of this subjective input in security understanding possible biases in this process is paramount. In this paper, well known biases as observed and described in prospect theory are studied in individual security risk decision making by security professionals. To this end, we distributed a questionnaire among security professionals including both original dilemmas from prospect theory and dilemmas adapted to the context of incident prevention. It was hypothesised that security professionals dealing with risks and decision making under risk on an almost daily basis would or should be less vulnerable to decision biases involving risks, in particular when framed in terms of incident prevention. The results show that security professionals are vulnerable to decision biases at the same scale as lay people, but some biases are weaker when decision problems are framed in terms of security as opposed to monetary gains and losses. Of the individual characteristics defining experience, only the general education level observably affects vulnerability for biases in security decision making in this study. A higher general education level leads to a significantly higher vulnerability to decision biases. By highlighting the vulnerability of security professionals to decision biases, this study contributes essential awareness and knowledge for improved decision making, for example by different representation of probabilities and uncertainty.