The boundedly rational employee: Security economics for behaviour intervention support in organizations

Albesë Demjaha*, Simon Parkin, David Pym

*Corresponding author for this work

Research output: Contribution to journal › Article › Scientific › peer-review

Abstract

Security policy-makers (influencers) in an organization set security policies that embody intended behaviours for employees (as decision-makers) to follow. Decision-makers then face choices, where this is not simply a binary decision of whether to comply or not, but also how to approach compliance and secure working alongside other workplace pressures, and limited resources for identifying optimal security-related choices. Conflict arises because of information asymmetries present in the relationship, where influencers and decision-makers both consider costs, gains, and losses in ways which are not necessarily aligned. With the need to promote 'good enough' decisions about security-related behaviours under such constraints, we hypothesize that actions to resolve this misalignment can benefit from constructs from both traditional economics and behavioural economics. Here we demonstrate how current approaches to security behaviour provisioning in organizations mirror rational-agent economics, even where behavioural economics is embodied in the promotion of individual security behaviours. We develop and present a framework to accommodate bounded security decision-making, within an ongoing programme of behaviours which must be provisioned for and supported. Our four-stage plan to Capture, Adapt, Realign, and Enable behaviour choices provides guidance for security managers, focusing on a more effective response to the uncertainty associated with security behaviour in organizations.
Original language: English
Pages (from-to): 435-464
Number of pages: 30
Journal: Journal of Computer Security
Volume: 30
Issue number: 3
Publication status: Published - 2022

Keywords

  • security behaviour modelling
  • Security decision-making
  • security economics
  • security policy
