Risk-taking behavior is effectively predicted using electroencephalography (EEG) via event-related potentials (ERPs). Using the Iowa Gambling Task, a widely used technique shown to be correlated with real-world risky behaviors, we show that the differences in neural responses to positive and negative feedback strongly predict users’ information security behavior in a separate laboratory-based computing task. In addition, we compare the predictive validity of EEG measures to that of self-reported measures of information security risk perceptions. Our experiments show that selfreported measures are ineffective in predicting security behaviors under a condition in which information security is not salient.
| Construct | Cites | Category | Questions given? | Content validity | Pretests | Response type | Notes |
|---|---|---|---|---|---|---|---|
| Willingness to Gamble Lifetime Income | Barsky et al., 1997 | yes | none | pilot | binary yes/no | ||
| General risk appetite | Kam, 2015 | yes | none | pilot | binary yes/no | ||
| Perceived security risk of malware | Guo et al., 2011 | yes | none | pilot | 7-point Likert scale ranging from "strongly disagree" to "strongly agree" | ||
| Threat susceptibility | Johnston, 2010 | yes | none | pilot | 7-point Likert scale ranging from "strongly disagree" to "strongly agree" | ||
| Threat severity | Johnston, 2010 | yes | none | pilot | 7-point Likert scale ranging from "strongly disagree" to "strongly agree" | ||
| Bias | NEW | yes | none | pilot | 5-point Likert scale ranging from "not at all" to "very strongly" | ||
| Malware warning screen realism | NEW | yes | none | pilot | 11-point scale from "not realistic" to "100% realistic" and from "not concerned at all" to "extremely concerned" | ||
| Hacker screen realism | NEW | yes | none | pilot | 11-point scale from "not realistic" to "100% realistic" and from "not concerned at all" to "extremely concerned" | ||
| Malware warning screen concern | NEW | yes | none | pilot | 11-point scale from "not concerned" to "extremely concerned" | ||
| Hacker screen concern | NEW | yes | none | pilot | 11-point scale from "not concerned" to "extremely concerned" |
Anthony Vance, Bonnie Brinton Anderson, Brock Kirwan, and David Eargle. Using Measures of Risk Perception to Predict Information Security Behavior: Insights from Electroencephalography (EEG). Journal of the Association for Information Systems Forthcoming, 2014.
@article{vance_using_2014,
author = {Vance, Anthony and Anderson, Bonnie Brinton and Kirwan, Brock and Eargle, David},
journal = {Journal of the Association for Information Systems Forthcoming},
shorttitle = {Using {{Measures}} of {{Risk Perception}} to {{Predict Information Security Behavior}}},
title = {Using {{Measures}} of {{Risk Perception}} to {{Predict Information Security Behavior}}: {{Insights}} from {{Electroencephalography}} ({{EEG}})},
year = {2014}
}