Why We Don’t Value Security: It’s a human thing
In this short article, Optic Security Group Enterprise Security Risk Manager Nicholas Dynon discusses how behavioural economics provides an explanation as to why humans tend to take a cavalier approach to security.
We’ve all seen variations on the below image in our LinkedIn feeds. The coin jar is a fun way to illustrate the lack of investment in security prior to a security breach relative to the funding thrown at security after a breach… and the small price that’s paid for security relative to the potential cost of a breach.
Much of the commentary discusses the problem in terms of Return on Investment (ROI) and, in particular, the difficulties organisations face in evidencing, measuring, and understanding Return on Security Investment (ROSI).
Unlike traditional ROI, which is a measurement based on gain (profitability), ROSI is measured in terms of loss avoided.
We’ll look more closely at ROSI in subsequent posts, but before we do that, it’s worth taking a step back to consider how we as humans approach the prospect of loss and loss avoidance. What are the basic human behaviours that inform why we value potential loss, and do we value it differently to potential gain?
Enter Prospect Theory.
Sometimes referred to as loss-aversion theory, Prospect Theory is a behavioural economics construct that describes how people make decisions when presented with alternatives that involve uncertainty. It was developed by Amos Tversky and Daniel Kahneman (who won a Nobel Prize in Economics for his prospect theory work).
According to the theory, for most people, a small yet certain gain is more attractive than the prospect of a less certain larger gain, but when it comes to losses, the reverse holds true: most people will risk the prospect of a greater loss rather than incur a guaranteed smaller one.
In the research, participants were presented with two choices: (i) the choice between a certain gain of $500 and a 50% chance of gaining $1,000, and (ii) the choice between a certain loss of $500 and a 50% chance of losing $1,000.
The results? 84% of participants chose the certain $500 gain over the riskier one, while 70% chose to risk a $1,000 loss over settling for the smaller certain one.
In other words, human nature dictates that we’ll take a sure gain over a less certain bigger one, yet we’ll risk a bigger loss just to avoid a certain smaller one (this is known as the ‘reflection effect’). We are so averse to loss that instead of accepting a small loss we’d rather try to gamble our way out of it – even if it means we might lose big!
It’s no wonder then that security spend (a.k.a., the certain smaller cost) tends to be avoided in favour of chancing it. According to Prospect Theory, it’s in our nature.
Credits: Optic Security Group’s post