Computer security and risky computing practices: A rational choice perspective

Kregg Aytes, Terence Connolly

Research output: Contribution to journal › Article

80 Citations (Scopus)

Abstract

Despite rapid technological advances in computer hardware and software, insecure behavior by individual computer users continues to be a significant source of direct cost and productivity loss. Why do individuals, many of whom are aware of the possible grave consequences of low-level insecure behaviors such as failure to backup work and disclosing passwords, continue to engage in unsafe computing practices? In this article we propose a conceptual model of this behavior as the outcome of a boundedly-rational choice process. We explore this model in a survey of undergraduate students (N = 167) at two large public universities. We asked about the frequency with which they engaged in five commonplace but unsafe computing practices, and probed their decision processes with regard to these practices. Although our respondents saw themselves as knowledgeable, competent users, and were broadly aware that serious consequences were quite likely to result, they reported frequent unsafe computing behaviors. We discuss the implications of these findings both for further research on risky computing practices and for training and enforcement policies that will be needed in the organizations these students will shortly be entering.

Original language: English (US)
Pages (from-to): 22-40
Number of pages: 19
Journal: Journal of Organizational and End User Computing
Volume: 16
Issue number: 3
State: Published - Jul 2004

Fingerprint

Security of data
Students
Computer hardware
Productivity
Costs
Rational choice
Computer security

Keywords

  • Computer security
  • Information assurance
  • Risk management

ASJC Scopus subject areas

  • Management of Technology and Innovation
  • Computer Science(all)

Cite this

Computer security and risky computing practices: A rational choice perspective. / Aytes, Kregg; Connolly, Terence.

In: Journal of Organizational and End User Computing, Vol. 16, No. 3, 07.2004, p. 22-40.

@article{ebf74fef056d45d2b31c90258ac93420,
title = "Computer security and risky computing practices: A rational choice perspective",
abstract = "Despite rapid technological advances in computer hardware and software, insecure behavior by individual computer users continues to be a significant source of direct cost and productivity loss. Why do individuals, many of whom are aware of the possible grave consequences of low-level insecure behaviors such as failure to backup work and disclosing passwords, continue to engage in unsafe computing practices? In this article we propose a conceptual model of this behavior as the outcome of a boundedly-rational choice process. We explore this model in a survey of undergraduate students (N = 167) at two large public universities. We asked about the frequency with which they engaged in five commonplace but unsafe computing practices, and probed their decision processes with regard to these practices. Although our respondents saw themselves as knowledgeable, competent users, and were broadly aware that serious consequences were quite likely to result, they reported frequent unsafe computing behaviors. We discuss the implications of these findings both for further research on risky computing practices and for training and enforcement policies that will be needed in the organizations these students will shortly be entering.",
keywords = "Computer security, Information assurance, Risk management",
author = "Kregg Aytes and Terence Connolly",
year = "2004",
month = "7",
language = "English (US)",
volume = "16",
pages = "22--40",
journal = "Journal of Organizational and End User Computing",
issn = "1546-2234",
publisher = "IGI Publishing",
number = "3",

}

TY - JOUR

T1 - Computer security and risky computing practices

T2 - A rational choice perspective

AU - Aytes, Kregg

AU - Connolly, Terence

PY - 2004/7

Y1 - 2004/7

AB - Despite rapid technological advances in computer hardware and software, insecure behavior by individual computer users continues to be a significant source of direct cost and productivity loss. Why do individuals, many of whom are aware of the possible grave consequences of low-level insecure behaviors such as failure to backup work and disclosing passwords, continue to engage in unsafe computing practices? In this article we propose a conceptual model of this behavior as the outcome of a boundedly-rational choice process. We explore this model in a survey of undergraduate students (N = 167) at two large public universities. We asked about the frequency with which they engaged in five commonplace but unsafe computing practices, and probed their decision processes with regard to these practices. Although our respondents saw themselves as knowledgeable, competent users, and were broadly aware that serious consequences were quite likely to result, they reported frequent unsafe computing behaviors. We discuss the implications of these findings both for further research on risky computing practices and for training and enforcement policies that will be needed in the organizations these students will shortly be entering.

KW - Computer security

KW - Information assurance

KW - Risk management

UR - http://www.scopus.com/inward/record.url?scp=2642549662&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=2642549662&partnerID=8YFLogxK

M3 - Article

AN - SCOPUS:2642549662

VL - 16

SP - 22

EP - 40

JO - Journal of Organizational and End User Computing

JF - Journal of Organizational and End User Computing

SN - 1546-2234

IS - 3

ER -