An empirical test of the perceived relationship between risk and the constituents severity and probability. (13th June 2016)
- Record Type:
- Journal Article
- Title:
- An empirical test of the perceived relationship between risk and the constituents severity and probability. (13th June 2016)
- Main Title:
- An empirical test of the perceived relationship between risk and the constituents severity and probability
- Authors:
- Sommestad, Teodor
Karlzén, Henrik
Nilsson, Peter
Hallberg, Jonas
- Abstract:
- Purpose: In methods and manuals, the product of an information security incident's probability and severity is seen as a risk to manage. The purpose of the test described in this paper is to investigate if information security risk is perceived in this way, if decision-making style influences the perceived relationship between the three variables and if the level of information security expertise influences the relationship between the three variables. Design/methodology/approach: Ten respondents assessed 105 potential information security incidents. Ratings of the associated risks were obtained independently from ratings of the probability and severity of the incidents. Decision-making style was measured using a scale inspired from the Cognitive Style Index; information security expertise was self-reported. Regression analysis was used to test the relationship between variables. Findings: The ten respondents did not assess risk as the product of probability and severity, regardless of experience, expertise and decision-making style. The mean variance explained in risk ratings using an additive term is 54.0 or 38.4 per cent, depending on how risk is measured. When a multiplicative term was added, the mean variance only increased by 1.5 or 2.4 per cent. For most of the respondents, the contribution of the multiplicative term is statistically insignificant. Practical Implications: The inability or unwillingness to see risk as a product of probability and severity suggests that procedural support (e.g. risk matrices) has a role to play in the risk assessment processes. Originality/value: This study is the first to test if information security risk is assessed as an interaction between probability and severity using suitable scales and a within-subject design.
- Is Part Of:
- Information and computer security. Volume 24:Number 2(2016)
- Journal:
- Information and computer security
- Issue:
- Volume 24:Number 2(2016)
- Issue Display:
- Volume 24, Issue 2 (2016)
- Year:
- 2016
- Volume:
- 24
- Issue:
- 2
- Issue Sort Value:
- 2016-0024-0002-0000
- Page Start:
- 194
- Page End:
- 204
- Publication Date:
- 2016-06-13
- Subjects:
- Risk perception -- Information security risk assessment -- Perceived probability -- Perceived severity
Computer security -- Management -- Periodicals
Computer networks -- Security measures -- Periodicals
Data protection -- Management -- Periodicals
658.47
- Journal URLs:
- http://www.emeraldinsight.com/loi/ics
http://www.emeraldinsight.com/
- DOI:
- 10.1108/ICS-01-2016-0004
- Languages:
- English
- ISSNs:
- 2056-4961
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms)
- Physical Locations:
- British Library DSC - 4481.796000
British Library DSC - BLDSS-3PM
British Library HMNTS - ELD Digital store
- Ingest File:
- 8149.xml