Mis-spending on information security measures: Theory and experimental evidence
International Journal of Information Management (IF 21.0), Pub Date: 2020-12-29, DOI: 10.1016/j.ijinfomgt.2020.102291
Roozmehr Safi, Glenn J. Browne, Azadeh Jalali Naini

Information resources are becoming increasingly important to individuals and organizations, and ensuring their security is a major concern. While research in information security has adopted primarily a quantitative method to determine how and how much to invest in security, most decision makers rely on non-quantitative methods for this purpose, thereby introducing a considerable amount of as yet unexplained subjective judgment to the problem. We use a behavioral decision making approach to investigate factors causing possible inefficiencies of security spending decisions. Decision makers in our experiment performed a series of economic games featuring the key characteristics of a typical security problem. We found several biases in investment decisions. For budgeting their investment between major classes of security measures, decision makers demonstrated a strong bias toward investing in preventive measures rather than in detection and response measures, even though the task was designed to yield the same return on investment for both classes of measures. We term this phenomenon the “Prevention Bias.” Decision makers also reacted to security threats when the risk was so small that no investment was economically justified. For higher levels of risk that warranted some security investment, decision makers showed a strong tendency to overinvest. Theoretical and practical implications of the findings are discussed.




Updated: 2020-12-29