The Role of Heuristics in Information Security Decision Making

Fard Bahreini, Amir
Cenfetelli, Ron
Cavusoglu, Hasan
Inadvertent human errors (e.g., clicking on phishing emails or falling for a spoofed website) have been the primary cause of security breaches in recent years. To understand the root cause of these errors and examine practical solutions for users to overcome them, we applied the theory of bounded rationality and explored the role of heuristics (i.e., short mental processes) in security decision making. Interviews with 27 participants revealed that users rely on various heuristics to simplify their decision making in the information security context. Specifically, users rely on experts’ comments (i.e., expertise heuristic), information at hand, such as recent events (i.e., availability heuristic), and security-representative visual cues (i.e., representativeness heuristic). Findings also showed the use of other heuristics, including affect, brand, and anchoring, to a lesser degree. The results have practical and theoretical significance. In particular, they extend the literature by integrating bounded rationality concepts and elaborating “how” users simplify their security decision making by relying on cognitive heuristics.
Innovative Behavioral IS Security and Privacy Research, behavioral IS security, framework analysis, heuristics, inadvertent human errors, the theory of bounded rationality