{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,4]],"date-time":"2026-03-04T04:57:51Z","timestamp":1772600271266,"version":"3.50.1"},"reference-count":59,"publisher":"Oxford University Press (OUP)","issue":"1","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["J Cyber Secur"],"published-print":{"date-parts":[[2016,12]]},"DOI":"10.1093\/cybsec\/tyw009","type":"journal-article","created":{"date-parts":[[2016,12,24]],"date-time":"2016-12-24T09:07:03Z","timestamp":1482570423000},"page":"57-70","source":"Crossref","is-referenced-by-count":8,"title":["Are information security professionals expected value maximizers?: An experiment and survey-based test"],"prefix":"10.1093","volume":"2","author":[{"given":"Konstantinos","family":"Mersinas","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Bjoern","family":"Hartig","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Keith M.","family":"Martin","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Andrew","family":"Seltzer","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"286","published-online":{"date-parts":[[2016,12,22]]},"reference":[{"key":"2016123008051124000_2.1.57.1","unstructured":"IBM Corp. Released 2012. IBM SPSS statistics for Windows, Version 21.0. Armonk, NY: IBM Corp, 2012."},{"key":"2016123008051124000_2.1.57.2","doi-asserted-by":"crossref","unstructured":"Acquisti A. Privacy in electronic commerce and the economics of immediate gratification. In: Proceedings of the 5th ACM Conference on Electronic Commerce (EC '04), 2004, 21\u201329.","DOI":"10.1145\/988772.988777"},{"key":"2016123008051124000_2.1.57.3","first-page":"24","article-title":"Privacy and rationality in individual decision making","volume":"2","author":"Acquisti","year":"2005","journal-title":"IEEE Security & Privacy"},{"key":"2016123008051124000_2.1.57.4","doi-asserted-by":"crossref","first-page":"671","DOI":"10.1016\/j.jebo.2008.01.004","article-title":"Man\u2019s search for meaning: the case of Legos","volume":"67","author":"Ariely","year":"2008","journal-title":"J Econ Behav & Organ"},{"key":"2016123008051124000_2.1.57.5","doi-asserted-by":"crossref","unstructured":"Schneier B. The psychology of security. In: Progress in Cryptology\u2013AFRICACRYPT 2008. Berlin, Heidelberg: Springer, 2008, 50\u201379.","DOI":"10.1007\/978-3-540-68164-9_5"},{"key":"2016123008051124000_2.1.57.6","unstructured":"Anderson R. Why information security is hard - an economic perspective. In: Proceedings of 17th Annual Computer Security Applications Conference (ACSAC). New Orleans, LO. 2001, 10\u201314. Washington, DC: IEEE Computer Society."},{"key":"2016123008051124000_2.1.57.7","doi-asserted-by":"crossref","unstructured":"Anderson R. Information security economics-and beyond. In: DEON '08 Proceedings of the 9th international conference on Deontic Logic in Computer Science, Springer-Verlag Berlin, Heidelberg, 2008, 49.","DOI":"10.1007\/978-3-540-70525-3_5"},{"key":"2016123008051124000_2.1.57.8","doi-asserted-by":"crossref","unstructured":"Anderson R Barton C B\u00f6hme R . Measuring the cost of cybercrime. In: The Economics of Information Security and Privacy. Berlin Heidelberg: Springer, 2013, 265\u2013300.","DOI":"10.1007\/978-3-642-39498-0_12"},{"key":"2016123008051124000_2.1.57.9","doi-asserted-by":"publisher","DOI":"10.1126\/science.1130992"},{"key":"2016123008051124000_2.1.57.10","doi-asserted-by":"publisher","DOI":"10.1098\/rsta.2009.0027"},{"key":"2016123008051124000_2.1.57.11","unstructured":"Arrow KJ. The Economics of Information (Collected Papers of Kenneth J. Arrow), Vol. 4. Cambridge, MA: Belknap Press, 1984."},{"key":"2016123008051124000_2.1.57.12","unstructured":"Information Systems Audit and Control Association (ISACA). G41 Return on Security Investment (ROSI), 2010. www.isaca.org. (6 September 2016, date last accessed)."},{"key":"2016123008051124000_2.1.57.13","unstructured":"Baddeley M. Information security: lessons from behavioural economics. Working Paper, Gonville and Caius College, University of Cambridge, 2011."},{"key":"2016123008051124000_2.1.57.14","unstructured":"S.B. 1386, 2002 Leg., Reg. Sess. (Cal. 2002)."},{"key":"2016123008051124000_2.1.57.15","doi-asserted-by":"crossref","unstructured":"Beresnevichiene Y Pym D Shiu S. Decision support for systems security investment. In: Network Operations and Management Symposium Workshops (NOMS Wksps),2010 IEEE\/IFIP. 2010, 118\u201325.","DOI":"10.1109\/NOMSW.2010.5486590"},{"key":"2016123008051124000_2.1.57.16","doi-asserted-by":"publisher","DOI":"10.1093\/qje\/qjs018"},{"key":"2016123008051124000_2.1.57.17","unstructured":"Bouyssou D Dubois D Prade H . Decision Making Process: Concepts and Methods. Hoboken, NJ: John Wiley & Sons, 2013."},{"key":"2016123008051124000_2.1.57.18","first-page":"24.","article-title":"Risk Management and Compliance","volume":"54","author":"Brenner","year":"2007","journal-title":"Risk Manag"},{"key":"2016123008051124000_2.1.57.19","doi-asserted-by":"crossref","unstructured":"Camerer CF Loewenstein G Rabin M. Advances in Behavioral Economics. Princeton, NJ: Princeton University Press, 2011.","DOI":"10.2307\/j.ctvcm4j8j"},{"key":"2016123008051124000_2.1.57.20","unstructured":"Cebula JL Young LR . A taxonomy of operational cyber security risks. Technical Report, DTIC Document, Carnegie Mellon University Software Engineering Institute (SEI), 2010."},{"key":"2016123008051124000_2.1.57.21","doi-asserted-by":"publisher","DOI":"10.1023\/A:1015544715608"},{"key":"2016123008051124000_2.1.57.22","first-page":"171","article-title":"Critical values and probability levels for the Wilcoxon rank sum test and the Wilcoxon signed rank test","volume":"1","author":"Wilcoxon","year":"1970","journal-title":"Selected Tables Math Stat"},{"key":"2016123008051124000_2.1.57.23","doi-asserted-by":"crossref","first-page":"230","DOI":"10.1016\/0749-5978(86)90018-X","article-title":"Psychological sources of ambiguity avoidance","volume":"38","author":"Curley","year":"1986","journal-title":"Organ Behav Human Decision Proces"},{"key":"2016123008051124000_2.1.57.24","doi-asserted-by":"crossref","first-page":"793","DOI":"10.1016\/j.ijpe.2008.04.002","article-title":"An economic analysis of the optimal information security investment in the case of a risk-averse firm","volume":"114","author":"Huang","year":"2008","journal-title":"Int J Prod Econ"},{"key":"2016123008051124000_2.1.57.25","doi-asserted-by":"publisher","DOI":"10.1111\/j.1542-4774.2011.01015.x"},{"key":"2016123008051124000_2.1.57.26","doi-asserted-by":"publisher","DOI":"10.2307\/1884324"},{"key":"2016123008051124000_2.1.57.27","doi-asserted-by":"crossref","unstructured":"Von Neumann J Morgenstern O . Theory of Games and Economic Behavior (60th Anniversary Commemorative Edition). Princeton University Press, 2007. http:\/\/www.jstor.org\/stable\/j.ctt1r2gkx (6 September 2016, date last accessed).","DOI":"10.1515\/9781400829460"},{"key":"2016123008051124000_2.1.57.28","unstructured":"ENISA Introduction to Return on Security Investment. Technical report, ENISA, Heraklion, Greece, Dec 2012. https:\/\/www.enisa.europa.eu\/activities\/cert\/other-work\/introduction-to-return-on-security-investment (6 September 2016, date last accessed)."},{"key":"2016123008051124000_2.1.57.29","unstructured":"Verendel V. A prospect theory approach to security. Technical Report, Department of Computer Science and Engineering, Chalmers University of Technology, 2008."},{"key":"2016123008051124000_2.1.57.30","unstructured":"Department for Business, Innovation and Skills (BIS, UK) and Technology Strategy Board. Cost of business cyber security breaches almost double. Technical Report, April 2014. https:\/\/www.gov.uk\/government\/news\/cost-of-business-cyber-security-breaches-almost-double."},{"key":"2016123008051124000_2.1.57.31","doi-asserted-by":"publisher","DOI":"10.2307\/2279372"},{"key":"2016123008051124000_2.1.57.32","doi-asserted-by":"crossref","first-page":"73","DOI":"10.1109\/MTS.2013.2241294","article-title":"Heuristics and biases: implications for security design","volume":"32","author":"Garg","year":"2013","journal-title":"Technol Soc Magazine, IEEE"},{"key":"2016123008051124000_2.1.57.33","doi-asserted-by":"crossref","first-page":"94","DOI":"10.1109\/MSP.2012.91","article-title":"Power. law","volume":"10","author":"Geer","year":"2012","journal-title":"Security & Privacy, IEEE"},{"key":"2016123008051124000_2.1.57.34","doi-asserted-by":"publisher","DOI":"10.1162\/qjec.2010.125.4.1399"},{"key":"2016123008051124000_2.1.57.35","doi-asserted-by":"publisher","DOI":"10.1145\/581271.581274"},{"key":"2016123008051124000_2.1.57.36","unstructured":"Gordon LA Loeb MP . Managing Cybersecurity Resources: A Cost-Benefit Analysis, Vol. 1. New York: McGraw-Hill, 2006."},{"key":"2016123008051124000_2.1.57.37","doi-asserted-by":"publisher","DOI":"10.1007\/BF00122574"},{"key":"2016123008051124000_2.1.57.38","doi-asserted-by":"publisher","DOI":"10.1257\/000282802762024700"},{"key":"2016123008051124000_2.1.57.39","unstructured":"Soo Hoo KJ . How much is enough? A risk management approach to computer security. Working Paper, Stanford University, 2000."},{"key":"2016123008051124000_2.1.57.40","doi-asserted-by":"crossref","unstructured":"Ioannidis C Pym D Williams J. Fixed costs, investment rigidities, and risk aversion in information security: a utility-theoretic approach. In: Schneier B (ed.), Economics of Security and Privacy III, Proceedings of the 2011 Workshop on the Economics of Information Security. New York: Springer, 2013, 171\u2013191.","DOI":"10.1007\/978-1-4614-1981-5_8"},{"key":"2016123008051124000_2.1.57.41","unstructured":"BS ISO. IEC 27005:2008. Information Technology\u2013Security Techniques\u2013 Information Security Risk Management, 2012."},{"key":"2016123008051124000_2.1.57.42","unstructured":"Kahneman D . Thinking, Fast and Slow. New York: Allen Lane and Penguin Books, 2011."},{"key":"2016123008051124000_2.1.57.43","doi-asserted-by":"crossref","first-page":"263","DOI":"10.2307\/1914185","article-title":"Prospect theory: an analysis of decision under risk","volume":"47","author":"Kahneman","year":"1979","journal-title":"Econometrica J Econ Soc"},{"key":"2016123008051124000_2.1.57.44","doi-asserted-by":"publisher","DOI":"10.1037\/0003-066X.39.4.341"},{"key":"2016123008051124000_2.1.57.45","unstructured":"Knight FH . Risk, Uncertainty and Profit. Mineola, NY: Courier Dover Publications, 2012."},{"key":"2016123008051124000_2.1.57.46","unstructured":"Ponemon Institute LLC Cost of Data Breach Study: Australia. 2011."},{"key":"2016123008051124000_2.1.57.47","unstructured":"Locher C . Methodologies for evaluating information security investments - What Basel II can change in the financial industry. 2005. In: Proceedings of the 13th European conference of information systems, information systems in a rapidly changing economy, ECIS 2005, Regensburg, Germany, 26\u201328 May 2005."},{"key":"2016123008051124000_2.1.57.48","doi-asserted-by":"publisher","DOI":"10.1257\/jep.1.1.121"},{"key":"2016123008051124000_2.1.57.49","doi-asserted-by":"crossref","first-page":"357","DOI":"10.1140\/epjb\/e2010-00120-8","article-title":"Heavy-tailed distribution of cyber-risks","volume":"75","author":"Maillart","year":"2010","journal-title":"Eur Phys J B Condensed Matter Complex Syst"},{"key":"2016123008051124000_2.1.57.50","unstructured":"Maximiano S . Measuring reciprocity: do survey and experimental data correlate. Working Paper, Krannert School of Management, Purdue University, 2012."},{"key":"2016123008051124000_2.1.57.51","unstructured":"McGuire M Dowling S . Cyber crime: a review of the evidence. Summary of key findings and implications. Home Office Research report 75, 2013. www.gov.uk\/government\/uploads\/system\/uploads\/attachment_data\/file\/246749\/horr75-summary.pdf."},{"key":"2016123008051124000_2.1.57.52","unstructured":"Moore E Eckel C . Measuring ambiguity aversion. Unpublished manuscript. Department of Economics, Virginia Tech. 2003."},{"key":"2016123008051124000_2.1.57.53","doi-asserted-by":"publisher","DOI":"10.1080\/00107510500052444"},{"key":"2016123008051124000_2.1.57.54","unstructured":"Schroeder NJ Using prospect theory to investigate decision-making bias within an information security context. Technical Report, Department of the Air Force Air University, Air Force Institute of Technology, 2005."},{"key":"2016123008051124000_2.1.57.55","unstructured":"Schneier B . Worst-case thinking makes us nuts, not safe. Schneier on Security (blog), May 2010. https:\/\/www.schneier.com\/essay-316.html."},{"key":"2016123008051124000_2.1.57.56","unstructured":"Richardson R. CSI Computer Crime and Security Survey, 2008."},{"key":"2016123008051124000_2.1.57.57","unstructured":"Richardson R. CSI Computer Crime and Security Survey, 2010."},{"key":"2016123008051124000_2.1.57.58","first-page":"53.","article-title":"Recommended security controls for federal information systems","volume":"800","author":"Ross","year":"2005","journal-title":"NIST Special Publication"},{"key":"2016123008051124000_2.1.57.59","doi-asserted-by":"publisher","DOI":"10.1016\/0022-0531(70)90038-4"}],"container-title":["Journal of Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/academic.oup.com\/cybersecurity\/article-pdf\/2\/1\/57\/10833200\/tyw009.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,9,16]],"date-time":"2019-09-16T22:17:47Z","timestamp":1568672267000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-lookup\/doi\/10.1093\/cybsec\/tyw009"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2016,12]]},"references-count":59,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2016,12,30]]},"published-print":{"date-parts":[[2016,12]]}},"alternative-id":["10.1093\/cybsec\/tyw009"],"URL":"https:\/\/doi.org\/10.1093\/cybsec\/tyw009","relation":{},"ISSN":["2057-2085","2057-2093"],"issn-type":[{"value":"2057-2085","type":"print"},{"value":"2057-2093","type":"electronic"}],"subject":[],"published":{"date-parts":[[2016,12]]}}}