{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,14]],"date-time":"2026-01-14T00:47:45Z","timestamp":1768351665108,"version":"3.49.0"},"reference-count":16,"publisher":"Emerald","issue":"2","license":[{"start":{"date-parts":[[2016,6,13]],"date-time":"2016-06-13T00:00:00Z","timestamp":1465776000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2016,6,13]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>In methods and manuals, the product of an information security incident\u2019s probability and severity is seen as a risk to manage. The purpose of the test described in this paper is to investigate if information security risk is perceived in this way, if decision-making style influences the perceived relationship between the three variables and if the level of information security expertise influences the relationship between the three variables.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>Ten respondents assessed 105 potential information security incidents. Ratings of the associated risks were obtained independently from ratings of the probability and severity of the incidents. Decision-making style was measured using a scale inspired from the Cognitive Style Index; information security expertise was self-reported. Regression analysis was used to test the relationship between variables.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>The ten respondents did not assess risk as the product of probability and severity, regardless of experience, expertise and decision-making style. The mean variance explained in risk ratings using an additive term is 54.0 or 38.4 per cent, depending on how risk is measured. When a multiplicative term was added, the mean variance only increased by 1.5 or 2.4 per cent. For most of the respondents, the contribution of the multiplicative term is statistically insignificant.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Practical Implications<\/jats:title>\n<jats:p>The inability or unwillingness to see risk as a product of probability and severity suggests that procedural support (e.g. risk matrices) has a role to play in the risk assessment processes.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>This study is the first to test if information security risk is assessed as an interaction between probability and severity using suitable scales and a within-subject design.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-01-2016-0004","type":"journal-article","created":{"date-parts":[[2016,6,20]],"date-time":"2016-06-20T04:51:07Z","timestamp":1466398267000},"page":"194-204","source":"Crossref","is-referenced-by-count":4,"title":["An empirical test of the perceived relationship between risk and the constituents severity and probability"],"prefix":"10.1108","volume":"24","author":[{"given":"Teodor","family":"Sommestad","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Henrik","family":"Karlz\u00e9n","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Peter","family":"Nilsson","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jonas","family":"Hallberg","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"140","reference":[{"issue":"1","key":"key2020121501483193100_ref001","doi-asserted-by":"crossref","first-page":"119","DOI":"10.1111\/j.1467-6486.1996.tb00801.x","article-title":"The cognitive style index: a measure of intuition-analysis for organizational research","volume":"33","year":"1996","journal-title":"Journal of Management Studies"},{"key":"key2020121501483193100_ref002","first-page":"97","article-title":"Information security is information risk management","year":"2002"},{"issue":"3","key":"key2020121501483193100_ref003","doi-asserted-by":"crossref","first-page":"249","DOI":"10.1177\/1470593107080344","article-title":"Interaction effects and combinatorial rules governing Protection Motivation Theory variables: a new model","volume":"7","year":"2007","journal-title":"Marketing Theory"},{"key":"key2020121501483193100_ref004","unstructured":"Club de la S\u00e9curit\u00e9 de l\u2019Information Fran\u00e7ais (2011), \u201cMEHARI 2010 Processing guide for risk analysis and management\u201d, CLUSIF, Paris, pp. 1-32, available at: www.clusif.asso.fr\/fr\/production\/ouvrages\/pdf\/MEHARI-2010-Risk-Analysis-and-Treatment-Guide.pdf (accessed 12 March 2016)."},{"issue":"5","key":"key2020121501483193100_ref005","doi-asserted-by":"crossref","first-page":"650","DOI":"10.1177\/0146167203029005009","article-title":"Fear appeals motivate acceptance of action recommendations: evidence for a positive bias in the processing of persuasive messages","volume":"29","year":"2003","journal-title":"Personality & Social Psychology Bulletin"},{"issue":"4","key":"key2020121501483193100_ref006","doi-asserted-by":"crossref","first-page":"438","DOI":"10.1145\/581271.581274","article-title":"The economics of information security investment","volume":"5","year":"2002","journal-title":"ACM Transactions on Information and System Security"},{"issue":"2","key":"key2020121501483193100_ref007","doi-asserted-by":"crossref","first-page":"147","DOI":"10.1016\/j.cose.2004.07.004","article-title":"ISRAM: information security risk analysis method","volume":"24","year":"2005","journal-title":"Computers & Security"},{"key":"key2020121501483193100_ref008","volume-title":"Model-driven Risk Analysis: The CORAS Approach","year":"2011"},{"issue":"5","key":"key2020121501483193100_ref009","doi-asserted-by":"crossref","first-page":"469","DOI":"10.1016\/0022-1031(83)90023-9","article-title":"Protection motivation and self-efficacy: a revised theory of fear appeals and attitude change","volume":"19","year":"1983","journal-title":"Journal of Experimental Social Psychology"},{"key":"key2020121501483193100_ref010","article-title":"Activity 8.8: decision making style inventory","volume-title":"Canadian Organizational Behaviour","year":"2006"},{"key":"key2020121501483193100_ref011","unstructured":"NIST (2012), NIST Special Publication 800-30 Revision 1 Guide for Conducting Risk Assessments, available at: http:\/\/nvlpubs.nist.gov\/nistpubs\/Legacy\/SP\/nistspecialpublication800-30r1.pdf (accessed 12 march 2016)."},{"issue":"2","key":"key2020121501483193100_ref012","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1509\/jmkg.67.2.1.18607","article-title":"What to convey in antismoking advertisements for adolescents: the use of protection motivation theory to identify effective message themes","volume":"67","year":"2003","journal-title":"Journal of Marketing"},{"key":"key2020121501483193100_ref013","article-title":"Cognitive and physiological processes in fear appeals and attitude change: a revised theory of protection motivation","volume-title":"Social Psychophysiology","year":"1983"},{"key":"key2020121501483193100_ref014","doi-asserted-by":"crossref","unstructured":"Scott, S.G. and Bruce, R.A. (1995), \u201cDecision-making style: the development and assessment of a new measure\u201d, Educational and Psychological Measurement, Vol. 55 No. 5, pp. 818-831, available at: http:\/\/epm.sagepub.com\/cgi\/doi\/10.1177\/0013164495055005017 (accessed 24 October 2014).","DOI":"10.1177\/0013164495055005017"},{"issue":"6","key":"key2020121501483193100_ref015","doi-asserted-by":"crossref","first-page":"659","DOI":"10.1016\/j.cose.2010.02.002","article-title":"A probabilistic relational model for security risk analysis","volume":"29","year":"2010","journal-title":"Computers & Security"},{"issue":"1","key":"key2020121501483193100_ref016","doi-asserted-by":"crossref","first-page":"65","DOI":"10.1037\/0278-6133.19.1.65","article-title":"Perceived probability, perceived severity, and health-protective behavior","volume":"19","year":"2000","journal-title":"Health Psychology: Official Journal of the Division of Health Psychology, American Psychological Association"}],"container-title":["Information &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.emeraldinsight.com\/doi\/full-xml\/10.1108\/ICS-01-2016-0004","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-01-2016-0004\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-01-2016-0004\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:22:34Z","timestamp":1753406554000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/24\/2\/194-204\/112145"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2016,6,13]]},"references-count":16,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2016,6,13]]}},"alternative-id":["10.1108\/ICS-01-2016-0004"],"URL":"https:\/\/doi.org\/10.1108\/ics-01-2016-0004","relation":{},"ISSN":["2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"}],"subject":[],"published":{"date-parts":[[2016,6,13]]}}}