Investing in Prevention or Paying for Recovery - Attitudes to Cyber Risk

  • Anna Cartwright
  • Edward Cartwright
  • Lian Xue
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11836)


Broadly speaking, an individual can invest time and effort to avoid becoming a victim of a cyber attack and/or they can invest resources in recovering from any attack. We introduce a new game called the prevention and recovery game to study this trade-off. We report results from the experimental lab that allow us to categorize different approaches to risk taking. We show that many individuals appear relatively risk loving in that they invest in recovery rather than prevention. We find little difference in behavior between a gain and loss framing.


Cyber-security, Ransomware, Insurance, Recovery, Risk aversion



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. School of Economics, Finance and Accounting, University of Coventry, Coventry, UK
  2. Department of Strategic Management and Marketing, De Montfort University, Leicester, UK
  3. School of Economics, Wuhan University, Wuhan, China
