Name of concept

Loss aversion

Key reference

(Kahneman & Tversky, 1979)

Description

Loss aversion is the idea that people will seek to avoid losses more than they would work towards a gain of an equal magnitude. For example, people will want to avoid losing €10 more than they would put in effort to gain €10. One of the classic experiments on this phenomenon is the Asian disease problem, where participants are presented with an introduction to the problem, and then are presented with one of two scenarios.

Introduction:

Imagine that the U.S. is preparing for the outbreak of an unusual Asian disease, which is expected to kill 600 people. Two alternative programs to combat the disease have been proposed, program A and program B:

Scenario 1

If program A is adopted, 200 people will be saved. If program B is adopted, there is a one-third probability that 600 people will be saved and a two-thirds probability that no people will be saved. Which of the two programs would you favour?

Scenario 2

If program A is adopted, 400 people will die. If program B is adopted, there is a one-third probability that nobody will die and a two-thirds probability that 600 people will die. Which of the two programs would you favour?

The difference between the two scenarios is the framing of the outcome, with scenario 1 focusing on the number of people saved in the two options, and scenario 2 focusing on the number of people dying in the two options. When presented with these scenarios, participants in the first scenario are more likely to go for the certainty of saving 200 people, while participants in scenario 2 are more likely to take a risk to avoid anyone dying, as choosing the first option would lead to certain death for 400 people.

Application within the field of cybersecurity

Loss aversion is an important concept in decision making processes. This also goes for decision making processes in the cybersecurity domain. In general, cybersecurity is seen as something that might avoid cyberattacks. The resulting focus is then on avoiding losses in terms of 1) losing data, 2) losing access to systems, 3) downtime of the organisation. In many organisations, cybersecurity is not seen as a business opportunity, but the absence of a cyber incident. Framing cybersecurity this way also has an impact on how organisations deal with these issues, as they are not as clearly defined as is the case for other business opportunities.

Annotated bibliography

Bos et al. (2016). Bos and colleagues investigated whether scenarios presented as gains or losses affected how network defence professionals dealt with these hypothetical scenarios. The professionals worked through two separate scenarios, and behaved differently in one of those scenarios, but not the other, based on a loss/gain frame. The authors see this partial result as evidence for an impact of loss/gain framing on decision making processes in cybersecurity settings.

Kahneman & Tversky, (1979). In this paper, Kahneman and Tversky outline prospect theory, a theory to explain human behaviour that is not relying on rational behaviour. Part of this prospect theory is the focus on loss aversion, that people are more likely to avoid losses than to seek gains of a similar magnitude.

Pratama & Firmansyah (2021). Pratama and Firmansyah investigated how the adoption of two-factor authentication was associated with demographical factors as well as tendencies for loss aversion. They found that loss aversion was the “most significant demographical factor” in predicting the adoption of two-factor authentication.

References

Bos, N., Paul, C. L., Gersh, J. R., Greenberg, A., Piatko, C., Sperling, S., … & Burtner, R. (2016).       Effects of gain/loss framing in cyber defense decision-making. In Proceedings of the Human Factors and Ergonomics Society Annual Meeting (Vol. 60, No. 1, pp. 168-172).          Sage CA: Los Angeles, CA: SAGE Publications.

Kahneman, D., & Tversky, A. (1979). Prospect Theory: An Analysis of Decision under                     Risk. Econometrica47(2), 263-292.

Pratama, A. R., & Firmansyah, F. M. (2021). Until you have something to lose! Loss aversion        and two-factor authentication adoption. Applied Computing and Informatics, (ahead-         of-print).