The Triad of Risk-Related Behaviors (TriRB): A Three-Dimensional Model of Cyber Risk Taking

Abstract

Objective: We identify three risk-related behaviors in coping with cyber threats—the exposure to risk a person chooses, use of security features, and responses to security indications. The combinations of behaviors that users choose determine how well they cope with threats and the severity of adverse events they experience. Background: End users’ coping with risks is a major factor in cybersecurity. This behavior results from a combination of risk-related behaviors rather than from a single risk-taking tendency. Method: In two experiments, participants played a Tetris-like game, attempting to maximize their gains, while exogenous occasional attacks could diminish earnings. An alerting system provided indications about possible attacks, and participants could take protective actions to limit the losses from attacks. Results: Variables such as the costs of protective actions, reliability of the alerting system, and attack severity affected the three behaviors differently. Also, users dynamically adjusted each of the three risk-related behaviors after gaining experience with the system. Conclusion: The results demonstrate that users’ risk taking is the complex combination of three behaviors rather than the expression of a general risk-taking tendency. The use of security features, exposure to risk, and responses to security indications reflect long-term strategy, short-term tactical decisions, and immediate maneuvering in coping with risks in dynamic environments. Application: The results have implications for the analysis of cybersecurity-related decisions and actions as well as for the evaluation and design of systems and targeted interventions in other domains.