The Influence of Status Quo Bias on Novice Users’ Security Decisions: An Empirical Analysis

Presented by Amir Fard Bahreini as a part of the 2020 Serene-risc Workshop on The State of Canadian Cybersecurity Conference: Human-Centric Cybersecurity

About the presentation

40% to 60% of adults in North America have no established information security education or training. In today’s connected world, these novice users make many security-related decisions daily and are as susceptible, if not more, to security threats as their security-savvy counterparts. Accordingly, improved security decisions of these users can help not only enhance their own personal data security, but also increase the protection of people and organizations connected to them. In a field experiment (n=95), we examined the role of potentially influential factors on security decisions for this group of users. Using security settings of a mobile app developed for this study as our security decision measurement, we discovered that default settings have the most substantial influence on novice users’ security decisions, even higher than users’ security knowledge. Simply put, optimized default settings lead to better decisions, and sub-optimal default settings lead to worse decisions. For instance, users are more likely to keep the two-factor authentication option enabled if it is turned on by default. This tendency is labeled as Status Quo Bias and has both positive and negative consequences in the context of information security, which we will discuss in this study.

About the speaker

Amir Fard Bahreini is a third-year Ph.D. candidate of Management Information Systems at the Sauder School of Business at the University of British Columbia. His primary research is focused on behavioral information security, where he investigates how people make security-related decisions and how their security behaviors can be improved by utilizing theories in behavioral economics and cognitive psychology. He holds a bachelor’s degree in Accounting from Shiraz University, Iran, an MBA with a Finance specialization, and an M.Sc. in Management Information Technology from the University of Oklahoma, United States.