
Wolter Pieters


4 records found

What do professionals rely on for their risk assessment?

Journal article (2025) - Johan de Wit, Wolter Pieters, Pieter van Gelder
Security risks, such as sabotage and cyberattacks, are an increasing threat to business and government processes. They originate from malicious human action, for which exact historical information is often lacking. Thus, the judgment and assessment of security professionals is the primary input for security risk management, a subjective probabilistic approach. In this study, we explore the information sources professionals, in both the physical and cybersecurity domain, use for this purpose, improving understanding of their daily praxis. Sources of security risk information are collected, their quality and trustworthiness are assessed, and their use is analyzed. Quality is assessed by experienced security practitioners applying the NATO system for intelligence evaluation, with source intention as an additional criterion. Actual use is analyzed among security professionals. The results consist of a comparative ranking of both assessed quality and daily use of sources. Experts are ranked first for perceived quality and are also most relied upon in daily praxis, and individual/personal experience comes second. The additional criterion of source intention explained the lower level of use of information from science. This study provides the basis for enhancing security risk management by a more conscious selection of sources. ...
Journal article (2023) - Johan de Wit, Wolter Pieters, Pieter van Gelder
Professionals working in both the physical and cybersecurity domain need to assess and evaluate security risks. As information on risks in general and security risks in particular is often imperfect and intractable, these professionals face a challenge in judging both likelihood and consequences, but how much do their existing psychological biases play a role in these judgments? In this paper, we present new empirical evidence on the perception of the information position and confidence levels of security professionals, the influence of detailed information and the conjunction fallacy, and the level of noise in security assessments. This paper adds to the literature by examining, for the first time, risk assessments by professionals in realistic, real-life security cases. The results show clear indications of overconfidence, comparative ignorance, influence of the conjunction fallacy, and influence of individual experience on security decision making in the professional security domain. The observed phenomena might have far-reaching effects on security risk management in organizations and society. ...
Conference paper (2022) - V.F. Binkhorst, T. Fiebig, Katharina Krombholz, Wolter Pieters, K. Labunets
With the worldwide COVID-19 pandemic in 2020 and 2021 necessitating working from home, corporate Virtual Private Networks (VPNs) have become an important item securing the continued operation of companies around the globe. However, due to their different use case, corporate VPNs and how users interact with them differ from public VPNs, which are now commonly used by end-users. In this paper, we present a first explorative study of eleven experts' and seven non-experts' mental models in the context of corporate VPNs. We find a partial alignment of these models in the high-level technical understanding while diverging in important parameters of how, when, and why VPNs are being used. While, in general, experts have a deeper technical understanding of VPN technology, we also observe that even they sometimes hold false beliefs on security aspects of VPNs. In summary, we show that the mental models of corporate VPNs differ from those for related security technology, e.g., HTTPS. Our findings allow us to draft recommendations for practitioners to encourage a secure use of VPN technology (through training interventions, better communication, and system design changes in terms of device management). Furthermore, we identify avenues for future research, e.g., into experts' knowledge and balancing privacy and security between system operators and users. ...
Journal article (2021) - J.J. de Wit, Wolter Pieters, S.J.T. Jansen, P.H.A.J.M. van Gelder
Security professionals play a decisive role in security risk decision making, with important implications for security in organisations and society. Because of this subjective input in security, understanding possible biases in this process is paramount. In this paper, well-known biases as observed and described in prospect theory are studied in individual security risk decision making by security professionals. To this end, we distributed a questionnaire among security professionals including both original dilemmas from prospect theory and dilemmas adapted to the context of incident prevention. It was hypothesised that security professionals dealing with risks and decision making under risk on an almost daily basis would or should be less vulnerable to decision biases involving risks, in particular when framed in terms of incident prevention. The results show that security professionals are vulnerable to decision biases at the same scale as lay people, but some biases are weaker when decision problems are framed in terms of security as opposed to monetary gains and losses. Of the individual characteristics defining experience, only the general education level observably affects vulnerability to biases in security decision making in this study. A higher general education level leads to a significantly higher vulnerability to decision biases. By highlighting the vulnerability of security professionals to decision biases, this study contributes essential awareness and knowledge for improved decision making, for example through a different representation of probabilities and uncertainty. ...