Kaivanto, Kim (2014): The effect of decentralized behavioral decision making on system-level risk. Published in: Risk Analysis, Vol. 34, No. 12 (2014): pp. 2121-2142.
Abstract
Certain classes of system-level risk depend partly on decentralized lay decision making. For instance, an organization's network security risk depends partly on its employees' responses to phishing attacks. On a larger scale, the risk within a financial system depends partly on households' responses to mortgage sales pitches. Behavioral economics shows that lay decision makers typically depart in systematic ways from the normative rationality of Expected Utility (EU), and instead display heuristics and biases as captured in the more descriptively accurate Prospect Theory (PT). In turn psychological studies show that successful deception ploys eschew direct logical argumentation and instead employ peripheral-route persuasion, manipulation of visceral emotions, urgency, and familiar contextual cues. The detection of phishing emails and inappropriate mortgage contracts may be framed as a binary classification task. Signal Detection Theory (SDT) offers the standard normative solution, formulated as an optimal cutoff threshold, for distinguishing between good/bad emails or mortgages. In this paper we extend SDT behaviorally by re-deriving the optimal cutoff threshold under PT. Furthermore we incorporate the psychology of deception into determination of SDT's discriminability parameter. With the neo-additive probability weighting function, the optimal cutoff threshold under PT is rendered unique under well-behaved sampling distributions, tractable in computation, and transparent in interpretation. The PT-based cutoff threshold is (i) independent of loss aversion and (ii) more conservative than the classical SDT cutoff threshold. Independently of any possible misalignment between individual-level and system-level misclassification costs, decentralized behavioral decision makers are biased toward under-detection, and system-level risk is consequently greater than in analyses predicated upon normative rationality.
Item Type: | MPRA Paper |
---|---|
Original Title: | The effect of decentralized behavioral decision making on system-level risk |
Language: | English |
Keywords: | prospect theory; psychology of deception; signal detection theory; spear phishing; system-level risk |
Subjects: | D - Microeconomics > D8 - Information, Knowledge, and Uncertainty > D81 - Criteria for Decision-Making under Risk and Uncertainty |
Item ID: | 65972 |
Depositing User: | Dr. Kim Kaivanto |
Date Deposited: | 07 Aug 2015 05:49 |
Last Modified: | 27 Sep 2019 08:59 |
URI: | https://mpra.ub.uni-muenchen.de/id/eprint/65972 |