IEEE Technology and Society Magazine - Spring 2013 - 79

making by end users. It is critical
to remember that bounded rationality serves us well in general but
fails systematically for specific
cases. Thus, bounded rationality
should not present the decision
maker in a negative light, rather
it should be treated as a design
input when provisioning for security in information systems. There
are existing examples of research
that demonstrate the usefulness of
heuristics-based decisions when
leveraged appropriately [6]. This
can be further informed by emerging theories such as QIpT and
DFT that facilitate modeling of
end user behavior.

Author Information
The authors are with the School of
Informatics and Computing, Indiana University, Bloomington, IN.
Email: gargv@indiana.edu and
ljcamp@indiana.edu.

References

[1] A. Acquisti and J. Grossklags, "What
can behavioral economics teach us about
privacy?," in Digital Privacy: Theory, Technologies, and Practices, 1st ed., vol. 1,
A. Acquisti, S. Gritzalis, S. Di Vimercati,
and C. Lambrinoudakis, Eds. New York, NY:
Auerbach, 2007, pp. 363-379.
[2] r. Anderson, "Why information security
is hard-an economic perspective," in Proc.
17th Annual Computer Security Applications
Conf., 2001, pp. 358-365.
[3] J. Bargh, M. Chen, and L. Burrows,
"Automaticity of social behavior: Direct effects
of trait construct and stereotype activation on
action," J. Personality and Social Psychology,
vol. 71, no. (2, pp. 230-244, Aug. 1996.
[4] J. Busemeyer and J. Townsend, "Decision
field theory: a dynamic-cognitive approach
to decision making in an uncertain environment," psychological review, vol. 100 (3),
pp. 432-459, Jul. 1993.
[5] A. Dijksterhuis et al., "Seeing one thing and
doing another: Contrast effects in automatic
behavior," J. Personality and Social Psychology, vol. 75, no. 4, pp. 862-871, Oct. 1998.
[6] K. Ehrlich et al., "Taking advice from intelligent systems: The double-edged sword of
explanations," in Proc. of 16th Int. Conf. Intelligent User Interfaces, 2011, pp. 125-134.
[7] G. Gigerenzer, "How to make cognitive illusions disappear: Beyond heuristics
and biases," Euro. Rev. Social Psychology,
vol. 2, 1, pp. 83-115, 1991.
[8] p. Herr, S. Sherman, and r. Fazio, "On the
consequences of priming: Assimilation and
contrast effects," J. Experimental Social Psychology, vol. 19, no. 4, pp. 323-340, Jul. 1983.

[9] A. Isen and A. Labroo, "Some ways in which
positive affect facilitates decision making and
judgment," in Emerging Perspectives on Judgment and Decision Research, 1st ed., vol. 1, S.
L. Schneider and J. Shanteau, Eds. Cambridge,
MA: Cambridge Univ. press, 2003, pp. 365-393.
[10] J. Jackson, N. Allum, and G. Gaskell,
"perceptions of risk in cyberspace," in Trust
and Crime in Information Societies, 1st ed.,
vol. 1, r. Mansell and B. S. Collins, Eds. U.K.:
Edward Elgar, 2005, pp. 245-281.
[11] D. Kahneman and A. Tversky, "prospect theory: An analysis of decision under risk," Econometrica, vol. 47, no. 2, pp. 263-291, Mar. 1979.
[12] C. Keller, M. Siegrist, and H. Gutscher,
"The role of the affect and availability heuristics in risk communication," Risk Analysis,
vol. 26, no. 3, pp. 631-639, Jun. 2006.
[13] D. Koehler, "Explanation, imagination,
and confidence in judgment," Psych. Bull.,
vol. 110, no. 3, pp. 499-519, Nov. 1991.
[14] T. Moore, r. Clayton, and r. Anderson,
"The economics of online crime," J. Economic Perspectives, vol. 23, no. 3, pp. 3-20,
Summer 2009.
[15] p. Norberg, D. Horne, and D. Horne, "The
privacy paradox: personal information disclosure
intentions versus behaviors," J. Consumer Affairs, vol. 41, no. 1, pp. 100-126, Summer 2007.
[16] E. pothos and J. Busemeyer, "A quantum probability explanation for violations
of rational decision theory," Royal Society
B: Biological Sciences, vol. 276, no. 1665,
pp. 2171, Mar. 2009.
[17] L. ross and C. Anderson, "Shortcomings
in the attribution process: On the origins and
maintenance of erroneous social assessments,"
in Judgment under Uncertainty: Heuristics
and Biases, 1st ed., vol. 1, D. Kahneman,
p. Slovic, and A. Tversky, Eds. New York, NY:
Oxford Univ. press, 1982, pp. 129-152.
[18] A. J. rothman et al., "The systematic
influence of gain-and loss-framed messages on
interest in and use of different types of health
behavior," Personality and Social Psychology
Bull., vol. 25, no. 11, pp. 1355-1369, Nov. 1999.
[19] N. Schroeder, "Using prospect theory
to investigate decision-making bias within
an information security context," Dec. 16,
2005; http://www.dtic.mil/dtic/tr/fulltext/u2/
a445399.pdf, accessed Jun. 7, 2012.
[20] N. Schwarz, "Feelings as information:
Moods influence judgments and processing
strategies," in Heuristics and Biases: The Psychology of Intuitive Judgment, 1st ed., vol. 1,
T. Gilovich, D. Griffin, and D. Kahneman,
Ed. Cambridge, U.K.: Cambridge Univ. press,
2002, pp. 534-547.
[21] N. Schwarz and H. Bless, "Mental construal processes: The inclusion/exclusion
model," in Assimilation and Contrast in Social
Psychology, 1st ed., vol. 1, D. Stapel and J.
Suls, Eds. New York, NY: psychology press,
2007, pp. 119-141.
[22] S. Sherman, "On the self-erasingnature
of errors of prediction," J. Personality and
Social Psychology, vol. 39, no. 2, pp. 211-221,
Aug. 1980.
[23] S. Sherman et al., "Imagining can heighten
or lower the perceived likelihood of contracting
a disease," Personality and Social Psychology
Bull., vol. 11, no. 1, pp. 118-127, Mar. 1985.

IEEE TECHNOLOGY AND SOCIETY MAGAZINE

|

SprING 2013

[24] H. Simon, "A behavioral model of rational
choice," Quart. J. Economics, vol. 69, no. 1,
pp. 99-118, Feb. 1955.
[25] H. Simon, "Theories of bounded rationality," Decision and Organization, vol. 1,
pp. 161-176, 1972.
[26] H. Simon, Models of Bounded Rationality. Cambridge, MA: M.I.T. press, 1982.
[27] p. Slovic et al., "The affect heuristic,"
Euro. J. Operational Res., vol. 177, no. 3,
pp. 1333-1352, Mar. 2007.
[28] p. Slovic and B. Fischhoff, "On the psychology of experimental surprises," J. Experimental Psychology: Human Perception
and Performance, vol. 3, no. 4, pp. 544-551,
Nov. 1977.
[29] D. Stebila, "reinforcing bad behavior:
The misuse of security indicators on popular websites," in Proc. of 22nd Australasian
Conf. Computer-Human Interaction, 2010,
pp. 248-251.
[30] A. Tversky and D. Kahneman, "Availability: A heuristic for judging frequency
and probability," Cognitive Psychology, vol. 2,
pp. 207-232, Sept. 1973.
[31] A. Tversky and D. Kahneman, "Judgment
under uncertainty: Heuristics and biasesm"
Science, vol. 185, no. 4157, pp. 1124-1131,
Sept. 1974.
[32] A. Tversky and D. Kahneman, "The framing of decisions and the psychology of choice,"
Science, vol. 211, no. 4481, pp. 453-458, Jan.
1981.
[33] A. Tversky and D. Kahneman, "Extensional versus intuitive reasoning: The conjunction fallacy in probability judgment,"
Psychological Rev., vol. 90, no. 4, pp. 293-315,
Oct. 1983.
[34] A. Tversky and D. Kahneman, "On
the reality of cognitive illusions," Psychological Rev., vol. 103, no. 3, pp. 582-591, Jul.
1996.
[35] H. Varian, "System reliability and free
riding," in Economics of Information Security, 1st ed., vol. 12, L. J. Camp and S. Lewis,
Ed. MA: Kluwer, 2004, pp. 1-15.
[36] V. Verendel, "A prospect theory approach
to security," M.S. thesis, Göteburg University,
Sweden, 2008.
[37] Velocity, "Malware," Nov. 6, 2012; http://
velocity93.blogspot.com/2010/08/malware.
html, Aug. 6 2010.
[38] C. Smith and C. Kanalley, "Fired over
Facebook: 13 posts that got people canned,"
July 26, 2010; http://www.huffingtonpost.
c o m / 2 010 / 0 7/ 2 6 / f i r e d - ove r-fa c e b o o kposts_n_659170.html-s118586&title=Juror_
Dismissed_After, Nov. 6, 2012.
[39] V. Garg, L. J. Camp, K. Connelly, and
L. Lorenzen-Huber, "risk communication
design: Video vs. text," in Proc. of the 12th
Int. Conf. Privacy Enhancing Technologies,
2012, pp. 279-298.
[40] J. Blythe, L. J. Camp, and V. Garg,
"Targeted risk communication for computer security," in Proc. of the 16th Int.
Conf. Intelligent User Interfaces, 2011,
pp. 295-298.
[41] r. Zeckhauser, "Behavioral versus rational economics: What you see is what you conquer," J. Business, vol. 59, no. 4, pp. 435-449,
Oct. 1986.

|

79
http://www.dtic.mil/dtic/tr/fulltext/u2/ http://http:// http://velocity93.blogspot.com/2010/08/malware http://www.huffingtonpost
Table of Contents for the Digital Edition of IEEE Technology and Society Magazine - Spring 2013
