Perceived information security risk as a function of probability and severity

Information security risks are frequently assessed in terms of the probability that a threat will be realized and the severity of the consequences of a realized threat. In methods and manuals, the product of this probability and severity is often thought of as the risk to consider and manage. However, studies of human behavior and intentions in the field of information security suggest that in general, this is not the way security is perceived. In fact, few studies have found an interaction (i.e., a multiplicative relationship) between probability and severity. This paper describes a study where the ratings of risk and the two variables probability and severity were collected on 105 security threats from ten individuals together with information about the respondents’ expertise and cognitive style. These ten individuals do not assess risk as the product of probability and severity, regardless of expertise and cognitive style. Depending on how risk is measured, an additive model explains 54.0% or 38.4% of the variance in risk. If a multiplicative term is added, the mean increased variance is only 1.5% or 2.4%, and for most of the individuals the contribution of the multiplicative term is statistically insignificant.
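The comparison the abstract describes, an additive model against one with a multiplicative term, is a nested-regression question: how much additional variance does the product term explain once probability and severity already enter linearly? The script below is an added illustration, not code or data from the paper; it fits both models by ordinary least squares in plain Python and reports R² for each, the gain ΔR², and the partial F statistic for the interaction term. The ratings embedded in it are constructed for one hypothetical respondent, not the study's data.

```python
"""Additive vs. multiplicative models of perceived risk (constructed example).

Fits, by ordinary least squares, two models to ratings of risk (r),
probability (p) and severity (s):

    additive:         r = b0 + b1*p + b2*s
    with interaction: r = b0 + b1*p + b2*s + b3*(p*s)

and reports the variance explained (R^2) by each and the increase
obtained by adding the multiplicative term.  Pure Python, no numpy.
"""


def _solve(a, y):
    """Solve the square system a x = y by Gauss-Jordan elimination with
    partial pivoting. a is a list of rows; returns the solution list x."""
    n = len(a)
    m = [row[:] + [y[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        if abs(m[col][col]) < 1e-12:
            raise ValueError("singular design matrix (collinear predictors)")
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                for c in range(col, n + 1):
                    m[r][c] -= f * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]


def ols(rows, y):
    """Ordinary least squares via the normal equations. rows are predictor
    vectors (an intercept column is added here). Returns
    (coefficients, residual sum of squares, R^2)."""
    x = [[1.0] + [float(v) for v in row] for row in rows]
    k = len(x[0])
    xtx = [[sum(xi[i] * xi[j] for xi in x) for j in range(k)] for i in range(k)]
    xty = [sum(xi[i] * yi for xi, yi in zip(x, y)) for i in range(k)]
    beta = _solve(xtx, xty)
    fitted = [sum(b * v for b, v in zip(beta, xi)) for xi in x]
    rss = sum((yi - fi) ** 2 for yi, fi in zip(y, fitted))
    mean_y = sum(y) / len(y)
    tss = sum((yi - mean_y) ** 2 for yi in y)
    r2 = 1.0 - rss / tss if tss > 0 else 0.0
    return beta, rss, r2


def compare_risk_models(prob, sev, risk):
    """Fit the additive and the interaction model. Returns the R^2 of each,
    the gain from the product term, its coefficient, and the partial F
    statistic for that term (1 numerator df, n-4 denominator df); the
    critical F value must be looked up separately."""
    n = len(risk)
    if not (len(prob) == len(sev) == n) or n < 5:
        raise ValueError("need at least 5 matched ratings")
    y = [float(v) for v in risk]
    add_rows = [[p, s] for p, s in zip(prob, sev)]
    int_rows = [[p, s, p * s] for p, s in zip(prob, sev)]
    _, rss_add, r2_add = ols(add_rows, y)
    beta_int, rss_int, r2_int = ols(int_rows, y)
    df_resid = n - 4
    # Nested models: rss_add >= rss_int in exact arithmetic; clamp float noise.
    ss_gain = max(0.0, rss_add - rss_int)
    f_stat = (ss_gain / 1.0) / (rss_int / df_resid) if rss_int > 0 else float("inf")
    return {
        "r2_additive": r2_add,
        "r2_interaction": r2_int,
        "delta_r2": r2_int - r2_add,
        "interaction_coef": beta_int[3],
        "partial_f": f_stat,
        "df": (1, df_resid),
    }


# Constructed ratings for one hypothetical respondent on 12 threats
# (1-7 scales); these are NOT data from the paper.
PROB = [1, 2, 3, 4, 5, 6, 7, 2, 4, 6, 3, 5]
SEV = [7, 5, 6, 2, 4, 1, 3, 2, 6, 5, 1, 7]
RISK = [4, 4, 5, 3, 5, 3, 5, 2, 5, 6, 2, 6]

if __name__ == "__main__":
    for key, val in compare_risk_models(PROB, SEV, RISK).items():
        print(f"{key:>18}: {val}")
```

Run it once per respondent, as the study did, rather than on the pooled ratings: a product term that is insignificant for most individuals can still look significant in a pooled fit if respondents differ in scale use. The partial F is the same quantity as the "increased variance" the abstract reports, expressed relative to the unexplained variance that remains.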